July 2008  |   Volume 3 - Issue 2

Upcoming Events

  • Sept. 29-Oct. 2, 2008
    Annual Conference
    SAP Headquarters
    Newtown Square, Pa.
    Approx. 20 miles from Philadelphia

Cyber Storm II

In the Aftermath of Cyber Storm II: What's Next?

Many families spend hours discussing what to do in case of a fire. Surely you would pick a meeting place outside the home and determine the exits out of every room. You would make sure everyone knows not to go back inside for any reason. And you would make sure that all smoke detectors are in good working order. But try as you might, you may always wonder: will it be enough?

While it is important to prepare, strategize and plan for the worst-case scenario, all the planning in the world may never be as beneficial as being able to realistically experience what it would be like to deal with a crisis the way it might actually occur. Eighteen federal, state and local departments and agencies; more than 40 private sector companies; and the governments from five countries were thrown into the fire, hypothetically speaking, when they exercised their cyber security preparedness and response capabilities earlier this year.

In keeping up with the continually evolving risk of cyber threats to our national security, the Department of Homeland Security (DHS) recently conducted its biennial cyber exercise, Cyber Storm II. The exercise, which took place March 10-14 in Washington, D.C., was the culmination of 18 months of planning and the largest cyber security exercise ever organized.

Ten ChemITC members participated in Cyber Storm II, which involved simulating a number of large-scale, sophisticated cyber attacks on critical infrastructure sectors including information technology, communications, the rail and pipe modes of the transportation sector, and of course, the chemical sector. Throughout the intense, multi-day exercise, companies had the opportunity to validate their incident response and coordination capabilities. Although the attacks were simulated and no actual networks suffered impact, they reflected what could potentially occur in a real-world attack and provided insight into areas where improvement is needed.

So now that the exercise is over, where do we go from here?

Immediately following the exercise, an intensive evaluation process began in which all participants were encouraged to share their candid insights into what worked and, more importantly, which areas need improvement across the federal, state, private sector and international partners that took part in the exercise. These perspectives are being compiled into an after action report that will be published in late summer on the DHS Web site.

The Cyber Security Program Risk Assessment and Preparedness (RAP) team has been working since the exercise ended to compile its lessons learned for DHS’ after action report. The team is also creating a separate report for ChemITC members. This report will provide information on specific lessons learned from the after action report that are relevant to chemical companies, primarily centering on the current status of information sharing and how to improve it moving forward. As another key output from Cyber Storm II, the team is also exploring options to develop a mechanism for sharing information on individual company cyber security incidents with sector counterparts.

Moving forward, it is important that what was learned during Cyber Storm II be effectively used by all to help enhance the nation’s cyber security in the future. While the mitigation efforts of Cyber Storm II participants are critical pieces of the puzzle, all ChemITC members are encouraged to use the public after action report and follow-up chemical sector report to more closely examine their own planning and response capabilities and apply appropriate mitigation measures. Through the diligent application of risk-based cyber security principles and continued relationship building between the public and private sectors, chemical companies will be well-prepared to weather future storms they may encounter.