Resiliency in Today's Cyber-Threat Landscape The Illinois Approach
The significant information breaches reported on an all-too-often basis clearly demonstrate the challenges faced by security professionals charged with keeping cyber-attackers at bay and protecting the business. While the primary motivation for cyber-attacks remains financial gain, social and political issues are giving rise to attacks intended to disrupt an organization’s ability to operate. Government entities are increasingly targeted, and the State of Illinois is no exception. Organizations must ensure their ability to recover from malicious attacks and other adverse events.
Illinois provides myriad services to its citizens, many of which help ensure life, health and safety. Significant resources are expended daily to deliver these services as well as provide a robust business environment for the Illinois’ economy. These services require a reliable support infrastructure of employees, third-party providers, facilities, equipment, and information systems.
Illinois’ Digital Transformation
Illinois is in the midst of an unprecedented digital transformation, focused on modernizing information systems and consolidating disparate technology resources into a single, laser-focused organization. Imagine merging nearly 40 companies while delivering state-of-the art technology solutions and achieving rapid results. In the first year of creating the Illinois Department of Innovation & Technology (DoIT), Illinois rose from the bottom fourth to the top third of all states in the use of digital technologies.
Identifying critical technology infrastructure provides the foundation for information systems and communication capabilities required to deliver key services to Illinois citizens
This accelerated transformation requires the building of robust information security capabilities. Governor Rauner has prioritized cybersecurity as a key issue and directed the development of a comprehensive cybersecurity strategy. A critical component of this strategy is the Illinois Cyber Resilience and Business Continuity Program.
The Illinois Approach
Six components comprise the Illinois Cyber Resiliency and Business Continuity Program;
1. Continuity of Operations Planning for Information Technology Functions
2. Personnel Contingency Plan
3. Information System Recovery Plan
4. Critical Infrastructure Plan
5. Cyber-Disruption Plan
6. Training, Testing and Exercising the Program
DoIT Continuity of Operations Plan (CoOP)
DoIT supports thousands of technology applications, administers statewide network services, maintains data center operations and manages third-party providers. “The business of I.T.” essential functions must be sustained following a disrupting event.
As DoIT stabilizes, the Illinois CoOP team is conducting extensive document collection and analysis, conducting expert interviews, documenting business processes and mapping CoOP plans to specific risk scenarios. Using the National Institute of Standards and Technology (NIST) as the authoritative source, CoOP plans are designed for activation within 12 hours of an event and to sustain critical IT operations for 30 days.
The Illinois Emergency Management Agency (IEMA) maintains responsibility for the coordination of CoOP activities across State of Illinois agencies. DoIT works closely with IEMA to ensure consistency in information and documentation. IEMA’s role in the overall Cyber Resiliency and Business Continuity Program becomes increasingly critical as the risk scenarios present more dire consequences.
Personnel Contingency Plan
In addition to threats of disruptive disasters or attacks, the State of Illinois, like many organizations, faces its own ‘silver tsunami’ with a high percentage of highly-experienced technology personnel eligible for retirement. CoOP analysis provides detailed information regarding important roles required to maintain critical technology business processes.
Program personnel document the skills and expertise necessary for these roles, and also recommend training for that expertise. This step will also benefit long-term workforce development and training programs.
Illinois Information System Recovery Plan (ISRP)
The ISRP initially focuses on systems critical to business operations. State troopers to healthcare program personnel to child case workers rely on these technologies; without them, life, health and safety would be severely compromised. Business support systems which ensure the ongoing logistics of the state are also crucial.
The ISRP includes individual plans which prioritize life, health and safety functions. Business Impact Analyses (BIA) are also completed, as well as data classification and categorization. In addition to the critical information needed to establish loss-tolerance levels which help identify key recovery objectives, Illinois information security personnel also determine the priorities of incident response process in the case of an information breach or other system compromise.
Illinois Critical Infrastructure Plan (CIP)
Identifying critical technology infrastructure provides the foundation for information systems and communication capabilities required to deliver key services to Illinois citizens. As with most disaster recovery approaches the criticality of recovery is most-often driven by the results of BIAs.
Illinois has found that this effort can accelerate risk reduction efforts by examining specific infrastructure component areas, such as server farms and enterprise storage. In fact, a key component to Illinois’ digital transformation targets moving 70 percent of Illinois’ technology infrastructure to ‘the cloud’ by 2019. Cloud services provide an opportunity to accelerate the state’s progress toward a robust and resilient technology infrastructure.
Illinois Cyber Disruption Plan
The development of a Cyber Disruption plan has become a key initiative nationwide. Leaders in the state cybersecurity realm such as the State of Michigan, the National Association of State Chief Information Officers, and the National Governor’s Association are helping states define when cyber incidents move beyond the oversight of the information security organization and become potential catastrophes. During a ‘cyber disruption,’ oversight and direction of the incident transfers from the state Chief Information Security Officer to the Director of the state emergency management agency and/or the Governor Illinois is working jointly with IEMA, the Illinois National Guard and other partners toward the completion of an Illinois Cyber Disruption Plan.
Cyber Resiliency and Business Continuity Training, Testing and Exercising
No plan is effective unless it can be executed. The Illinois strategy is not complete until plans have been socialized, trained, tested and exercised. The partnership with the IEMA provides the state with expertise in these critical areas, and helps ensure exercises are in line with national standards to ensure their effectiveness and currency.
The State of Illinois is working diligently to ensure the digital transformation is supported by a robust cyber resiliency and business continuity capability through the establishment of an effective and sustainable program. Today’s cyber-threat environment adds ever-growing challenges to the state as well as organizations across the globe. Through a sound program based on national standards, proven methods, and guidance from both our public and private sector partners, we are confident that the state can become one of the most cyber-secure states in the nation.