Emergency Support Function (ESF) 18
The purpose of this Emergency Support Function (ESF) #18: Unified Cyber Command Annex is to:
- establish a unified understanding of key cyber concepts and terminology
- provide a system for evaluating the severity of a cyber incident
- assign roles and responsibilities to City stakeholders
The plan is specifically focused on priority SEVERE or EMERGENCY cyber incidents, when the City’s Emergency Operations Center (EOC) is activated to coordinate:
- key processes for sharing threat intelligence
- the development of situational awareness
- the management of operational response in a cyber-disrupted environment
Scope
The ESF #18: Unified Cyber Command Annex plan addresses cyber incidents that have degraded, damaged, or destroyed information systems in City Departments, Agencies, Offices, and Commissions, or that could potentially do so. Particular focus is given to cyber incidents affecting City government critical functions and infrastructure, including:
- Medical/Healthcare Services
- Government/Public Safety Services
- Financial/Banking Services
- Transportation/Transit Services
- City’s Telecommunications Services
- City’s managed Lifelines – Critical Infrastructure
- City’s Radio Infrastructure
- City and Department IT Networks
- City and Department Enterprise Technology and Applications
Unified Cyber Command Incident Response Process
| Phase | Objective |
|---|---|
| 1. Preparation | Identify activity or work that should be completed to make the response successful |
| 2. Reporting and Detection | Provide a channel to report suspected incidents and verify that an incident has occurred |
| 3. Analysis, Notification and Escalation | Understand the incident and begin notifications and escalations |
| 4. Containment | Stop the incident from spreading further and eliminate further damage |
| 5. Eradication | Determine the root cause and fully eliminate it as well as the symptoms everywhere |
| 6. Recovery | Return to normal operations |
| 7. Post Incident Review | Close out the incident and determine areas for improvement |
Analysis, Notification and Escalation
During the analysis phase, the affected City Department coordinates with the City Cyber Defense team to record the reported observations that are available, assess the potential severity of the incident, and determine the type of incident that has occurred. In general, this phase requires the City Cyber Defense team to review playbooks, collect and analyze information, and decide on next steps.
This phase has the following goals:
- If necessary, confirm the validity of information provided in the initial lead
- Determine whether the event is a cause for concern or a false positive
- Determine whether further investigation is warranted
- Determine priority of the incident
- Determine the need to activate the City’s Emergency Operations Center
- Determine immediate remediation steps
Cyber incidents may be difficult to identify, and their impacts may not be immediately apparent. As a cyber incident develops, timely and flexible coordination is needed to alert and notify key stakeholders. Based on the information provided, additional stakeholders will be identified, and the DEM Director will determine whether the EOC will be activated to Level II (Partial). If the EOC activation level does not change, the City Cyber Defense Team and DEM will establish a timeframe for further briefings.
