Developing a Cyber Incident Communication Management Exercise for CI Stakeholders

  • Tomomi Aoyama
  • Kenji Watanabe
  • Ichiro Koshijima
  • Yoshihiro Hashimoto
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10242)


Existing cyber security training programs for Critical Infrastructures (CI) place much emphasis on technical aspects, often related to a specific sector/expertise, overlooking the importance of communication (i.e. the ability of a stakeholder to gather and provide relevant information). We hypothesise that the achievement of a secure and resilient society requires a shared protocol among CI stakeholders, that would facilitate communication and cooperation. In order to validate our hypothesis and explore effective communication structures while facing a cyber incident and during recovery, we developed a discussion-based exercise using an Industrial Control System (ICS) incident scenario, and implemented it in pilot workshops where a total of 91 experts participated. Results suggest there are three possible incident communication structures centered around the IT department, the production department, and management, respectively. In future, these structures can be used as the framework to build an ICS-Security Incident Response Team (ICS-SIRT), which would strengthen cooperation among CI stakeholders.


Keywords: CIP exercise; Cyber incident management; ICS security; Communication management; Business continuity management



This research is partially supported by the Ministry of Education, Science, Sports and Culture, Grant-in-Aid for Scientific Research (A), No. 16H01837 (2016); however, all remaining errors are attributable to the authors.



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Tomomi Aoyama (1)
  • Kenji Watanabe (1)
  • Ichiro Koshijima (1)
  • Yoshihiro Hashimoto (1)

  1. Department of Architecture, Civil Engineering and Industrial Management Engineering, Nagoya Institute of Technology, Nagoya, Japan
