How Information Technology Service Unit Leaders in North Carolina Deploy Mutual Aid Resources for State and Local Incidents
The Cybersecurity and Infrastructure Security Agency (CISA) introduced the Information Technology Service Unit Leader (ITSL) position and course in 2018 with the purpose of providing information management, cybersecurity, and application management for incident planning and response.
In 2019, three regional leaders from the State of North Carolina attended the first ITSL course held in Charlotte, NC. Having deployed to multiple callouts during their tenure on the team, they have seen first-hand the impact of natural and man-made incidents on information systems infrastructure critical for governments and public safety to operate.
CISA recently interviewed Greg Hauser, Scott Clark, Randy Cress, Mark Seelenbacher, and Dr. Shannon Tufts to discuss the impact of ITSL training in the field and to provide use-based feedback for future course updates.
Have you been able to exercise the ITSL role during real-life incidents since taking the course in 2019?
After attending the ITSL class, IT Strike Team leaders Randy, Mark, and Scott put their skills to use almost immediately. Like many organizations, multiple state/local government agencies within North Carolina have increasingly been the victims of cyber-attacks, including ransomware and denial of service. Cyber incidents are complex because they involve continuity of government, operations, and criminal investigation components. An operational understanding of the Incident Command System (ICS) during events has proved beneficial for establishing structure and leadership to task IT staff when responding to an emergency.
One of the most important takeaways from the ITSL course was the need for ICS forms for thorough incident documentation. This was a relatively new concept for many IT professionals, particularly documenting incident objectives and resource assignments, and recording all activity for potential reimbursement.
In addition to these reactive cases, North Carolina Emergency Management has deployed ITSL resources in a proactive support role. Municipal, primary, and general elections are a unique opportunity for would-be attackers to disrupt important activities. Having an ITSL coordinate monitoring and response capabilities helps ensure integrity of the process.
Can you explain the importance of establishing a hierarchical structure and process for IT support?
The ITSL program has provided an opportunity to engage a niche within the communications world that is often the weakest area. Before the ITSL position was created, communications in the ICS structure was primarily focused on the land mobile radio (LMR) function, resulting in a gap for data communications. IT touches all aspects of communications, so bringing an IT leader into the hierarchy makes for a more robust and capable communications unit.
Cybersecurity incidents are very chaotic. Taking the ITSL course helped the North Carolina IT Strike Team leaders understand the importance of having one point of contact (POC) for task tracking, task prioritization, and task assignment. Having a single POC for IT support ultimately improved interactions with other key players, including the North Carolina National Guard Cyber Security Response Force (CSRF) and other state-level agencies.
Are you able to provide ITSL support remotely?
Pandemic planning has highlighted the need for remote support with structured leadership, and the need to provide support during concurrent events. In some incidents, it may be necessary for a small team of one ITSL and one support person to deploy to the incident to establish connectivity, and then leverage a larger team with resources outside the immediate area.
How do your day-to-day interactions with vendors differ from interactions during incidents?
North Carolina has strong relationships with its telecommunications providers. Vendors are involved in many aspects of IT, providing hardware, software, and services critical to operations. During normal day-to-day operations, most vendors have existing processes to engage sales or support resources that meet the customers’ needs. During an incident there is a clear escalation path with senior leadership within these providers to bring quick resolution or workarounds to any outages and fill any gaps or needs. The ITSL is the ideal position to help with critical escalations.
What have been some additional benefits of ITSL?
Real-life incident response and event planning by the IT Strike Team highlight important lessons learned for IT leaders across the country. The concepts of ICS are often foreign to local government CIOs, so the ITSL course content helps to fill that knowledge gap.
In 2005, Dr. Shannon Tufts implemented the first local government CIO Certification program in the nation at the UNC School of Government in Chapel Hill, NC. In close collaboration with the IT Strike Team, Dr. Tufts continues to run CIO certification programs for local and state government IT professionals, integrating ITSL field use experiences to bolster the ever-evolving program.
What challenges have you encountered as an ITSL?
As with any new concept, awareness is key for success. The ITSL position is perhaps the newest position within the ICS structure, so it is not always well-known or understood within Incident Management Teams. To optimize the position’s success, awareness within the relevant communities must be established. The IT world does not necessarily buy into ICS, so the ITSL course helps address this gap. The course provides IT professionals a place to fit into the emergency response system.
What are some next steps you would recommend?
- Socialize ITSL benefits within the Emergency Management and Incident Management Team communities
- Develop training for subordinate positions to the ITSL within ICS
- Market the course to IT professionals in state or local government, particularly those in management roles
- Provide an option for a virtual class
More information on the ITSL course can be found at cisa.gov.