Skip to main content
U.S. flag

An official website of the United States government

Here’s how you know

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

HTTPS

Secure .gov websites use HTTPS
A lock (LockA locked padlock) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Free Cyber ServicesSecure by design Secure Our WorldShields UpReport A Cyber Issue

Cybersecurity & Infrastructure Security Agency logo America’s Cyber Security Defense Agency National Coordinator For Critical Infrastructure Security and ResilienceCybersecurity & Infrastructure Security Agency logo America’s Cyber Security Defense Agency National Coordinator For Critical Infrastructure Security and Resilience
CISA Logo

Search

 

America's Cyber Defense Agency
 
  • Topics
    Cybersecurity Best Practices
    Cyber Threats and Advisories
    Critical Infrastructure Security and Resilience
    Election Security
    Emergency Communications
    Industrial Control Systems
    Information and Communications Technology Supply Chain Security
    Partnerships and Collaboration
    Physical Security
    Risk Management
    How can we help?
    GovernmentEducational InstitutionsIndustryState, Local, Tribal, and TerritorialIndividuals and FamiliesSmall and Medium BusinessesFind Help LocallyFaith-Based CommunityExecutivesHigh-Risk Communities
  • Spotlight
  • Resources & Tools
    All Resources & Tools
    Services
    Programs
    Resources
    Training
    Groups
  • News & Events
    News
    Events
    Cybersecurity Alerts & Advisories
    Directives
    Request a CISA Speaker
    Congressional Testimony
    CISA Conferences
    CISA Live!
  • Careers
    Benefits & Perks
    HireVue Applicant Reasonable Accommodations Process
    Hiring
    Resume & Application Tips
    Students & Recent Graduates
    Veteran and Military Spouses
  • About
    Divisions & Offices
    Regions
    Leadership
    Doing Business with CISA
    Site Links
    CISA GitHub
    CISA Central
    Contact Us
    Subscribe
    Transparency and Accountability
    Policies & Plans

Free Cyber ServicesSecure by design Secure Our WorldShields UpReport A Cyber Issue

Breadcrumb
  1. Home
  2. Resources & Tools
  3. Programs
  4. Cyber Storm: Securing Cyber Space
Share:

Resources & Tools

  • All Resources & Tools
  • Services
  • Programs
  • Resources
  • Training
  • Groups

Cyber Storm: Securing Cyber Space

Related topics:
Cybersecurity Best Practices

Cyber Storm, Cybersecurity and Infrastructure Security Agency’s (CISA) biennial exercise series, provides the framework for the most extensive government-sponsored cybersecurity exercise of its kind. The exercise series brings together the public and private sectors to simulate discovery of and response to a significant cyber incident impacting the Nation’s critical infrastructure. Cyber Storm exercises are part of CISA’s ongoing efforts to assess and strengthen cyber preparedness and examine incident response processes.

Cyber Storm participants perform the following activities:

  • Examine organizations’ capability to prepare for, protect from, and respond to cyberattacks' potential effects;
  • Exercise strategic decision making and interagency coordination of incident response(s) in accordance with national level policy and procedures;
  • Validate information sharing relationships and communications paths for collecting and disseminating cyber incident situational awareness, response and recovery information; and
  • Examine means and processes through which to share sensitive information across boundaries and sectors without compromising proprietary or national security interests.

Each Cyber Storm builds on lessons learned from previous real-world incidents, ensuring that participants face more sophisticated and challenging exercises every two years. CISA is currently planning for Cyber Storm X.

Cyber Storm IX: April 2024

CISA hosted the ninth iteration of the National Cyber Exercise, Cyber Storm IX, in April 2024. Over 2,200 players from around the globe examined their cyber resilience and coordination mechanisms in response to a distributed attack on organizations’ cloud resources. Response and recovery efforts included internal collaboration, coordination with incident response and cloud vendors, public messaging, and federal reporting. The exercise provided players a realistic, no-fault environment to validate cyber incident plans, policies, and procedures. 

Cyber Storm IX Highlights

  • Featured the Food and Agriculture sector as the primary impacted sector for the first time in CS exercise history.
  • Highlighted critical considerations in the cloud security shared responsibility model.
  • Exercised reporting to Sector Risk Management Agencies (SRMAs) and other federal government entities.
  • Examined cyber information sharing networks both domestically and internationally.

More on Cyber Storm IX

Read more
Cyber Storm VIII: March 2022

Cyber Storm VIII, 2022, engaged 2000+ participants through a multi-layered scenario that impacted both industrial control systems (ICS)/operational technology (OT) and enterprise IT networks, raising awareness of the rapidly expanding cyberattack surface.

In March 2022, CISA conducted the eighth iteration of the Cyber Storm exercise series. Over 2,000 players participated in Cyber Storm VIII, which examined discovery of and response to a large-scale, coordinated significant cyber incident impacting multiple critical infrastructure sectors. Cyber Storm VIII further strengthened public and private partnerships and assessed areas of improvement for national cybersecurity plans and policies.

Cyber Storm VIII Highlights

  • Raised awareness of the rapidly expanding cyberattack surface and the nuances of response to incidents impacting Industrial Control Systems (ICS)/Operational Technology (OT) and enterprise IT networks​.
  • Integrated one new sector into the exercise, Water and Wastewater Systems​.
  • Emphasized information sharing and communication as International Watch and Warning Network (IWWN) partner nations worked toward improving their incident response communications​.
  • Achieved the development and dissemination of an in-exercise joint Cybersecurity Advisory (CSA) for the first time in a Cyber Storm exercise.

More on Cyber Storm VIII

Read more
Cyber Storm 2020: August 2020

Cyber Storm 2020, 2020, provided 2000+ distributed players from approximately 210 organizations the opportunity to stress test incident response procedures in a remote environment and raised awareness of long-standing and ongoing vulnerabilities in the core infrastructure of the Internet.

Cyber Storm 2020 was executed in August 2020. Sponsored by CISA, the exercise included more than 2,000 players from over 210 organizations across critical infrastructure sectors, exercising incident response procedures in a remote environment. Cyber Storm 2020 raised awareness of long-standing and ongoing vulnerabilities in the core infrastructure of the Internet and was the seventh iteration of the Cyber Storm series.

Cyber Storm 2020 Highlights

  • Exercised federal, state, private sector, and international response to a significant cyber incident targeting underlying core services of the Internet.
  • Planned for and exercised incident response across components of the following critical infrastructure sectors: Chemical, Commercial Facilities, Communications, Critical Manufacturing, Energy, Financial Services, Healthcare and Public Health, Information Technology (IT), and Transportation Systems.
  • Tested the capacity of participating state and local governments to respond to cyber incidents and coordinate via the Multi-State Information Sharing and Analysis Center (MS-ISAC).
  • Organizations gained an opportunity to identify improvements to distributed communication and coordination processes – increasingly in place due to pandemic restrictions.

More on Cyber Storm 2020

Read more
Cyber Storm VI: April 2018

Cyber Storm VI, 2018, focused on response an incident affecting to non-traditional IT devices and included new participants from critical manufacturing and the automotive industry.

The sixth iteration of the Cyber Storm exercise series, Cyber Storm VI, took place in April 2018. Cyber Storm VI focused on the critical manufacturing and transportation sectors and included participation from the information technology and communications sectors; law enforcement, defense, and intelligence agencies; state and local governments; and international partners.

Cyber Storm VI Highlights

  • Exercised federal, state, private sector, and international response to a significant cyber incident affecting non-traditional IT devices.
  • Integrated new stakeholders into the exercise, including one new sector, Critical Manufacturing, and one new sector component, Automotive.
  • Raised awareness of the rapidly expanding cyberattack landscape and the nuances of response to incident impacting Internet of Things (IoT) and operational technology (OT) devices.
  • Integrated a simulated and dynamically-updated media and social media platform to replicate the customer and public components of an incident and provided a no-fault learning environment to practice strategies that support this aspect of response.

More on Cyber Storm VI

Read more
Cyber Storm V: March 2016

Cyber Storm V, 2016, included more than 1,000 distributed players and brought together new sectors, including retail and healthcare participants.

Cyber Storm V returned to the capstone, distributed exercise format of Cyber Storms I-III. The exercise took place March 8-10, 2016, with the Exercise Control located at the United States Secret Service headquarters in Washington, DC.

Cyber Storm V Highlights

  • For the first time in the Cyber Storm exercise series, the exercise featured dedicated participation from the Healthcare and Public Health sector and Commercial Facilities: Retail subsector. The Information Technology and Communications sectors also played significant roles in the exercise.
  • Federal agencies, and organizations from the law enforcement, intelligence, and defense communities also participated.
  • Eight states participated as full players, with other states playing through the Multi-State Intelligence and Analysis Center (MS-ISAC).
  • Participation included over 100 organizations and more than 1,200 registered players from across the globe.

More on Cyber Storm V

Read more
Cyber Storm IV: 2011-2014

Cyber Storm IV included 15 building block exercises between 2011 and 2014 to help communities and states exercise cyber response capabilities for escalating incidents.

Cyber Storm IV consisted of individual building block exercises at the federal, state, and international levels which provided the cyber incident response community with the opportunity to design focused events to evaluate specific capabilities. The building block approach also introduced cyber exercises to new stakeholders and prepared them for participation in future Cyber Storm exercises.

Cyber Storm IV included 15 tabletop and distributed exercises that involved over 1,250 participants from 16 states, 11 countries, and 14 federal agencies. 

Cyber Storm IV exercises for external stakeholders included:

  • State-specific exercises with Idaho, Maine, Mississippi, Missouri, Nevada, Oregon, and Washington. A state coordination exercise with the Multi-State Information Sharing and Analysis Center (MS-ISAC) that included Delaware, Iowa, Massachusetts, Michigan, Minnesota, New York, North Carolina, Pennsylvania, and Wisconsin.
  • An international exercise with the International Watch and Warning Network that included Australia, Canada, France, Germany, Hungary, Japan, the Netherlands, Norway, Sweden, Switzerland, and the United States.
  • Cyber Storm IV: Evergreen, a distributed national level exercise that engaged hundreds of players from the private sector, state and local entities, and the federal government in operational play.

More on Cyber Storm IV

Read more
Cyber Storm III: September 2010

Cyber Storm III, 2010, focused on response according to national-level frameworks and provided the first operational test of the National Cybersecurity and Communications Integration Center (NCCIC).

Cyber Storm III built upon the success of previous exercises; however, enhancements in the nation's cybersecurity capabilities, an ever-evolving cyber threat landscape and the increased emphasis and extent of public-private collaboration and cooperation, made Cyber Storm III unique.

  • National Cyber Incident Response Plan
    • Cyber Storm III served as the primary vehicle to exercise the newly-developed National Cyber Incident Response Plan (NCIRP), a blueprint for cybersecurity incident response, to examine the roles, responsibilities, authorities, and other key elements of the nation's cyber incident response and management capabilities and use those findings to refine the plan.
  • Increased Federal, State, International and Private Sector Participation
    • Administration-Wide - Eight Cabinet-level departments including Departments of Commerce, Defense, Energy, Homeland Security, Justice, Transportation, and Treasury in addition to the White House and representatives from the intelligence and law enforcement communities.
    • Eleven States - California, Delaware, Illinois, Iowa, Michigan, Minnesota, North Carolina, New York, Pennsylvania, Texas, and Washington, as well as the Multi-State Information Sharing and Analysis Center (MS-ISAC) compared to nine states in Cyber Storm II.
    • 12 International Partners - Australia, Canada, France, Germany, Hungary, Japan, Italy, the Netherlands, New Zealand, Sweden, Switzerland, and the United Kingdom compared to four international partners in Cyber Storm II.
    • 50 Percent More Private Sector Partners - 60 private sector companies participated in Cyber Storm III, up from 40 in Cyber Storm II, several of which participated on-site with DHS for the first time. DHS worked with representatives from the Banking and Finance, Chemical, Communications, Dams, Defense Industrial Base, Information Technology, Nuclear, Transportation, and Water sectors as well as the corresponding Sector Coordinating Councils and Information Sharing and Analysis Centers to identify private sector participants.
  • CISA Central
    • Cyber Storm III represented the first opportunity to test CISA Central, which serves as the hub of national cybersecurity coordination and was inaugurated in October 2009.

More on Cyber Storm III

Read more
Cyber Storm II: March 2008

Cyber Storm II, 2008, exercised individual response capabilities and leadership decision making.

Cyber Storm II Highlights

  • Involved 5 countries (Australia, Canada, New Zealand, United Kingdom, and the United States); 18 federal cabinet-level agencies (Departments of Defense, State, Justice, etc.); 9 states (Pennsylvania, Colorado, California, Delaware, Texas, Illinois, Michigan, North Carolina, and Virginia); and over 40 private sector companies (Juniper Networks, Microsoft, McAfee, Cisco, NeuStar, The Dow Chemical Company, Inc., PPG Industries, ABB Group, Air Products & Chemical Inc., Nova Chemical, Wachovia, etc.);
  • Affected 4 critical infrastructure sectors including chemical, information technology, communications, and transportation (rail/pipe) and used 10 Information Sharing and Analysis Centers;
  • Exercised the processes, procedures, tools, and organizational response to a multi-sector coordinated attack through and on the global cyber infrastructure;
  • Allowed players to exercise and evaluate their cyber response capabilities to a multi-day coordinated attack and to gauge the cascading effects of cyber disasters on other critical infrastructure, shaping response priorities; and
  • Exercised government and private sector concepts and processes developed since Cyber Storm I, requiring great interaction and coordination at the strategic, operational, and tactical levels.

More on Cyber Storm II

Read more
Cyber Storm I: February 2006

Cyber Storm I, 2006, marked the first time the cyber response community came together to examine the national response to cyber incidents.

Cyber Storm I Highlights

  • First government-led full-scale cyber exercise;
  • Included over 115 organizations, including federal, state, and local governments and the private sector;
  • Featured four sectors: information technology, communications, energy, and transportation (air); and
  • Allowed participants to respond to a variety of cyber and communications degradations and simulated attacks against critical infrastructure and to collaborate at the operational, policy, and public affairs levels.

More on Cyber Storm I

Read more

Contact

To learn more about Cyber Storm please send an email to cyberstorm@mail.cisa.dhs.gov.

Tags

Audience: Federal Government, Industry, State, Local, Tribal, and Territorial Government
Topics: Cybersecurity Best Practices
Return to top
  • Topics
  • Spotlight
  • Resources & Tools
  • News & Events
  • Careers
  • About
Cybersecurity & Infrastructure Security Agency
  • Facebook
  • X
  • LinkedIn
  • YouTube
  • Instagram
  • RSS
CISA Central 1-844-Say-CISA SayCISA@cisa.dhs.gov
DHS Seal
CISA.gov
An official website of the U.S. Department of Homeland Security
  • About CISA
  • Budget and Performance
  • DHS.gov
  • FOIA Requests
  • No FEAR Act
  • Office of Inspector General
  • Privacy Policy
  • Subscribe
  • The White House
  • USA.gov
  • Website Feedback