Overview of Playbook Guidance
This Playbook provides utilities with practical guidance and critical considerations in preparing for a cyber
incident and developing a response plan that enables staff to take swift, effective action. Cybersecurity
managers can use the playbook as a step-by-step guide to prepare for an incident.
Identify your cyber incident response team. Clarify who the key players are, outline roles and
responsibilities, and clearly identify which individuals have the authority to take critical response actions.
Document how to contact team members 24/7, designate an alternate for key roles, and outline a battle
rhythm for how and when the team will convene and deliver updates.
Identify contacts and response service contracts for cybersecurity service providers and equipment vendors.
Keep an updated list of vendor contacts and the support they can provide if a vulnerability is identified in vendor equipment. Identify a contact person for the Internet Service Provider (ISP). If the utility has contracted with third-party service providers for incident investigation, forensic analysis, or other forms of incident response support, identify the contact person, determine the process for engaging their support, and identify the person on the Cyber Incident Response Team (CIRT) who is authorized to engage their services. Determine the expected response timelines for each partner.
Understand the system and environment.
Document where system maps, logs, and inventories are kept and maintained, along with the person who has the credentials to access them. Document access credentials and procedures for removing access or providing temporary access to incident responders.