Incident Response Preparedness Assessment Tool (IRPAT)

Be prepared for incident response and recovery

Do you have questions on information technology (IT) and preparedness? Or do you have a robust IT system in place but are unsure of its ability to protect against the latest internet attacks? ReliabilityFirst’s Incident Response Preparedness Assessment Tool (IRPAT) can help evaluate readiness, preparedness, and robustness. You can register for the IRPAT system with a username and password and access a series of wide-ranging scenarios based on past real-world threats. Read the threat descriptions and submit your answers within the tool to learn how well-prepared and resistant your IT systems and infrastructure may be to the latest threats.

As your team works through the self-guided scenarios and injects, you can reach out to the Entity Engagement department. We have Critical Infrastructure Protection (CIP) subject matter experts who can answer any questions about the tool, provide guidance on lessons learned, and help you improve your incident response program and strengthen specific areas of your cyber security posture.

Does your organization have people experienced in planning and facilitating a tabletop exercise? If not, ReliabilityFirst CIP subject matter experts can help! We have experience in planning and facilitating tabletop exercises.

Does your organization want to modify or develop your own injects or scenarios? We have that covered too! We can work with your team to develop scenarios and injects that can be added to IRPAT. They can be tailored for your specific organization, or we can generalize them so you can help contribute to the current library of scenarios for others to use.

To learn more or request access to IRPAT, please visit our Contact Us page and reach out to the Entity Engagement department.

 

Frequently asked questions

What is the Incident Response Preparedness Assessment Tool (IRPAT)?
The IRPAT provides the opportunity for registered entities to evaluate and benchmark their incident response and recovery posture, as well as measure effectiveness by performing simulated cyber or physical incident exercises.

It helps characterize an entity’s ability to gather and analyze threat intelligence and information from the affected systems and test incident response procedures as they relate to the entity’s corporate and Bulk Power System (BPS), IT, and OT environments. The IRPAT’s output is an extensive report that will provide BPS operators and personnel the ability to identify areas of improvement through deeper insights and introspection into components and processes that affect incident response and recovery.

Why is measuring incident response and preparedness important?
The potential for disruptions in the BPS can be attributed to the dependence and vulnerabilities of the computer network interconnecting corporate systems, substations, generation plants, control centers, and physical security of those assets. The IRPAT works to promote and enhance grid reliability, security and resilience by enhancing the entity’s capabilities to respond to various types of cyber or physical security incidents. As an integral part of the program, incident response focuses on developing, implementing and maintaining comprehensive resilience capabilities through on-demand assessments and drills to prepare for a real-life cyber or physical security incident.

There is a need to develop and test incident response capabilities for the BPS by providing quantitative insights into security controls to:

  • Support risk management and mitigation decisions
  • Provide qualitative insights to ensure operational resilience and assist in development of cost-effective mitigations
  • Motivate BPS operators and IT to work together to continually assess their incident response capabilities and benchmark performance
  • Identify gaps in incident response and recovery capabilities to continuously improve and prepare for the next incident
  • Educate entities on factors contributing to grid resilience

Who is eligible to use the IRPAT?
Any registered entity within the Electric Reliability Organization (ERO) that is involved with ensuring the security, reliability, resilience and operations of the BPS is eligible to use the IRPAT.

The IRPAT is a facilitated tabletop exercise based on a scenario customized by a cyber or physical security subject matter expert (SME) at your organization. The SME can include any number of users from relevant departments depending on the type of role/level of access each person has within the organization related to the incident response.

ReliabilityFirst encourages the involvement of as many applicable SMEs as possible in order to derive individual and collective understanding and test the organization’s incident response capabilities. Participation is especially important for SMEs in the areas of cyber, IT/OT and physical security, communications, as well as any personnel involved in operations or securing the BPS.

Is the information submitted in the IRPAT protected?
The information stored in the IRPAT is in a database. The data in this database is always encrypted at rest. The data in transit is secured by secure sockets layer encryption.

Access to the IRPAT is controlled by multi-factor authentication and stringent password policies. Further, the data is segmented in the IRPAT (and database) in such a way that confidentiality and integrity are maintained between individual users and the entities.

How will ReliabilityFirst use the information submitted in the IRPAT?
The IRPAT is not used to assess compliance with the NERC Standards or in any compliance-related activities. The IRPAT is designed as a voluntary tabletop engagement exercise for entities to measure and benchmark their incident response capabilities during a cyber or physical security incident.

ReliabilityFirst will periodically analyze the information in aggregate to generate anonymized regional observations and provide anonymized benchmarking.

How will I access my report?
The report and results generated from the IRPAT are provided as generic recommendations on areas of improvement. The report can be accessed from each user’s “Assessment Summary” page within the IRPAT. The report can be viewed directly within IRPAT and downloaded as an editable Word document or a PDF.

Who can the report be shared with?
The report is a valuable internal resource to be used within an entity by anyone who may benefit from the information, but the document must be handled according to the entity’s data distribution and security policy.

How long does the IRPAT take to complete?
The IRPAT scenarios are modeled after real-world threats to the BPS and are highly customizable to meet the organization’s goals in testing and drilling incident response, procedures and capabilities. Some scenarios are large campaigns that can be spread out over several days with multiple departments. Some scenarios are smaller and focus on a specific type of risk. It can be a company-wide engagement or a small group. The scenarios can be paused and resumed at your convenience, and the responses will be automatically saved.

Is there a cost to use the IRPAT?
No, this is available free of charge. You are free to complete any of the scenarios as many times as you’d like. As you mature your incident response program, you can help benchmark against past performance or another entity’s performance.  

Is the IRPAT a replacement for GridEx?
No, the IRPAT is not a replacement for GridEx. However, it is complementary to GridEx and they can be used together. GridEx is a well-established, remote, distributed grid exercise simulation performed across North America every two years. It is led by NERC’s E-ISAC, which helps facilitate the development of scenarios and manages and leads the exercises. The IRPAT can help entities improve and prepare for GridEx, as well as other real-world events. The best way to use these two tools together is to use IRPAT to test, improve and hone incident response capabilities on a continuous basis and use GridEx as a way to test and grade capabilities and progress every two years.

Who should I contact if I have questions?
To submit questions or a request for access to IRPAT, please visit our Contact Us page and reach out to the Entity Engagement department.