NYCPS Emergency Operations Plan (EOP) for Electromagnetic Pulse (EMP) Incident and a Cyberattack 

1. Purpose

This Emergency Operations Plan establishes a comprehensive framework for our organization to respond to and recover from a large-scale Electromagnetic Pulse (EMP) or electromagnetic frequency (EMF) incident, a sophisticated cyberattack, or other catastrophic events.

An EMP event, potentially caused by a high-altitude nuclear detonation or a severe geomagnetic storm like a solar flare, poses a unique and catastrophic threat capable of causing widespread, long-term failure of the electrical grid and all electronic infrastructure. The purpose of this plan is to prioritize student and personnel safety, enable the continuation of our most critical business operations through predefined manual and alternate processes, and facilitate a coordinated, effective recovery effort. It is designed to be resilient and layered, acknowledging that standard recovery methods may be unavailable for an extended period.

2. Key Objectives

Our primary objectives during an EMP incident are sequential and focused:

  • Immediate Safety: Ensure the immediate safety, security, and accountability of all personnel.
  • Command & Control: Establish and maintain a reliable command, control, and communication structure using pre-staged hardened and alternate methods.
  • Asset Protection: Preserve our critical digital assets and facility systems from irreversible damage or encryption.
  • Business Continuity: Execute procedures to resume our most vital business functions within our target recovery time objectives (RTOs).
  • External Coordination: Proactively coordinate with external authorities, utility providers, and key partners to align efforts and share critical information.

3. Roles and Responsibilities

A successful response requires a clear chain of command and distinct responsibilities.

  • CoreCRT (Executive Leadership): Responsible for declaring an emergency, providing strategic direction, and authorizing the allocation of all resources.
  • DIIT Recovery Team: Charged with the hands-on execution of all technical recovery procedures for IT and infrastructure systems.
  • IT Infrastructure & Network Operations Team: Tasked with assessing IT system damage, performing rigorous data integrity checks, and restoring systems from backups.
  • Facilities Team: Manages all physical assets, including backup power systems (generators, UPS units), and operates manual overrides for building controls (HVAC, security doors).
  • Communications Team: Manages all inbound and outbound messaging using the contingency communication plan.

4. Response Procedures

Our response is phased to ensure a logical and effective progression.

  • Phase 1: Immediate Detection and Action (First 15-30 minutes)
    • Recognize indicators of an EMP (sudden widespread power/communications loss) or cyberattack (ransomware messages, unauthorized access).
    • Activate backup power and lighting.
    • Retrieve hardened communication kits to notify and activate the central response team.
    • For cyber events: Immediately isolate infected systems from the network.
  • Phase 2: Stabilization and Assessment (First 1-12 hours)
    • Assemble key teams at the pre-defined, ideally EMP-shielded, Emergency Operations Center (EOC).
    • Assess damage to IT hardware and facility systems using diagnostic tools. No unassessed electronic equipment should be powered on.
    • For cyber incidents: Designate a lead to determine the scope of the breach and preserve evidence for forensics.
  • Phase 3: Recovery and Restoration (24-72 hours and beyond)
    • Activate our geographically separate disaster recovery site.
    • Recover critical applications from backups.
    • Implement manual, paper-based processes for critical business operations to maintain continuity.

5. Communication Plan

Our communication strategy is built on redundant, hardened systems.

  • Primary Method: Satellite phones and/or pre-programmed HF/VHF radios.
  • Secondary Method: Hardened mobile devices stored in EMP-shielded bags or cages.
  • Fallback Method: Paper logs and manual runners for on-site messaging.
  • External Comms: Use primary methods to contact utilities, law enforcement (for deliberate attacks), and key vendors to activate disaster recovery clauses.
  • SLA Goal: Establish communication with CoreCRT within 15 minutes and achieve check-in with 90% of critical site leads within one hour.

6. Relocation and Resources

  • Leadership Relocation: The CoreCRT should relocate to a pre-identified, geographically separate, and ideally EMP-hardened alternate EOC.
  • Business Continuity: Utilize predefined out-of-region office sites equipped with offline tools. Remote work is not considered viable.
  • Pre-Stocked Critical Resources:
    • EMP-shielded generators and UPS systems.
    • Cages and bags containing spare routers and hard drives.
    • Backup tapes and drives.
    • Comprehensive hard copies of all plans, contact lists, and essential process manuals.

7. Training and Preparedness

Preparedness is ongoing and critical.

  • Exercises: Conduct annual EMP-specific and major ransomware attack scenario tabletop exercises simulating a total infrastructure blackout.
  • Training: Train essential staff annually in the use of satellite phones, radios, manual procedures, and cyber-security/phishing recognition.
  • Infrastructure: Continuously invest in hardening and cybersecurity measures (shielding, protected cabling, multi-factor authentication).

8. After-Action Reviews

  • A formal After-Action Review (AAR) should be conducted within 30 days of incident resolution.
  • The review will analyze the effectiveness of our response, identifying gaps in preparedness, communication, and recovery execution.
  • Outputs will be actionable items used to update all associated plans, this EOP, training materials, and preventative measures.
  • A summary of outcomes will be reported to executive leadership.