Asfalis Advisors

Menu
1-833-ADV-ISME (238-4763)

Case Study

How Charlotte-Mecklenburg Emergency Management Office Took a Citywide Approach to Cyber Readiness and Business Continuity

In one of the nation’s fastest-growing metro areas, the Charlotte-Mecklenburg Emergency Management Office (CMEMO) engaged Asfalis Advisors to simulate a coordinated response to a cyber disruption, evaluating leadership roles, business plans, and department-wide coordination.

Executive Summary:

Charlotte-Mecklenburg’s Emergency Management Office asked Asfalis Advisors to test a critical question: if a cyberattack shut down systems, could the City keep services running?

In this engagement, more than 50 participants from 18+ departments faced a scenario that escalated from phishing to call center outages to a kerberoasting attack. A kerberoasting attack exploits a Windows security feature where any user can request encrypted service tickets, then takes those tickets offline to crack the passwords and steal high-privilege account credentials.

The exercise revealed both strengths and opportunities:

  • Strengths: Committed staff, strong partnerships, institutional knowledge.
  • Risks: No clear business continuity lead, uneven plan awareness, and siloed communication.
  • Outcome: The After-Action Report became CMEMO’s first business continuity strategy, with priorities to assign program accountability, routine training, update plans, and improve communication.

Overview: Why CMEMO Needed a Citywide Exercise

The City of Charlotte manages services that people rely on every hour of the day: water, housing, IT, transportation, aviation, and more. Each department had business continuity plans, but until this exercise, they had not been evaluated together in a realistic cyber scenario. Leadership recognized the risk: cybersecurity incidents take    weeks and sometimes months to recover from. Practicing business continuity capabilities due to a cyber threat is critical for sustainability.

The exercise confirmed that while some staff could quickly reference continuity procedures, others’ continuity strategies were no longer relevant based on the organization’s evolution. There was no business continuity program accountability, and limited resources to update and train on plans. When departments defaulted to their own communication channels, coordination slowed.

At the same time, the exercise proved that the city has strengths to build on. Partnerships with external agencies are strong. Public servants across departments are dedicated. Teams that leaned on their continuity plans showed the potential to shorten recovery and reduce downtime. The takeaway was not that the City is unprepared, but that continuity must move from being fragmented across departments to being coordinated at the enterprise level.

The Challenge: What the Exercise Revealed

Before designing the exercise, CMEMO and Asfalis Advisors reviewed existing continuity practices to ensure the scenario reflected how departments operate. This process highlighted several coordination factors that shaped the engagement:

  • No centralized continuity accountability or responsibility: Without a citywide continuity coordination role, departments developed their COOPs independently, leading to differences in format, assumptions, and update cycles.
  • Limited exposure to cyber-related continuity scenarios: Many participants had experience responding to traditional emergency events, but few had tested continuity operations during a prolonged technology disruption.
  • Unrehearsed Recovery Transitions: Most departments had not had the opportunity to practice transitioning from emergency response to long-term continuity. Practicing that transition felt necessary.
  • Over-reliance on tech. Departments leaned on systems without enough backup processes. When outages hit, manual workarounds became critical.
  • Service Disruptions: Service delays could last 48-72 hours longer than in cities with business continuity programs, affecting close to 1 million residents relying on essential services like public safety.

These were not minor flaws. They showed CMEMO that while continuity existed on paper, in practice, the City was still vulnerable to disruptions that could last days, not hours.

Goals: What the Engagement Was Built to Achieve

This engagement was not about introducing new plans. It was about testing what was already in place. Departments needed a space to apply those plans, clarify roles and responsibilities, and practice making decisions under pressure. The following goals guided the engagement:

  1. Evaluate continuity under stress. The scenario was designed to push departments beyond theory to prove how they would sustain services as systems degraded.
  2. Benchmark against recognized standards. The exercise was built to align with NFPA 1600, ISO 22320/22313, FEMA’s Federal Continuity Directive, and Disaster Recovery Institute International standards. This ensured the evaluation reflected global best practice, not just local expectations.
  3. Leadership in business continuity. Leadership wanted to see how plans translated into action, who knew their COOPs, who defaulted to improvisation, and where coordination broke down. In the survey, 32.86% of participants cited collaboration with executives as the most valuable outcome, confirming that leadership visibility mattered.
  4. Build a foundation for improvement. The After-Action Report was meant to do more than capture lessons. It was intended to become the City’s first continuity strategy, a working document to guide program ownership, training cycles, plan updates, and communication protocols across departments.

CMEMO and Asfalis used these goals to shape the scenario design, planning process, and post-exercise recommendations, focusing on fostering long-term continuity across departments.

The Asfalis Approach: How the Exercise Was Structured

The engagement ran over 28 weeks, from early planning and coordination with city departments to the final After-Action Report. Every step was designed to ensure the exercise was realistic, inclusive, and actionable. 

Planning and Design
  • The scenario was developed with input from CMEMO and city partners to reflect real cyber threats.
  • Asfalis mapped the exercise to ensure credibility and rigor.
  • Departments were briefed ahead of time, with objectives aligned to business continuity.
The Scenario in Action
  • The exercise began with a phishing attack that compromised city accounts.
  • It escalated into call center outages, forcing departments to consider alternative ways of serving residents.
  • Finally, it advanced into a kerberoasting attack, simulating a deeper penetration that tested whether continuity plans could sustain services over weeks, not just days.
Participation
  • 50+ leaders, including the City Manager’s Office, aviation, water, transportation, housing, IT, legal, police, HR, economic development, etc., were actively involved.
  • The mix of executives, managers, and frontline staff created a complete picture of how continuity would work in practice.

What made the engagement with Asfalis different

Unlike typical tabletop exercises that end after a few hours of discussion, this one was structured to reveal gaps and opportunities in real time. Departments had to work across silos, explain decisions, and show how plans would actually play out under pressure.

Results: Highlights from the Continuity Exercise

The exercise gave CMEMO a baseline for continuity, a clear picture of the City’s current state, and recommendations for improving business continuity maturity. A few outcomes the City has been able to accomplish as a result of the exercise:
  • Increased alignment with the Emergency Management Office and the City’s cyber team.
  • Greater awareness at an executive level of the risks and vulnerabilities that effective business continuity programs provide to local governments.
  • The value of a functional enterprise risk management (ERM) program and how business continuity supports the goals and objectives of ERM.

Feedback from participants reinforced both the value of the exercise and the credibility of the facilitation:

“Very organized and professional. Stayed on point and required participation.”
“Well planned, executed, and very knowledgeable staff.”
“The event fostered a sense of unity among participants and emphasized the importance of coming together to address crises collectively.”

Leaders called the Final Report “a staple” now serving as the City’s first continuity strategy.