Managing ICS cybersecurity incident response: Going beyond containment, eradication and recovery

What is the Incident Command System?

The Incident Command System is a structured emergency management system designed to provide robust and efficient incident management focusing on command, control and effective coordination of facilities, equipment, personnel, procedures and communications during incident response. It was initially developed to support inter-agency responses to wildfires in California and Arizona.² The Incident Command System is now a proven and internationally accepted incident management system, designed to be flexible in managing events of all sizes. To avoid confusion with ICS, as used for industrial control systems, we will not be using the ICS acronym in this article when referring to the Incident Command System.

Many organizations responsible for cyber-physical systems and processes, both public and private, already use the Incident Command System for structuring and managing physical incident responses, e.g., coordinating mutual-aid reponders who are restoring power after a natural disaster.

Using the Incident Command System for cybersecurity incident response provides many benefits to an organization, including:

• Unified command hierarchy, regardless of the type and number of cyber-physical processes and systems impacted
• Clearly defined and standardized roles and responsibilities
• Easier integration of cross-functional or external resources to support response
• Efficient and effective use of resources:
  • Technical subject matter experts focus on the actions to resolve the incident (using the cybersecurity incident response cycle of contain, eradicate and recover),³
  • Incident/emergency response personnel, are experienced and trained in the Incident Command System, take care of coordinating logistics, planning, finances, legal and liaisons with leadership and external entities, and
  • Senior leadership and management can focus on higher level crisis management and business continuity, instead of overseeing day-to-day incident response activities.
• Management by objective: Cross-functional incidents are typically not resolved in a matter of hours or through a single workstream, but require structured short-term and longer-term objectives and multiple workstreams to address smoother transfer of command and hand-off between shifts for responses stretching over days, weeks or more.

How to get started with using the Incident Command System for ICS cybersecurity incidents

The keys to success in incident response are to be prepared, and that means:

• Planning. Have a documented plan, that clearly outlines the roles and responsibilities for the incident response team(s), detection methods, classification criteria, and notification, mobilization and response procedures. For some guidance, refer our previous blog about incident response plans.
• Training and exercises. Regularly exercise and test your incident response plan, and update it, as needed, to reflect lessons learned and organizational or other changes. Ensure that personnel who will be involved in incident response, whether as technical subject matter experts, command staff or other resources, are trained to an appropriate level in the Incident Command System for their roles. Many Canadian provincial emergency management agencies provide Incident Command System training, and the United States Federal Emergency Management Agency (FEMA) provides a number of free online courses and resources as part of their National Incident Management System (NIMS).⁴

A cross-sector international initiative has begun supporting the adoption of the Incident Command System for ICS cybersecurity incident response, referred to as ICS4ICS.

What is ICS4ICS?

In mid-2021, the International Society of Automation’s (ISA) Global Cybersecurity Alliance (ISAGCA) published a webinar⁵ and a blog⁶ explaining the use of the ICS4ICS cybersecurity incidents.

Supported by the ISAGCA, the Cybersecurity and Infrastructure Security Agency (CISA), and cybersecurity and incident response experts from multiple organizations, an effort is currently underway to adopt the Incident Command System framework for response structure, roles and interoperability for ICS4ICS.⁷ For more information and to contribute to this effort, go to the ICS4ICS web portal.⁸

Conclusion

The threat landscape continues to evolve and grow, and it is best to be prepared for when, not if, your ICS/OT cyber-physical processes and system may be attacked, compromised or indirectly impacted. Although still in the early stages, the ICS4ICS initiative promises to help bring structure to ICS cybersecurity incident response as well as integration with organizational and external emergency response frameworks.

In the near future, BBA will be publishing an ICS incident response playbook to help guide organizations in developing an ICS cybersecurity incident response plan and using the Incident Command System during incident response.

If your organization requires help in establishing or reviewing an ICS cybersecurity incident response plan or adopting the Incident Command System, please contact us to discuss.

References

1. bba | Do you have an incident response plan for your industrial…
2. Incident Command System - Wikipedia
3. SP 800-61 Rev. 2, Computer Security Incident Handling Guide | CSRC (nist.gov)
4. Emergency Management Institute - National Incident Management System (NIMS) (fema.gov)
5. https://www.youtube.com/watch?v=j1boIDFmFkM
6. Addressing the Downstream Effect of a Cyber Attack (isa.org)
7. Call for Volunteers: ICS4ICS Improves Management of ICS Cybersecurity (isa.org)
8. ISAGCA and ICS4ICS Cybersecurity First Responder Program