The importance of having a robust incident plan
Most organizations have mature cyber incident response plans for their corporate IT infrastructure, but often, response plans for industrial control systems (ICS) and critical processes are not as mature or may only address physical hazards. The most common ICS devices are:
- field telemetry devices, such as instruments and sensors
- field controllers, such as remote terminal units, intelligent electronic devices and programmable logic controllers
- human machine interfaces, which allow operators to monitor and control processes
Cyber attackers can exploit vulnerabilities in these devices or other network connected systems that impact your ICS devices and systems. So, it’s important to have a robust incident response plan that specifically addresses your organization’s ICS.
To develop an efficient incident response plan, here’s a list of the most important topics to cover:
An incident response team must be established in advance and documented in the response plan. Clearly defined roles and responsibilities should be assigned to various team members. The team should be comprised of individuals who are familiar with incident handling and response, and who have the authority and management support to make key decisions; however, having technical staff with hands-on knowledge of your organization’s control system architecture and ICS equipment is critical. Depending on the number and location of your organization’s facilities, the response team may be centralized, distributed or a combination of both.
A description of methods to identify cybersecurity incidents is required, including both automated systems, such as an intrusion detection system (IDS) or security information and event management (SIEM), and detection of abnormal system or component behaviour by human observation. Methods to identify failures in automated systems are also recommended, as these systems are potential targets for cyber attackers.
It’s necessary to define and describe what qualifies as cybersecurity and non-cybersecurity incidents. An organization may choose to have different types or levels of cybersecurity incidents based on scope or impact. This will assist in appropriately scaling the resources and engagement effort required to respond to different incidents and to prioritize response to multiple incidents.
Procedures must be established to notify incident response team members and appropriate external agencies, such as vendors, and law enforcement or government security agencies. All relevant contact information should be included (phone numbers, email addresses, etc.)
Detailed procedures must be developed for each class of security incident that address how to contain the attack, eradicate the compromise and restore to normal operations. Data retention should be included to support future forensics, lessons learned and prosecution of attackers. Be sure to include contingency situations, such as 24/7 operations, unavailable responders and loss of power or communications.
Once your incident response plan is in place, it is important to:
- Ensure all named responders are trained and aware of their responsibilities.
- Keep the plan up to date. Named responders may change roles or leave the organization and, therefore, need to be promptly replaced. Phone numbers and email addresses may change, and contact lists will need to be updated quickly. Automated systems or technologies may be upgraded or replaced, and response procedures need to be updated.
- Go through the plan on a regular basis. Any lessons learned should be documented and incorporated into the plan. If the plan is updated, ensure it’s shared with all named responders.
ICS cybersecurity incidents can lead to physical or safety process incidents. Therefore, consider leveraging existing organizational incident response structures and approaches, such as integrating an ICS cybersecurity incident response plan into physical process and safety incident response plans.
If your organization requires help in setting up a new incident response plan or reviewing an existing one, please contact us.