Kai Thomsen, Director of Global Incident Response Services at Dragos, outlines the three most important points when formulating an incident response plan for industrial cyber attacks.
In a world where successful cyberattacks are an inevitability, incident response plans are more important than ever. This is especially true for industrial networks. The potential consequences of an industrial cyber attack go far beyond the financial or reputational – business continuity, equipment, and even human lives are at risk.
What’s more, incident response plans for industrial environments are distinct from their enterprise counterparts. Because of the potential kinetic impacts, security teams are forced to prioritise safety over business continuity and damage mitigation. Greater care must be taken to ensure that intervention doesn’t do more harm than good.
Industrial incident response teams often work in legitimately hazardous environments, meaning their work is, in and of itself, hazardous. To complicate matters further, the technologies involved in industrial cyber attacks can differ considerably from those in other sectors. Often, legacy technologies or low-level systems are involved, which may have poor documentation or may not run typical operating systems.
The challenges involved with responding to industrial cyber attacks are numerous and the stakes are high. An exhaustive, tried-and-tested incident response plan is the only way to effectively tackle a cyber incident in the ICS or OT sectors.
1. Get the fundamentals right
Before you start drafting your incident response plan, it’s important to get the fundamentals right.
Ensuring or establishing good working relationships between all your staff is a great place to start.
Speed is crucial in the event of a cyber attack, and it’s imperative that poor communication doesn’t slow down your response.
Too often in the industrial sector, industrial and cybersecurity staff are disconnected, with different concerns and skill sets. It’s essential that both teams not only understand the work the other does but also how their roles overlap and how they should work together in the event of an incident.
Understanding an organisation’s environment and manufacturing processes is crucial to building an incident response plan, and cybersecurity teams can only gain that understanding by working with ground staff.
Once these relationships have been established, you should ensure you have a comprehensive understanding of your organisation’s environment – both physical and digital. Carrying out network mapping, asset inventories, and architectural deficiency audits are all crucial to truly knowing an environment.
The working relationships you have established will pay dividends here, as you can bring in staff from across the company to ensure you haven’t missed or misunderstood anything. It’s important that all of this is done in advance – conducting these activities before an incident has occurred costs relatively little, but incident response teams can charge a premium when the situation is urgent and resource intensive, as is most often the case in the wake of a cyber attack.
Now that you have a much deeper understanding of your environment, you’ll be better positioned to spot abnormalities and react to them before too much damage is done.
However, it’s important to remember that not every intrusion has immediately obvious impacts. If you stopped here, bad actors could spend months inside your systems, gaining their own understanding, and eventually leveraging this to wreak havoc on your organisation.
To prevent this, vulnerability management and passive detection are essential – you’ll be doing everything possible to stop cybercriminals from getting in and will know immediately if they do.
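The asset inventory and network map from the previous step are what make passive detection possible: once you know which hosts should exist and how they normally talk to one another, anything outside that baseline is worth a look. The following is an added example, not code from Dragos or the author, showing the shape of such a check. It assumes a constructed asset inventory (IP to hostname and role), a constructed set of known-good conversations, and constructed flow records carrying the Modbus/TCP function code; the role names and the list of roles allowed to issue writes are assumptions for the example.

```python
"""Passive detection against an asset baseline (added example, not from Dragos or the author).

Assumptions (all constructed for this example):
- The asset inventory is a dict of IP -> (hostname, role) built during network mapping.
- Flow records are dicts with src, dst, dport, proto and, for Modbus/TCP, 'func' (function code).
- Baseline conversations are the (src, dst, dport) triples seen during a known-good window.
"""
from dataclasses import dataclass

# Constructed asset inventory: what the mapping exercise says should be on the network.
ASSET_INVENTORY = {
    "10.10.1.10": ("ENG-WS-01", "engineering_workstation"),
    "10.10.1.20": ("HMI-01", "hmi"),
    "10.10.2.5": ("PLC-LINE1", "plc"),
    "10.10.2.6": ("PLC-LINE2", "plc"),
    "10.10.1.50": ("HIST-01", "historian"),
}

# Constructed known-good conversations (src, dst, dport) from the baseline window.
BASELINE_FLOWS = {
    ("10.10.1.20", "10.10.2.5", 502),
    ("10.10.1.20", "10.10.2.6", 502),
    ("10.10.1.10", "10.10.2.5", 502),
    ("10.10.1.10", "10.10.2.6", 502),
    ("10.10.1.50", "10.10.2.5", 502),
}

MODBUS_PORT = 502
# Public Modbus function codes that change state on the device.
MODBUS_WRITE_FUNCS = {5, 6, 15, 16, 22, 23}
# Roles the site's change policy allows to issue writes (assumption for this example).
WRITE_ALLOWED_ROLES = {"engineering_workstation", "hmi"}


@dataclass(frozen=True)
class Finding:
    severity: str
    rule: str
    detail: str


def role_of(ip):
    """Look up the inventory role for an IP, or None if the host is unknown."""
    entry = ASSET_INVENTORY.get(ip)
    return entry[1] if entry else None


def check_flow(flow, baseline=BASELINE_FLOWS, inventory=ASSET_INVENTORY):
    """Return the findings a single flow record triggers (empty list if benign)."""
    findings = []
    src, dst, dport = flow["src"], flow["dst"], flow["dport"]

    # 1. Unknown asset: a host the inventory does not know about is on the OT network.
    for ip in (src, dst):
        if ip not in inventory:
            findings.append(Finding("high", "unknown_asset", f"{ip} is not in the asset inventory"))

    # 2. New conversation: hosts talking in a way the baseline never saw.
    if (src, dst, dport) not in baseline:
        findings.append(Finding("medium", "new_conversation", f"{src} -> {dst}:{dport} not in baseline"))

    # 3. Modbus write from a role that should only read (e.g. the historian).
    if dport == MODBUS_PORT and flow.get("func") in MODBUS_WRITE_FUNCS:
        if role_of(src) not in WRITE_ALLOWED_ROLES:
            findings.append(Finding("high", "unexpected_modbus_write",
                f"{src} ({role_of(src) or 'unknown'}) sent write function {flow['func']} to {dst}"))
    return findings


def analyse(flows):
    """Run every flow through the rules; return all findings in input order."""
    out = []
    for f in flows:
        out.extend(check_flow(f))
    return out


# Constructed sample traffic: three benign flows followed by three that should alert.
SAMPLE_FLOWS = [
    {"src": "10.10.1.20", "dst": "10.10.2.5", "dport": 502, "proto": "tcp", "func": 3},   # HMI polls PLC
    {"src": "10.10.1.10", "dst": "10.10.2.6", "dport": 502, "proto": "tcp", "func": 16},  # engineer writes registers
    {"src": "10.10.1.50", "dst": "10.10.2.5", "dport": 502, "proto": "tcp", "func": 4},   # historian reads
    {"src": "10.10.1.50", "dst": "10.10.2.5", "dport": 502, "proto": "tcp", "func": 6},   # historian issuing a write
    {"src": "10.10.1.99", "dst": "10.10.2.5", "dport": 502, "proto": "tcp", "func": 3},   # host not in inventory
    {"src": "10.10.1.20", "dst": "10.10.2.6", "dport": 22, "proto": "tcp"},               # HMI to PLC on a new port
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_FLOWS):
        print(f"[{finding.severity}] {finding.rule}: {finding.detail}")
```

The point of the design is that every rule is a comparison against something the preparation phase already produced: the inventory, the baseline conversations, and the roles agreed with plant staff. A historian that suddenly writes to a PLC is only detectable as abnormal because the inventory records what a historian is for, which is why the relationship-building and mapping work has to come first.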
While the above processes may seem obvious, it’s important to remember that they are often neglected in industrial spaces. Even if you believe you have already bolstered staff relationships, gained an understanding of your environment, and put passive detection and vulnerability management in place, it’s important not to skip any steps.
2. Understand primary causes of concern
As soon as your house is in order, you’re ready to start thinking about your worst-case scenarios. Interview executive and industrial staff to find out what their worst possible day would be. Make sure you understand and log everything that could possibly go wrong – these are your primary causes of concern.
Once you have your worst-case scenarios, start thinking about what could cause them. Many of the causes won’t be cyber related, but it’s important that you map them anyway. Start at the top with more rudimentary, physical issues such as equipment failures or human error, and eventually you’ll reach computer issues.
This can include vulnerable digital devices in industrial networks that could cause issues throughout an organisation’s environment.
These causes and devices should be at the centre of your incident response plan. They are your crown jewels and must be protected. Run tabletop exercises, disaster recovery, network monitoring, and threat hunting on everything that could cause an issue in your environment.
This will help you understand what could go wrong and how, as well as how to remediate the issue once it has occurred.
It’s important to remember that your crown jewels aren’t always immediately obvious. Assuming you know all of your primary causes of concern can result in disaster: should problems arise in an area of your organisation you hadn’t considered, you’ll be left unprepared.
It’s essential that you don’t neglect any of these stages.
3. The incident response plan must be fully tested
You need to run through your incident response plan frequently. Cyber attacks can often occur late at night, on public holidays, or both, and you need to know you can respond even when it’s not convenient. Someone must be prepared to spring into action at any moment, or all your work will be for nothing.
It’s also important that every single member of staff understands their role in the event of a cyber attack. Run through your phone trees and ensure that they’re effective and up to date. If you keep an incident response team on retainer, make sure everyone in your company knows how to contact them, and run drills as you would for a fire or any other disaster.
Avoid basic mistakes
Now that you know what it takes to build an effective ICS/OT incident response plan, it’s worth pointing out a few common mistakes people make, so you can avoid them.
Perhaps the most common mistake organisations make when it comes to cyber incidents is a lack of preparedness. Not having an incident response plan in place can result in huge, unnecessary expenses in the wake of an attack. Hiring incident response teams post-incident is simply not good practice – they may have to tend to their existing customers first and they’ll have to spend time coming up to speed on your networks and technology stack, when time is of the essence.
Finally, it’s important that you don’t panic. Incident response is inherently stressful, but you must keep a cool head. It’s inevitable that you will make mistakes, but a well-exercised incident response plan will minimise their impact.