How to plan your ICS cybersecurity incident response

Organisations operating critical systems must plan and prepare to respond to Industrial Control Systems (ICS) cyber incidents, whether caused by unintentional insiders or malicious attackers.

Proper ICS cyber incident response (IR) planning minimises financial losses from system downtime, data loss, higher insurance premiums, tarnished corporate image, and decreased employee and public safety. This paper applies only to ICS (e.g., supervisory control and data acquisition systems, building management systems) because most organisations already have information technology (IT) IR plan (IRPs) in place. It provides a high-level view of IR stages, says Robert Talbot, senior IT manager, Parsons Information Security Office and Jack D. Oden, principal project manager, Parsons Critical Infrastructure Operations.


Today’s ICS are commonly managed by Windows- or LINUX- based human-machine interfaces, communicate via Internet protocols, and connect to the enterprise local area network and the Internet. The new architecture provides significant benefits, including cost savings, reduced reliance on proprietary equipment vendors, and easier/faster data transfer to the accounting department and to upper management.

Unfortunately, with the benefits come increased risks due to Internet-based cyber attacks. It is no longer a question of whether there will be an attack, but when. No company or organisation can prevent all cyber attacks, yet most ICS organisations remain unprepared.

Pre-Incident preparation

Although it is wise to create an IRP and IR team (IRT) for ICS, cyber incident prevention saves significant time and money. While offices function effectively without email for a day or more, ICS cannot afford downtime. Controlling ICS access reduces pathways available for attackers to insert malware. Because most ICS attacks come in through the enterprise, that access should be secured first. In addition, intrusion detection systems that recognise ICS protocols have recently appeared in the marketplace, making it possible to pinpoint how an attacker gained system access.

Robert Talbot

Some basic steps reduce the effects of an incident and help get the ICS back online quicker. Testing backup tapes periodically ensures functional backup ICS configurations are available. Using intrusion detection systems capable of proprietary protocols is essential because proprietary systems are susceptible to cyber attacks and vulnerable to individuals with system knowledge.

Incident response preparation

Assemble a cyber Incident Response team

Assembling a cyber IRT is the first of two important steps in developing effective IR capability. The team should comprise ICS engineers and administrators, network and system administrators, facilities operators, and representatives from IT, cybersecurity, human resources, communications, and legal. The IRT should coordinate with various law enforcement agencies, industry regulators, and vendors.

IRT composition must balance internal staff against outside experts experienced in IR, forensics, evidence collection and preservation, attacks and exploits, or various other cybersecurity fields. Outside experts may be faster and more thorough, while ICS staff have systems knowledge.

Create an Incident Response plan

An effective IRP is as important as the IRT. Once an ICS goes down, responders need time to find the source and extent of the infection despite organisational pressure.

Once the plan has been reviewed and finalised by the entire IRT, several important tasks must be accomplished:

    • Initial and periodic testing
    • Relationships with law enforcement
    • Contact lists with external entities
    • Alternate communications paths
    • IRT organisational chart and contact information
    • System password secure storage

Incident Response Plan

Scope and purpose

The IRP applies to suspected or verified ICS cybersecurity incidents. It outlines general guidelines for detecting, classifying, and responding to ICS cybersecurity incidents in order to minimise disruptions of ICS operations.

Incident handling procedures

Following proven procedures will enable faster production restart and lessen the chance of making mistakes. Several Internet sites outline good best practices that the IRT can use to develop company-specific procedures.

Incident identification

Jack D. Oden

Finding, containing, and eradicating breaches during the first 24 hours is crucial. ICS administrators must work with IR personnel quickly but carefully to accurately characterise the situation as either a cyber incident or just a system malfunction.


When an incident has been confirmed, the IRT leader, the chief information security officer, executive management, and the legal department should be notified. If appropriate, law enforcement should be contacted.


It is critical to identify infected systems, when infected, and entry point used. With proper network segmentation and secured outside connections, firewall and other logs can help determine when the malware entered the network. For a cybercrime, preserve evidence and maintain the chain of custody; compromised evidence is inadmissible in a court of law. Also, identify any witnesses.


Once contained, malware must be cleaned from each infected system and Windows registry. If any traces remain, the systems will become reinfected when reconnected to the network.

System restoration

Before restarting the system, restore corrupted data using uncorrupted backup data. If unsure when malware entered the system, reload the operating system and applications from the original backups.

Lessons learned

The IRT should formalise lessons learned to document successes and improvement opportunities and to standardise the IRP.


Successful IR depends on planning and funding for an incident, and it must be part of the company’s overall risk program. Because no single entity provides both IT and ICS cybersecurity funding, some diplomacy and homework is necessary. Usually, one high‑level manager understands the importance of an IRT. If recruited as the team’s champion, that manager can convince other senior managers to provide team members.

Parsons Cyber Solutions Centre

Assessments alone do not secure systems. Establishing controls is best achieved by engaging a qualified external organisation to perform IT and ICS vulnerability assessments.

Although the IT world realised over 20 years ago that cyber incidents cause financial loss, the ICS world has been slow to recognise the benefits of cybersecurity, despite incidents such as Stuxnet and the Target™ point of sale attacks.

Conclusion and recommendations

Highly publicised attacks have raised awareness of the need to secure ICS and possess IR capability through an effective IRP and a well-trained IRT. A culture shift is necessary to advance cyber incident prevention and recovery. The change is coming, but slowly. Companies should accelerate development of cyber IR for ICS.

The authors of this blog are Robert Talbot, senior IT manager, Parsons Information Security Office and Jack D. Oden, principal project manager, Parsons Critical Infrastructure Operations

Here is the link back to the full Anthology

Comment on this article below or via Twitter: @IoTNow OR @jcIoTnow


Ericsson, Thales launches IoT accelerator device connect with eSIMs for enterprises

Posted on: December 2, 2022

Ericsson’s Internet of Things (IoT) business, in partnership with Thales, launches IoT Accelerator Device Connect, a service offering generic eSIMs unbundled from pre-selected Service Providers. For the first time, enterprises have the flexibility to select one or more Service Providers easily and instantly at the time of device activation. This new business model dramatically accelerates

Read more

Airtel Business wins IoT solution mandate for Smart Meters from TPWODL

Posted on: December 2, 2022

Burla, Odisha, 29 November 2022 – Bharti Airtel (Airtel), India’s communications solutions provider has announced that it has won a cellular IoT solution mandate with TP Western Odisha Distribution Limited, (TPWODL), a Joint venture between Government of Odisha and Tata Power. The mandate will see Airtel power 200,000 Smart Meters with IoT solution, of which 70,000

Read more

The IoT Adoption Boom – Everything You Need to Know

Posted on: September 28, 2022

In an age when we seem to go through technology boom after technology boom, it’s hard to imagine one sticking out. However, IoT adoption, or the Internet of Things adoption, is leading the charge to dominate the next decade’s discussion around business IT. Below, we’ll discuss the current boom, what’s driving it, where it’s going,

Read more

9 IoT applications that will change everything

Posted on: September 1, 2021

Whether you are a future-minded CEO, tech-driven CEO or IT leader, you’ve come across the term IoT before. It’s often used alongside superlatives regarding how it will revolutionize the way you work, play, and live. But is it just another buzzword, or is it the as-promised technological holy grail? The truth is that Internet of

Read more

Which IoT Platform 2021? IoT Now Enterprise Buyers’ Guide

Posted on: August 30, 2021

There are several different parts in a complete IoT solution, all of which must work together to get the result needed, write IoT Now Enterprise Buyers’ Guide – Which IoT Platform 2021? authors Robin Duke-Woolley, the CEO and Bill Ingle, a senior analyst, at Beecham Research. Figure 1 shows these parts and, although not all

Read more

CAT-M1 vs NB-IoT – examining the real differences

Posted on: June 21, 2021

As industry players look to provide the next generation of IoT connectivity, two different standards have emerged under release 13 of 3GPP – CAT-M1 and NB-IoT.

Read more

IoT and home automation: What does the future hold?

Posted on: June 10, 2020

Once a dream, home automation using iot is slowly but steadily becoming a part of daily lives around the world. In fact, it is believed that the global market for smart home automation will reach $40 billion by 2020.

Read more

5 challenges still facing the Internet of Things

Posted on: June 3, 2020

The Internet of Things (IoT) has quickly become a huge part of how people live, communicate and do business. All around the world, web-enabled devices are turning our world into a more switched-on place to live.

Read more

What is IoT?

Posted on: July 7, 2019

What is IoT Data as a new oil IoT connectivity What is IoT video So what’s IoT? The phrase ‘Internet of Things’ (IoT) is officially everywhere. It constantly shows up in my Google news feed, the weekend tech supplements are waxing lyrical about it and the volume of marketing emails I receive advertising ‘smart, connected

Read more