How to plan your ICS cybersecurity incident response

Organisations operating critical systems must plan and prepare to respond to Industrial Control Systems (ICS) cyber incidents, whether caused by unintentional insiders or malicious attackers.

Proper ICS cyber incident response (IR) planning minimises financial losses from system downtime, data loss, higher insurance premiums, a tarnished corporate image, and decreased employee and public safety. This paper applies only to ICS (e.g., supervisory control and data acquisition systems, building management systems) because most organisations already have information technology (IT) IR plans (IRPs) in place. It provides a high-level view of the IR stages, say Robert Talbot, senior IT manager, Parsons Information Security Office, and Jack D. Oden, principal project manager, Parsons Critical Infrastructure Operations.


Today’s ICS are commonly managed by Windows- or Linux-based human-machine interfaces, communicate via Internet protocols, and connect to the enterprise local area network and the Internet. The new architecture provides significant benefits, including cost savings, reduced reliance on proprietary equipment vendors, and easier and faster data transfer to the accounting department and to upper management.

Unfortunately, with the benefits come increased risks due to Internet-based cyber attacks. It is no longer a question of whether there will be an attack, but when. No company or organisation can prevent all cyber attacks, yet most ICS organisations remain unprepared.

Pre-Incident preparation

Although it is wise to create an IRP and IR team (IRT) for ICS, cyber incident prevention saves significant time and money. While offices function effectively without email for a day or more, ICS cannot afford downtime. Controlling ICS access reduces pathways available for attackers to insert malware. Because most ICS attacks come in through the enterprise, that access should be secured first. In addition, intrusion detection systems that recognise ICS protocols have recently appeared in the marketplace, making it possible to pinpoint how an attacker gained system access.


Some basic steps reduce the effects of an incident and help get the ICS back online more quickly. Testing backup tapes periodically ensures that functional backup ICS configurations are available. Using intrusion detection systems that can parse proprietary protocols is essential, because proprietary systems are still susceptible to cyber attacks and are vulnerable to individuals with system knowledge.

Incident response preparation

Assemble a cyber Incident Response team

Assembling a cyber IRT is the first of two important steps in developing effective IR capability. The team should comprise ICS engineers and administrators, network and system administrators, facilities operators, and representatives from IT, cybersecurity, human resources, communications, and legal. The IRT should coordinate with various law enforcement agencies, industry regulators, and vendors.

IRT composition must balance internal staff against outside experts experienced in IR, forensics, evidence collection and preservation, attacks and exploits, or various other cybersecurity fields. Outside experts may be faster and more thorough, while ICS staff have systems knowledge.

Create an Incident Response plan

An effective IRP is as important as the IRT. Once an ICS goes down, responders need time to find the source and extent of the infection despite organisational pressure.

Once the plan has been reviewed and finalised by the entire IRT, several important tasks must be accomplished:

    • Initial and periodic testing
    • Relationships with law enforcement
    • Contact lists with external entities
    • Alternate communications paths
    • IRT organisational chart and contact information
    • System password secure storage

Incident Response Plan

Scope and purpose

The IRP applies to suspected or verified ICS cybersecurity incidents. It outlines general guidelines for detecting, classifying, and responding to ICS cybersecurity incidents in order to minimise disruptions of ICS operations.

Incident handling procedures

Following proven procedures will enable faster production restart and lessen the chance of making mistakes. Several Internet sites outline good best practices that the IRT can use to develop company-specific procedures.

Incident identification


Finding, containing, and eradicating breaches during the first 24 hours is crucial. ICS administrators must work with IR personnel quickly but carefully to accurately characterise the situation as either a cyber incident or just a system malfunction.


When an incident has been confirmed, the IRT leader, the chief information security officer, executive management, and the legal department should be notified. If appropriate, law enforcement should be contacted.


It is critical to identify which systems were infected, when they were infected, and the entry point used. With proper network segmentation and secured outside connections, firewall and other logs can help determine when the malware entered the network. For a cybercrime, preserve evidence and maintain the chain of custody; compromised evidence is inadmissible in a court of law. Also, identify any witnesses.
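As an added illustration of the point above, not code from the article or its authors: when segmentation is in place, the earliest permitted flow that crosses a zone boundary the policy does not allow gives an upper bound on when the intrusion began. The log format, zone prefixes, addresses and policy are all constructed for this example.

```python
# Added example: bound the time of entry from firewall logs by finding the
# first ALLOWED flow that violates the ICS segmentation policy.
# Log format, zones, addresses and policy are constructed, not from the article.
from datetime import datetime

# Constructed policy: the only (source zone, destination zone) pairs expected.
ALLOWED_FLOWS = {
    ("enterprise", "dmz"), ("dmz", "ics"), ("ics", "dmz"), ("enterprise", "internet"),
}

# Constructed zone map; any address outside these prefixes is treated as Internet.
ZONES = {"10.0.0.": "enterprise", "10.1.0.": "dmz", "10.2.0.": "ics"}

def zone_of(ip):
    for prefix, zone in ZONES.items():
        if ip.startswith(prefix):
            return zone
    return "internet"

def parse_line(line):
    # Constructed line format: "<ISO timestamp> action=<ALLOW|DENY> src=<ip> dst=<ip> dport=<n>"
    parts = line.split()
    fields = dict(f.split("=", 1) for f in parts[1:])
    return (datetime.fromisoformat(parts[0]), fields["action"],
            fields["src"], fields["dst"], int(fields["dport"]))

def policy_violations(log_lines):
    """All ALLOWED flows that the segmentation policy does not permit, oldest first."""
    found = []
    for line in log_lines:
        ts, action, src, dst, dport = parse_line(line)
        if action != "ALLOW":
            continue  # a denied flow never crossed the boundary
        if (zone_of(src), zone_of(dst)) not in ALLOWED_FLOWS:
            found.append((ts, src, dst, dport))
    return sorted(found)

def first_policy_violation(log_lines):
    """Earliest violating flow: a candidate entry point and a bound on when it began."""
    found = policy_violations(log_lines)
    return found[0] if found else None

# Constructed sample log: enterprise host reaches the ICS zone directly, then an
# ICS host talks to the Internet. Neither path is in the policy.
SAMPLE_LOG = [
    "2021-05-02T23:59:10 action=ALLOW src=10.0.0.45 dst=10.1.0.5 dport=443",
    "2021-05-03T01:02:30 action=DENY src=10.0.0.45 dst=10.2.0.12 dport=445",
    "2021-05-03T02:14:07 action=ALLOW src=10.0.0.45 dst=10.2.0.12 dport=445",
    "2021-05-03T02:20:11 action=ALLOW src=10.2.0.12 dst=203.0.113.9 dport=443",
]
```

The earlier DENY to the same ICS destination is worth keeping in the timeline as well: it shows the boundary was probed before it was crossed, which narrows the window responders must examine.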


Once contained, malware must be cleaned from each infected system and Windows registry. If any traces remain, the systems will become reinfected when reconnected to the network.

System restoration

Before restarting the system, restore corrupted data using uncorrupted backup data. If unsure when malware entered the system, reload the operating system and applications from the original backups.

Lessons learned

The IRT should formalise lessons learned to document successes and improvement opportunities and to standardise the IRP.


Successful IR depends on planning and funding for an incident, and it must be part of the company’s overall risk program. Because no single entity provides both IT and ICS cybersecurity funding, some diplomacy and homework are necessary. Usually, one high‑level manager understands the importance of an IRT. If recruited as the team’s champion, that manager can convince other senior managers to provide team members.

Parsons Cyber Solutions Centre

Assessments alone do not secure systems. Establishing controls is best achieved by engaging a qualified external organisation to perform IT and ICS vulnerability assessments.

Although the IT world realised over 20 years ago that cyber incidents cause financial loss, the ICS world has been slow to recognise the benefits of cybersecurity, despite incidents such as Stuxnet and the Target™ point of sale attacks.

Conclusion and recommendations

Highly publicised attacks have raised awareness of the need to secure ICS and possess IR capability through an effective IRP and a well-trained IRT. A culture shift is necessary to advance cyber incident prevention and recovery. The change is coming, but slowly. Companies should accelerate development of cyber IR for ICS.

The authors of this blog are Robert Talbot, senior IT manager, Parsons Information Security Office and Jack D. Oden, principal project manager, Parsons Critical Infrastructure Operations
