How to plan your ICS cybersecurity incident response

Organisations operating critical systems must plan and prepare to respond to Industrial Control Systems (ICS) cyber incidents, whether caused by unintentional insiders or malicious attackers.

Proper ICS cyber incident response (IR) planning minimises the financial losses that follow from system downtime, data loss, higher insurance premiums, a tarnished corporate image, and reduced employee and public safety. This paper applies only to ICS (e.g., supervisory control and data acquisition systems, building management systems) because most organisations already have information technology (IT) IR plans (IRPs) in place. It provides a high-level view of the IR stages, say Robert Talbot, senior IT manager, Parsons Information Security Office, and Jack D. Oden, principal project manager, Parsons Critical Infrastructure Operations.


Today’s ICS are commonly managed by Windows- or Linux-based human-machine interfaces (HMIs), communicate over Internet protocols, and connect to the enterprise local area network and the Internet. The new architecture provides significant benefits, including cost savings, reduced reliance on proprietary equipment vendors, and easier and faster transfer of data to the accounting department and to upper management.

Unfortunately, with the benefits come increased risks due to Internet-based cyber attacks. It is no longer a question of whether there will be an attack, but when. No company or organisation can prevent all cyber attacks, yet most ICS organisations remain unprepared.

Pre-Incident preparation

Although it is wise to create an IRP and IR team (IRT) for ICS, preventing incidents in the first place saves significant time and money. Offices can function without email for a day or more, but ICS cannot afford downtime. Controlling access to the ICS reduces the pathways available for attackers to insert malware; because most ICS attacks arrive through the enterprise network, that connection should be secured first. In addition, intrusion detection systems that understand ICS protocols have recently appeared in the marketplace, making it possible to pinpoint how an attacker gained access to the system.


Some basic steps reduce the effects of an incident and get the ICS back online sooner. Testing backup tapes periodically ensures that working backup ICS configurations are actually available when they are needed. Intrusion detection systems that can decode proprietary ICS protocols are essential: proprietary systems are not immune to cyber attack, and they are especially vulnerable to individuals with inside knowledge of how they work.
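The kind of protocol-aware detection the two paragraphs above describe, as an added example written for this article rather than code from the authors or from Parsons: it parses Modbus/TCP frames (the MBAP header and function code from the public Modbus specification), alerts on any Modbus traffic from a host that is not on an assumed allowlist of HMI and engineering workstations, rates write requests as high severity, and reports the earliest alert so the first point of contact can be pinpointed. The addresses, the allowlist and the captured frames are constructed for illustration.

```python
"""Protocol-aware detection for Modbus/TCP (added example, not the authors'
code). Host addresses, the allowlist and the frames are constructed."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# Public Modbus function codes that change process state.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}

# Assumed allowlist: the only hosts permitted to talk Modbus to the PLCs.
APPROVED_CLIENTS = {"10.10.1.10": "HMI", "10.10.1.11": "engineering workstation"}


@dataclass
class Frame:
    ts: str        # ISO-8601 capture time
    src: str
    dst: str
    payload: bytes


def parse_modbus_tcp(payload: bytes) -> Optional[Dict]:
    """Parse the 7-byte MBAP header and function code; None if not Modbus/TCP."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    if proto != 0:                    # protocol identifier is always 0 for Modbus
        return None
    if length != len(payload) - 6:    # length field covers unit id + PDU
        return None
    return {"tid": tid, "unit": unit, "function": payload[7], "data": payload[8:]}


def detect(frames: List[Frame]) -> List[Dict]:
    """Alert on any Modbus traffic from a non-approved client; writes are 'high'."""
    alerts = []
    for f in sorted(frames, key=lambda x: x.ts):
        pdu = parse_modbus_tcp(f.payload)
        if pdu is None or f.src in APPROVED_CLIENTS:
            continue
        fc = pdu["function"]
        if fc in WRITE_FUNCTIONS:
            sev, name = "high", WRITE_FUNCTIONS[fc]
        else:
            sev, name = "medium", READ_FUNCTIONS.get(fc, f"function {fc}")
        alerts.append({"ts": f.ts, "src": f.src, "dst": f.dst,
                       "unit": pdu["unit"], "function": name, "severity": sev})
    return alerts


def first_contact(alerts: List[Dict]) -> Optional[Dict]:
    """Earliest alert: where the unapproved host first touched the ICS."""
    return min(alerts, key=lambda a: a["ts"]) if alerts else None


def _frame(ts: str, src: str, dst: str, pdu: bytes, unit: int = 1, tid: int = 1) -> Frame:
    """Build a Modbus/TCP frame: MBAP length = unit id (1 byte) + PDU."""
    return Frame(ts, src, dst, struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu)


# Constructed capture: the HMI reads and writes normally, then an
# enterprise-side host (10.10.50.23) reads the PLC and pushes two writes.
SAMPLE_FRAMES = [
    _frame("2021-09-14T02:10:00Z", "10.10.1.10", "10.10.1.30", struct.pack("!BHH", 3, 0, 10)),
    _frame("2021-09-14T02:10:05Z", "10.10.1.10", "10.10.1.30", struct.pack("!BHH", 6, 100, 1)),
    _frame("2021-09-14T02:14:30Z", "10.10.50.23", "10.10.1.30", struct.pack("!BHH", 3, 0, 125)),
    _frame("2021-09-14T02:15:22Z", "10.10.50.23", "10.10.1.30",
           struct.pack("!BHHB", 16, 100, 2, 4) + struct.pack("!HH", 0, 0)),
    _frame("2021-09-14T02:15:40Z", "10.10.50.23", "10.10.1.30", struct.pack("!BHH", 5, 7, 0xFF00)),
    Frame("2021-09-14T02:16:00Z", "10.10.50.23", "10.10.1.30", b"GET / HTTP/1.1\r\n"),  # not Modbus
]


if __name__ == "__main__":
    found = detect(SAMPLE_FRAMES)
    for a in found:
        print(f"{a['ts']} {a['severity']:6} {a['src']} -> {a['dst']} unit {a['unit']}: {a['function']}")
    fc = first_contact(found)
    print("first contact:", fc["ts"], "from", fc["src"])
```

Run on the constructed capture it produces one medium alert for the reconnaissance read and two high alerts for the writes, all from 10.10.50.23, with the read as first contact. A real deployment would feed it frames from a span port and would also validate the PDU body per function code, which this example deliberately leaves out.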

Incident response preparation

Assemble a cyber Incident Response team

Assembling a cyber IRT is the first of two important steps in developing effective IR capability. The team should comprise ICS engineers and administrators, network and system administrators, facilities operators, and representatives from IT, cybersecurity, human resources, communications, and legal. The IRT should coordinate with various law enforcement agencies, industry regulators, and vendors.

IRT composition must balance internal staff against outside experts experienced in IR, forensics, evidence collection and preservation, attacks and exploits, or other cybersecurity fields. Outside experts may be faster and more thorough, while ICS staff bring knowledge of the systems themselves.

Create an Incident Response plan

An effective IRP is as important as the IRT. Once an ICS goes down, responders need time to find the source and extent of the infection, and the plan gives them the backing to take that time despite organisational pressure to restart production.

Once the plan has been reviewed and finalised by the entire IRT, several important tasks remain:

    • Initial and periodic testing of the plan
    • Relationships with law enforcement
    • Contact lists for external entities
    • Alternate communications paths
    • IRT organisational chart and contact information
    • Secure storage of system passwords

Incident Response Plan

Scope and purpose

The IRP applies to suspected or verified ICS cybersecurity incidents. It outlines general guidelines for detecting, classifying, and responding to ICS cybersecurity incidents in order to minimise disruptions of ICS operations.

Incident handling procedures

Following proven procedures enables a faster production restart and reduces the chance of mistakes. Several Internet sites outline good practices that the IRT can use to develop company-specific procedures.

Incident identification


Finding, containing, and eradicating breaches during the first 24 hours is crucial. ICS administrators must work with IR personnel quickly but carefully to characterise the situation accurately as either a cyber incident or simply a system malfunction.


When an incident has been confirmed, the IRT leader, the chief information security officer, executive management, and the legal department should be notified. If appropriate, law enforcement should be contacted.


It is critical to identify which systems are infected, when they were infected, and the entry point used. With proper network segmentation and secured outside connections, firewall and other logs can help determine when the malware entered the network. If a crime is suspected, preserve evidence and maintain the chain of custody; evidence whose integrity or custody cannot be demonstrated may be ruled inadmissible in court. Also identify any witnesses.
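A worked version of the two points in the paragraph above, added for this article and not taken from the authors: a small parser for key=value firewall logs, a function that finds the earliest permitted session into a suspected victim from outside the ICS zone and then lists everything the victim initiated afterwards (the entry point and the subsequent lateral or outbound activity), and a minimal chain-of-custody record that hashes the log export at collection time so that it can be shown later to be unchanged. The log format, firewall name, zone names and addresses are all constructed for illustration.

```python
"""Entry-point timeline from firewall logs plus evidence hashing (added
example, not the authors' code). Log lines, zones and hosts are constructed."""
import hashlib
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed firewall export; zone is written "<from>-><to>".
LOG_LINES = """\
2021-09-14T01:30:00Z fw01 action=allow src=10.10.1.10 dst=10.10.1.20 dport=502 proto=tcp zone=ICS->ICS
2021-09-14T01:58:40Z fw01 action=deny src=10.10.50.23 dst=10.10.1.20 dport=445 proto=tcp zone=ENT->ICS
2021-09-14T02:13:07Z fw01 action=allow src=10.10.50.23 dst=10.10.1.20 dport=3389 proto=tcp zone=ENT->ICS
2021-09-14T02:15:22Z fw01 action=allow src=10.10.1.20 dst=10.10.1.30 dport=502 proto=tcp zone=ICS->ICS
2021-09-14T02:16:01Z fw01 action=allow src=10.10.1.20 dst=203.0.113.45 dport=443 proto=tcp zone=ICS->WAN
2021-09-14T02:20:15Z fw01 action=deny src=10.10.1.20 dst=10.10.1.31 dport=502 proto=tcp zone=ICS->ICS
""".splitlines()

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_firewall_log(lines: List[str]) -> List[Dict]:
    """One dict per line: the key=value fields plus parsed 'ts' and the firewall name."""
    events = []
    for line in lines:
        ts, fw, rest = line.split(" ", 2)
        ev = dict(FIELD_RE.findall(rest))
        ev["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        ev["fw"] = fw
        events.append(ev)
    return events


def entry_timeline(events: List[Dict], victim: str) -> Optional[Dict]:
    """Earliest permitted session into `victim` from outside the ICS zone, and
    everything `victim` initiated from that moment on (lateral movement, C2)."""
    inbound = [e for e in events
               if e["dst"] == victim and e["action"] == "allow"
               and not e["zone"].startswith("ICS->")]
    if not inbound:
        return None
    first = min(inbound, key=lambda e: e["ts"])
    later = [e for e in events if e["src"] == victim and e["ts"] >= first["ts"]]
    return {"first_contact": first, "victim_activity": sorted(later, key=lambda e: e["ts"])}


def evidence_record(item: str, data: bytes, collector: str,
                    when: Optional[datetime] = None) -> Dict:
    """Hash the artefact at collection time and open its custody log."""
    when = when or datetime.now(timezone.utc)
    return {"item": item, "sha256": hashlib.sha256(data).hexdigest(),
            "custody": [(when.isoformat(), collector, "collected")]}


def transfer_custody(rec: Dict, recipient: str, when: Optional[datetime] = None) -> Dict:
    """Append a hand-over entry; every holder of the artefact is recorded."""
    when = when or datetime.now(timezone.utc)
    rec["custody"].append((when.isoformat(), recipient, "received"))
    return rec


def verify_evidence(rec: Dict, data: bytes) -> bool:
    """True only if the artefact still matches the hash taken at collection."""
    return hashlib.sha256(data).hexdigest() == rec["sha256"]


if __name__ == "__main__":
    tl = entry_timeline(parse_firewall_log(LOG_LINES), "10.10.1.20")
    fc = tl["first_contact"]
    print(f"first contact: {fc['ts'].isoformat()} {fc['src']} -> {fc['dst']}:{fc['dport']}")
    for e in tl["victim_activity"]:
        print(f"  {e['ts'].isoformat()} {e['action']:5} {e['src']} -> {e['dst']}:{e['dport']} ({e['zone']})")
    raw = "\n".join(LOG_LINES).encode()
    rec = evidence_record("fw01 export", raw, "analyst A")
    transfer_custody(rec, "forensics lab")
    print("evidence intact:", verify_evidence(rec, raw), "custody entries:", len(rec["custody"]))
```

On the constructed log the first contact is the permitted RDP session (port 3389) from the enterprise host at 02:13:07; the earlier SMB attempt was denied and so is not the entry point, and the victim's later PLC write and outbound HTTPS session follow it in the timeline. The custody record is only as good as the protection of the record itself, so in practice it is signed or stored in a write-once location.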


Once contained, malware must be removed from each infected system, including any persistence it has established (for example, entries in the Windows registry). If any traces remain, the systems will be reinfected when they are reconnected to the network.

System restoration

Before restarting the system, restore corrupted data from backups that are known to be uncorrupted. If it is unclear when the malware entered the system, reload the operating system and applications from the original backups rather than from any backup that may already contain the infection.
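The backup checks that the restoration step above and the earlier advice to test backups periodically both rely on, as an added example written for this article rather than code from the authors: a manifest of SHA-256 hashes taken from a known-good configuration set, a verifier that reports missing, modified or unexpected files in a backup set, and a chooser that picks the latest verified backup taken strictly before the first known sign of compromise, returning None (rebuild from original media) when the compromise time is unknown or no backup predates it. File names, contents and backup dates are constructed for illustration.

```python
"""Backup manifest verification and restore-point selection (added example,
not the authors' code). Files, contents and dates are constructed."""
import hashlib
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

Files = Dict[str, bytes]   # file name -> content, as read from one backup set


def build_manifest(files: Files) -> Dict[str, str]:
    """Record the SHA-256 of every file in a known-good configuration set."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def verify_backup(manifest: Dict[str, str], files: Files) -> Dict:
    """Compare a backup set with the manifest; 'ok' only when nothing differs."""
    missing = sorted(n for n in manifest if n not in files)
    modified = sorted(n for n in manifest if n in files
                      and hashlib.sha256(files[n]).hexdigest() != manifest[n])
    unexpected = sorted(n for n in files if n not in manifest)
    return {"ok": not (missing or modified or unexpected),
            "missing": missing, "modified": modified, "unexpected": unexpected}


def choose_restore_point(backups: List[Tuple[datetime, str, bool]],
                         first_compromise: Optional[datetime]) -> Optional[str]:
    """Label of the latest verified backup taken strictly before first_compromise.
    None means no trustworthy backup exists: rebuild from original media instead."""
    if first_compromise is None:
        return None
    candidates = [(ts, label) for ts, label, verified in backups
                  if verified and ts < first_compromise]
    return max(candidates)[1] if candidates else None


def _utc(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed known-good configuration and three nightly backup sets; the
# last one contains an HMI file altered after the intrusion.
GOLDEN: Files = {
    "plc_line1.l5x": b"<RSLogix5000Content><Controller Name='LINE1'/></RSLogix5000Content>",
    "hmi_line1.xml": b"<hmi><screen id='1'/></hmi>",
}
MANIFEST = build_manifest(GOLDEN)
BACKUP_SETS: Dict[str, Files] = {
    "2021-09-10": dict(GOLDEN),
    "2021-09-13": dict(GOLDEN),
    "2021-09-15": {**GOLDEN, "hmi_line1.xml": b"<hmi><screen id='1'/><script src='x'/></hmi>"},
}
FIRST_COMPROMISE = _utc("2021-09-14T02:13:07")   # from the firewall timeline


def backup_inventory() -> List[Tuple[datetime, str, bool]]:
    """Verify every backup set against the manifest (the periodic test)."""
    return [(_utc(date), date, verify_backup(MANIFEST, files)["ok"])
            for date, files in BACKUP_SETS.items()]


if __name__ == "__main__":
    inventory = backup_inventory()
    for ts, label, ok in inventory:
        print(f"{label}: {'OK' if ok else 'FAILED'} {verify_backup(MANIFEST, BACKUP_SETS[label])}")
    print("restore from:", choose_restore_point(inventory, FIRST_COMPROMISE))
    print("compromise time unknown ->", choose_restore_point(inventory, None))
```

With the constructed data the 2021-09-13 set is chosen: it verifies cleanly and predates the 02:13 first contact, whereas the 2021-09-15 set fails verification on hmi_line1.xml. The manifest itself has to be stored somewhere the attacker cannot reach, otherwise a modified backup can be paired with a matching modified manifest.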

Lessons learned

The IRT should formalise lessons learned to document successes and improvement opportunities and to standardise the IRP.


Successful IR depends on planning and funding for an incident, and it must be part of the company’s overall risk programme. Because no single entity provides both IT and ICS cybersecurity funding, some diplomacy and homework are necessary. Usually, one high-level manager understands the importance of an IRT. If recruited as the team’s champion, that manager can convince other senior managers to provide team members.


Assessments alone do not secure systems; they identify the gaps that the organisation must then close with controls. Engaging a qualified external organisation to perform IT and ICS vulnerability assessments is the best way to establish where those controls are needed.

Although the IT world realised over 20 years ago that cyber incidents cause financial loss, the ICS world has been slow to recognise the benefits of cybersecurity, despite incidents such as Stuxnet and the Target point-of-sale breach.

Conclusion and recommendations

Highly publicised attacks have raised awareness of the need to secure ICS and possess IR capability through an effective IRP and a well-trained IRT. A culture shift is necessary to advance cyber incident prevention and recovery. The change is coming, but slowly. Companies should accelerate development of cyber IR for ICS.

The authors of this blog are Robert Talbot, senior IT manager, Parsons Information Security Office and Jack D. Oden, principal project manager, Parsons Critical Infrastructure Operations
