Incident Response Planning

“Plan to Fail, don’t Fail to Plan”

It might be a difficult message for some in our industry to hear, but the reality is that at some point there will likely be a security incident in your OT system. Whether it is some forgotten about remote connection for maintenance that was never properly secured, or an inadvertent (or malicious) operator action that causes an event, the key to whether it brings your process down or is managed and contained in an orderly way will be down to your Incident Response Plan (IRP).

Whilst most businesses will have a response and recovery plan for their IT infrastructure, it does not necessarily follow that this plan can also be utilised in an OT context. There are key differences in the requirements and operation of Industrial Control systems that mean having a dedicated OT IRP will pay dividends when things go wrong.

For example, the loss of a part of your Industrial Control System (ICS) could mean the plant or process will stop, so you will need to ensure that Control Systems engineers and technicians should be on the key contacts list, rather than just IT focussed staff. Also, recovery from an incident can be more difficult because often ICS are within validated systems, so there needs to be some process to manage & revalidate the workstations and databases servers which have been reimaged from backups, before operations can start. Not to mention that Distributed Control Systems (DCS) and Programmable Logic Controllers (PLCs) can’t be reimaged in the same way that PCs can.

Another point to note is that if you have an incident, but the systems are still operational, then one can’t simply remove and replace the affected items. Availability is crucial in ICS, so managing the running process is just as much of a concern as managing the security incident.

What are the key considerations you should be looking for when designing your OT IRP?

First, there are lots of good sources of information to help you to get started. Government agencies are typically a good place to start. The US ICS-CERT has published a document with recommended practices (https://ics-cert.us-cert.gov/Abstract-ICS-Cyber-Incident-Response-Plan-RP ).

In the UK, the new NIS Directive has a clear objective (D1. Response and Recovery Planning) to ensure that Operators of Essential Services have put some thought into their Incident Response Planning. The NCSC CAF (https://www.ncsc.gov.uk/guidance/caf-objective-d) has a list of Indicators of Good Practice (IGP) for response and recovery. These recommendations are useful not only for the operators who will be directly affected by the NIS regulation, but are also good advice for any company with ICS looking to develop and mature their own incident response plan.

Key areas to look at:

Planning – Plan the IRP, brief everybody who has a role, and make sure that the plan is tested in a table-top exercise or some other simulated scenario. Understand the most critical areas of your system, so a graded response can be enacted depending on the location of the incident.

Communications – how will you co-ordinate with team members in the event of an incident? If your internal network is unavailable due to the incident, then an alternative to email will be required, such as text messaging, WhatsApp etc. Make sure you have an up to date record of everyone’s phone numbers and other contact details.

One important area to consider as part of the IRP is the collection/storage of the system forensics to allow full analysis of the security event to take place, to understand how it happened which will enable the correct mitigations to be put in place to prevent future occurrence. Dedicated ICS tools are available that can detect these incidents and store all the system logs. Such tools can also push the information into a Security Incident and Event Management (SIEM) system which could be part of a dedicated OT Security Operations Centre (SOC), or a shared Enterprise SOC. (There are lots of additional questions on this topic: whether to go for a combined IT/OT SOC, or dedicated for OT; whether to go in-house or to a manged SOC service provider, etc etc. These will be the focus of a future blog post).

Sharing information within the community – you may be able to find answers to your problems, plus you can warn similar organisations of the incidents you are experiencing, the indicators of compromise etc, to help the community become more robust. In the UK, forums such as the CiSP (https://www.ncsc.gov.uk/cisp) are invaluable for this type of information sharing.

If you have any questions on Incident Response Planning or would like to explore how Regency / Airbus CyberSecurity can help your organisation, please contact us on our office number 01242 225699 or email us at enquiries@regencyitc.co.uk

By Ben Worthy (Security Consultant – OT Cyber Consulting Team)