Similarly, although the Colonial Pipeline attack could not be prevented, the damage was contained by following an industrial cyber incident response protocol, in this case taking key assets offline. This ensured both employee and customer safety and enabled Colonial to quickly get the system up and running.
Contingency planning can mitigate losses of different sorts, whether it be financial or physical; the correct measures can even save lives. This is why a key element of any cybersecurity scheme should be a comprehensive incident response plan.
Finding the right formula for an industrial cyber incident response
In order to be prepared for any industrial cyber incidents, the National Institute of Standards and Technology (NIST) recommends a 4-step plan tailored to ICS cybersecurity:
1. Preparation
This includes compiling a list or database of all system components and assets, as well as knowing who is responsible for each of them. Industrial systems are usually a hybrid of many parts and can involve several different professional disciplines, so forming a committee with representatives from each field will ensure the best level of preparation.
The committee will investigate which types of incidents to prepare for and the best way to respond in each scenario. The level of detail will depend on the industry, and could include emergency response steps, provision of PPE (personal protective equipment) if needed, contact details for response teams and possibly the ability to isolate or even shut down the OT system.
2. Detection and Analysis
When a breach or industrial cyber incident has been detected, the most essential tool for the response team will be information. Forensic analysis of that information enables them to understand both how to close the breach and undo any harm, and also how to prevent similar attacks from occurring.
3. Containment, Eradication, and Recovery
At this point, it is up to the security team to close any breach and remove the threat from the system. In serious cases this can take months, either because it took too long to identify the attack, giving the malicious code time to spread from asset to asset, or because the tools available are insufficient to stop the spread.
4. Post-incident Activity
Learning from any industrial cyber incident is the best possible outcome, as the lessons learned can become part of your future toolbox for threat detection and incident prevention.
Step 4 cycles back to step 1 as it becomes part of the planning process for future incidents. Regularly regrouping and fine-tuning will ensure that even if you can never guarantee that there will not be an industrial automation cybersecurity incident or breach, you are at least as prepared as you can possibly be.
As an ICS specialist, Radiflow is best placed to assist you with planning your industrial cybersecurity solutions, including an incident response plan. With an in-depth understanding of specific OT security needs, Radiflow's solutions ensure you are aware of any network vulnerabilities and can suggest the best measures to increase security whilst maximizing ROI.
Radiflow’s CIARA employs a proprietary algorithm to perform breach and attack simulations (BAS), based on each device’s properties and vulnerabilities, helping you to plan and prepare for any security incident.
Contact our team for more information on how our risk assessment solutions can help you to protect your OT system, and to help prepare for security events.