Skip to content ↓ | Skip to navigation ↓

In recent years, cyber espionage has been growing in magnitude and complexity. One of the most common targets is Industrial Control Systems (ICS) within critical infrastructure sectors.

With many organizations relying more heavily on ICS networks, there has been an increase in threats and cyberattacks aimed at these systems. Not only do these attacks have an economic impact, but they also put national security at risk. To make matters worse, there are no network security guidelines or best practices for ICS systems.

This calls for a solution that will ensure companies take proper steps in case of an emergency. How important is the need for Incident Response (IR), especially in ICS security?

What are Industrial Control Systems (ICS)?

Industrial control systems are computer-based systems that monitor and regulate the operation of manufacturing and processing plants. They are often used in large businesses, such as power plants, oil refineries, chemical plants, and other manufacturing facilities. To clarify, not all industrial systems are part of a large governmental enterprise.  Something as unassuming as a sugar refinery will use ICS to regulate its operations.  Although still part of critical infrastructure, a sugary refinery, like many other manufacturing entities are often overlooked as hosts to ICS. Since these control systems are important to the functionality of a plant, as well as the output of that plant, it is imperative to ensure that they are secure.

How does Incident Response Impact ICS Security?

Incident response is the process of addressing and assessing an event or potential event in order to limit its scope, contain its damage, identify affected systems, and learn how the matter occurred. The ability to react quickly and efficiently in the event of a cyber attack is paramount for any organization.

Incident response is quite different from general IT security in that it plays a more hands-on role, such as evaluating the scene after an attack or containing the damage. Since ICS networks are vulnerable to cyberattacks, the IR process is essential for these systems.

The U.S. Department of Homeland Security (DHS) has classified ICS as a subcategory of critical infrastructure, which means that they are subject to the same protections as other critical infrastructure sectors including the power grid and water supply.

ICS security has been a challenge for many organizations due to their critical position in the organization’s security strategy. By implementing a comprehensive IR plan that incorporates a company’s overall risk management program, organizations can protect their ICS networks from potential cybersecurity risks.

Why is Incident Response Necessary for ICS Security?

Since the goal of incident response is to promptly identify, halt, and limit attacks and potential damage, this is quite beneficial and necessary for ICS networks. This is why the National Institute of Standards and Technology (NIST) has already developed an incident response process in order to help protect companies in a variety of technology fields.

This guide covers a variety of incident response team models, how to choose the optimal model, and how to run the team effectively. It is actually a cyclical activity that involves four main stages: Preparation, Detection/Analysis, Containment/Eradication, and Recovery.

  • Preparation:

This involves monitoring, compiling, and determining the relevance of IT assets such as network and servers so as to identify the critical/sensitive assets and prepare for incidents.

  • Detection/Analysis:

Detection includes gathering data from IT systems, security tools, publicly available information, and people. This also involves predicting whether an incident will occur in the future or whether it has already occurred.

In Analysis, the baselines of the impacted systems are identified and linked to relevant events to determine if they vary from normal behavior.

  • Eradication/Containment:

This aims to halt and contain attacks before they cause significant harm.

  • Recovery:

Following the incident, it’s essential to learn and ask important questions. Questions like:

    • What actually happened and when did it happen?
    • How was the situation handled?
    • Were the procedures followed?
    • Were there any grave mistakes?
    • What could have been done differently?
    • What tools do we need to mitigate similar incidents?
    • How will this be avoided in the future?

According to the NIST methodology, this plan is simply more than a list of actions, it’s actually a road map for the company’s incident response program, with short-and long-term objectives, success indicators, training, and job criteria for incident response roles.

A past survey noted that 1 in 10 UK companies lack an incident response plan. The IR plan should include out an outline of the goals and objectives, define and group ICS events, create critical roles, responsibilities, and procedures and determine the appropriate response actions to safely eliminate and contain the threat.

What Needs To Be Done To Develop A Healthy Incident Response Program?

There are a wide range of healthy practices when it comes to successfully implementing an incident response program:

1. Develop and Maintain an IR plan.

An IR plan can help organizations respond to incidents by providing a set of guidelines for how to react based on type and severity. Incident response plans are meant to be used as a guide and should be tailored to an organization’s needs, threats, vulnerabilities, and resources.  This includes identifying the scope of the problem, such as identifying the affected area, reviewing the log files for suspicious activity, and determining if there’s an active attack or not.

2. Create and Train an Incident Response Team (IRT).

Incident response teams are responsible for analyzing the situation, mitigating any risks, and ensuring that the system continues to function as it should. Team members should be trained about their role on the IRT.

3. Be Clear about Expectations

Assign roles and responsibilities to team members, including secondary points of contact, and various levels of escalation within the organization’s hierarchy.

Also ensure that any other individuals outside the IRT who might be expected to be involved are trained on their specific duties and have clear instructions about what they need to do in case of an incident.

Industrial control systems are everywhere, from the largest water dams, treatment plants, and electrical grids, all the way to the humble bicycle manufacturing facility.  As these systems become more connected to the internet to expand a plant’s capabilities, it becomes more important than ever to develop and maintain an incident response plan to control the risk to these systems.

About the Author: John Iwuozor is a content writer with expertise in the cybersecurity niche. He loves breaking down complex technical works into easy-to-understand articles.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.