Proactive Approach to Incident Response. Part 1 – Introduction
OT infrastructure attacks
Cyber-attacks on Operational Technology infrastructure are becoming more frequent and more sophisticated in recent years. Just to refresh our memory here is a very short list of the most well publicised attacks of the recent past:
- Colonial Pipeline, USA – May 2021
- Natanz Nuclear Complex, Iran – April 2021
- Power Grid, Ukraine – December 2016
- Power Grid, Ukraine – December 2015
- Steel Mill, Germany – December 2014
These attacks are proof that the smallest vulnerability in your IT and OT infrastructure can be abused by adversaries to infiltrate the system and cause harm.
Reactive approach to Incident Response (IR)
Unfortunately, many companies think it won’t happen to them and if it does, they will act then, often with dramatic consequence. This reactive approach to cybersecurity focuses on rectifying immediate incidents and preventing repeat attacks or technology disruption from occurring in the future. The tools used in this approach are usually focused on patch management, log monitoring or SIEM. Further consequences of this approach are the hard to predict results of attacks. Experience shows the longer OT systems are offline the more it effects the company’s net income. In many plants compromised computerised automation system can pose an immediate threat to human health and safety. And in some cases, can have disastrous consequence bringing harm to people inside and outside the plant.
Proactive approach to Incident Response (IR)
Proactive approach to OT cyber security is the opposite.
In this approach organisations:
- identify and prevent incidents from ever becoming a threat
They do it through a proactive Incident Response (IR) which quickly identifies hidden threats and possible potential threats.
IR helps to:
- recognise security weaknesses
- add processes to identify threats quicker
- point out hidden threats already present in the system
- boost cyber confidence
- allow responder to quicker identify, isolate, contain and remove future threats
IR may also identify important improvements and configurations changes leading to enhancement of the organisation’s security stance.
Incident Response and the regulatory aspect
But there is more to IR than the subtle and technical aspects of it which primarily feed into the IR’s constant improvement process increasing the cyber resilience of the company. Currently, organisations are subject to various state-imposed data breach notification laws. These legal requirements force companies to have in place IR systems that satisfy these external requirements too. According to Brian Seaberg from Radar First there are five phases to a successful Incident Response cycle.
- The first step is the ability to identify and investigate cyber incidents. For this to occur a clear procedure for staff to be able to identify and report particulars of an incident must be in place. Once incidents are reported and if need escalated to relevant privacy and security teams, they can be investigated in gathering the complete information about the origins of the issue and mitigating factors can be identified.
- This is followed by assessing the severity of the incident and mitigation which can be introduced to minimise it.
- Depending on the results of the assessment and the company’s internal privacy policies the organisation makes the decision to notify, or not, the relevant authorities. These decisions as well as the reasons behind them must be documented and applied consistently. This is particularly important, as it shows the level of the organisation’s maturity and is an important factor when the report is being reviewed by the regulators.
- If the decision to notify the regulator is taken the organisation must ensure the right information and language are used consistently in the notification communications. These communications must fulfil all agency, jurisdictional, and contractual obligations.
- The last phase in the process is data analysis of all reported and recorded incidents to assess the efficiency of their privacy policies. If data indicates that a particular department is more prone to incidents extra training resources can be allocated to improve the situation.
In articles to follow we will discuss what necessary steps a company must take to enable the proactive IT/OT cybersecurity.
Do you require help with preparing your IR plan?
If you have questions regarding a Proactive Incident Approach for IT and OT solutions, please contact SEQRED, we will be happy to help.
SEQRED specialises in providing tailored cybersecurity solutions for companies big and small.
Our services cover such areas as Critical Infrastructure Protection, Cloud Services Security or Audits, and Threat Intelligence. For a full list of our services visit our services page – https://seqred.pl/en/services/