ICS Cyber Incident Response

Sulaiman Alhasawi
Dec 5, 2021 · 3 min read

Incident response (IR) is very important for every ICS company. Being able to respond to and recover from cyber attacks and unexpected incidents is vital for businesses. Many organizations don’t have the resources or the skills to do IR. This is a summary of an incident response guide published by CISA. The guide should help ICS organizations start in the right direction.

Stage 1 — Planning [Proactive]:

  • Team organisation
  • Policies and procedures
  • Build a plan
  • Execute a plan
  • Report: system state and status

Distribution of team roles and responsibilities is vital in IR and cybersecurity. Each role’s responsibilities towards incident response, and the organization’s cyber security vision, should be reflected in its policies and procedures. Execution and evaluation of the IR plan should follow, using a simulation to make sure the plan works and to correct unexpected behavior. Enabling system state and status reporting is crucial: in the case of an incident, logs and information are what you will rely on. There are many approaches to get this information: intrusion detection and prevention technologies, and configuration, network and device logging solutions can all provide value. Make sure that these methods are compatible with legacy ICS systems and that they don’t cause any problems.

Stage 2 — Incident prevention [Proactive]:

  • Tools and guidelines
  • Patch management
  • Vendor interaction

Organizations can prevent incidents from happening by following and implementing existing ICS security guides, and there are plenty of them. Patching is also important because it can prevent an incident from happening and from recurring. Vendors should be responsible for providing technical support and fixing bugs for their customers. The relationship between organizations and their ICS vendors should be unified.

Stage 3 — Incident management [Reactive]:

  • Incident detection
  • Containment
  • Remediation
  • Recovery and restoration

Reporting incidents and cooperating with other ICS organizations can improve threat detection. Detection can also be achieved by observation and by checking existing guides on how to recognize symptoms. Detection automation tools (e.g. IDS) can enhance both detection and prevention. Other IR tools, such as traffic and network analysis, can also be useful.

The primary goal of containment in ICS is to stop the spread of malware and to prevent further damage. Containment can also be achieved by controlling or stopping unauthorized access to an infected system. Malware containment can be done in three ways: using automated tools, halting services (undesirable) during an incident, and filtering and blocking certain network connections. Some of these methods don’t work with ICS systems, so caution must be taken when choosing the desired action; consult with ICS engineers.

Removal of malware in an ICS environment can be achieved by using automated eradication tools (antivirus), detection software, patch tools, or by restoring a system to a previous infection-free state. Make sure the tools work for ICS systems. Caution is also important at this stage, because eradication could lead to modification or loss of ICS system files.

The goal of recovery is to restore the system to its previous state, but the restored system has to be better and more secure, especially against the weaknesses that were exploited.

Stage 4 — Post-incident analysis and forensics [Proactive]:

  • Lessons learned
  • Recurrence and prevention
  • Forensics and legal issues

Every organization should conduct an in-depth analysis of the causes of incidents and their impact on its systems. This exercise should provide lessons that help the organization improve its cyber security and avoid repeating the same mistakes. Sharing these lessons with the ICS community should also be encouraged.

To conclude: this summary is by no means technical. It’s a high-level approach to get the mentality right. You should fill in the gaps and follow up with the guides and best practices below. Enjoy the process.

Guides, resources and references:

  1. https://us-cert.cisa.gov/ics/Abstract-ICS-Cyber-Incident-Response-Plan-RP

https://zerontek.com/zt/2021/12/05/ics-cyber-incident-response/
