Incident Response for Critical Industrial Organizations

An incident response plan that doesn’t affect network and system availability.

June 19, 2023


In the last few years, cyberattacks on industrial organizations have become mainstream. In this article, Ryan McConechy, CTO of Barrier Networks, discusses how to build an effective industrial cyber incident response plan, with a key focus on keeping employees, civilians and the environment safe while also maintaining network and system availability.

The attacks on the Oldsmar water treatment plant, JBS Foods and Colonial Pipeline, which disrupted operations and (in the latter two cases) cost the victims dearly, each demonstrated to the world the credible threat cybercriminals pose to industrial organizations and the consequences that follow when an attack succeeds.

As a result, many industrial organizations are actively working to strengthen the security of their networks and build out incident response plans to help them prepare for attacks and navigate them safely.

But what does this planning look like, and what are the key areas industrial organizations must focus on to improve their response to future cyberattacks?

Understanding the Unique Nature of Industrial Plants

Industrial organizations are the pillars of a smooth-running society. They manufacture food, operate oil and gas supplies, or they run wind farms or nuclear plants to generate energy. Because of the critical processes they facilitate, cyberattacks on their systems can have devastating consequences on societies.

When it comes to building out incident response plans, industrial organizations, therefore, must prepare for attacks that disrupt their systems and work to minimize losses, with a focus on three key issues: employee and civilian safety, environmental consequences, and the availability of their services.  

Employee and Civilian Safety

Much of the machinery in industrial plants is now operated through automation, so if security is not embedded properly, attackers can reach critical operational technology (OT) systems remotely, using the IT network as a conduit. They could then switch off or tamper with processes, such as reactor controls or the dosing of chlorine in drinking water, directly endangering employees and civilians.

A safety-related incident occurred in June 2022 when the hacking group Predatory Sparrow attacked Iran's Khuzestan Steel Company; footage released by the attackers showed a fire breaking out on the plant floor, endangering lives. This is a situation all industrial organizations want to avoid.

Furthermore, given that many of the functions industrial organizations operate affect the public, they must also ensure no cyberattack can compromise the safety of civilians. Florida residents narrowly avoided such a situation in 2021, when an unauthorised remote-access session at the Oldsmar water treatment plant raised the sodium hydroxide setpoint to a dangerous level. An operator saw the change on screen and reverted it before any treated water left the plant, but the incident highlighted how quickly a process change can become a public-safety event.

The Environment 

Because of the harsh chemicals and hazardous gasses within industrial plants, attacks on their systems could impact the environment. 

If attackers alter process setpoints, cause physical damage to plant, or start a fire at a remote wind farm by driving turbine rotors beyond their rated speed, the resulting harm to the environment could be serious and long-lasting.

This is another situation organizations must strive to avoid.

The Availability of Services

When cyberattacks target enterprise IT networks, they can cause digital outages. But within industrial environments, outages can directly impact societies in the way of food, oil, gas, electricity or water shortages. 

When industrial organizations modernize their plants through automation, they must ensure that no technical or digital outages would interrupt physical processes because the unavailability of their services could have devastating impacts on civilians. 

If food or gas supplies were suddenly halted, it wouldn’t be long before chaos erupted within societies.


Industrial Incident Response Plans

When building out plans, industrial organizations need to assess their environments and identify the different safety, environmental and availability issues that can occur in their networks and then work to minimize disruptions. 

Working to minimize disruptions should be a mix of digital and physical measures, such as cybersecurity solutions to prevent cyber criminals from reaching industrial networks, but also maintaining and auditing physical controls which allow organizations to manage and limit damage, even when attackers do get in. Segmentation of systems is key to a defense-in-depth solution that now incorporates the OT network.

For instance, what measures can be put in place to protect the safety of employees or prevent an environmental spill if a system is compromised? These can be technical measures such as defensive tooling and network segmentation, but they must also include keeping safety instrumented and emergency shutdown systems on their own isolated segment, separate from both the IT network and the basic process control network, so that a compromise elsewhere cannot be used to reach or disable them.

Teams also need to assess the risks that could affect the availability of their services. Are there technical measures in place to prevent attackers from compromising systems? These measures should focus on layering every connected OT asset with cybersecurity defenses and keeping them up to date with vulnerability patches. Where a patch cannot be applied without an outage window, which is common on OT equipment, the gap should be closed in the meantime with compensating controls such as tighter segmentation and monitoring of the affected asset.

It is also essential to map the different routes attackers could take to reach OT and work to close those pathways. Ideally, IT and OT networks should be segmented into zones following the Purdue reference model, with traffic between zones forced through defined conduits, so that, for example, nothing on the internet edge or the enterprise network can open a connection directly to a controller; every hop must pass through the adjacent level, typically via an IT/OT DMZ. The aim is to make lateral movement from IT into OT visible and blockable rather than a single step.
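One way to turn the two points above (isolated safety systems, and no level-skipping traffic between Purdue zones) into a check you can run is to encode the zone plan and audit firewall logs against it. The following is an added example written for this article, not code from the author or from Barrier Networks; the subnets, zone names and log lines are constructed for illustration, and the "adjacent levels only" rule is one reasonable reading of the Purdue model, not a standard.

```python
"""Audit allowed firewall flows against a Purdue-style zoning policy.

Hypothetical example: the address plan below is an assumption for this
demonstration and does not describe any real plant.
"""
import ipaddress
import re
from dataclasses import dataclass

# Purdue reference levels, ordered so that "adjacent" means one step in this
# list. 3.5 is the IT/OT DMZ; the internet is treated as one step above L4.
LEVEL_ORDER = [0, 1, 2, 3, 3.5, 4, 5]


@dataclass(frozen=True)
class Zone:
    name: str
    level: float
    safety: bool = False  # True for the safety instrumented system (SIS) zone


# Constructed address plan (assumption for this example).
ZONE_TABLE = [
    (ipaddress.ip_network("10.0.0.0/24"), Zone("plc-controllers", 1)),
    (ipaddress.ip_network("10.0.9.0/24"), Zone("sis", 1, safety=True)),
    (ipaddress.ip_network("10.0.2.0/24"), Zone("hmi-scada", 2)),
    (ipaddress.ip_network("10.0.3.0/24"), Zone("site-ops", 3)),
    (ipaddress.ip_network("10.0.35.0/24"), Zone("it-ot-dmz", 3.5)),
    (ipaddress.ip_network("10.4.0.0/16"), Zone("enterprise", 4)),
]
INTERNET = Zone("internet", 5)


def zone_of(ip: str) -> Zone:
    """Map an address to its zone; anything outside the plan is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for net, zone in ZONE_TABLE:
        if addr in net:
            return zone
    return INTERNET


def check_flow(src: str, dst: str) -> tuple:
    """Return (allowed, reason) for a connection initiated from src to dst."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return True, "intra-zone"
    # Nothing outside the SIS zone may initiate a connection into it.
    if d.safety:
        return False, f"{s.name} must not reach safety zone {d.name}"
    si, di = LEVEL_ORDER.index(s.level), LEVEL_ORDER.index(d.level)
    if abs(si - di) > 1:
        return False, f"{s.name} (L{s.level}) -> {d.name} (L{d.level}) skips levels"
    return True, "adjacent levels"


# Log format is assumed: one flow per line with src/dst/dport/action fields.
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)")


def audit(log_lines):
    """Return (line, reason) for every ALLOWed flow that breaks the policy."""
    violations = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst, _dport, action = m.groups()
        if action != "ALLOW":
            continue  # denied flows are the firewall doing its job
        ok, reason = check_flow(src, dst)
        if not ok:
            violations.append((line.strip(), reason))
    return violations


# Constructed sample log (not real traffic).
SAMPLE_LOG = """
src=10.4.12.5 dst=10.0.35.10 dport=443 action=ALLOW
src=10.0.35.10 dst=10.0.3.20 dport=1433 action=ALLOW
src=10.0.2.7 dst=10.0.0.15 dport=502 action=ALLOW
src=10.4.12.5 dst=10.0.0.15 dport=502 action=ALLOW
src=203.0.113.9 dst=10.0.2.7 dport=3389 action=ALLOW
src=10.0.3.20 dst=10.0.9.4 dport=502 action=ALLOW
src=203.0.113.9 dst=10.0.0.15 dport=502 action=DENY
""".strip().splitlines()

if __name__ == "__main__":
    for line, reason in audit(SAMPLE_LOG):
        print(f"VIOLATION: {line}  <- {reason}")
```

Run against the sample, the audit flags three flows: an enterprise host speaking Modbus (502) straight to a controller, an internet address reaching an HMI over RDP, and a site-operations host connecting into the safety zone. The first two are the level-skipping paths the text describes; the third is the SIS isolation rule. In practice the same check can be run over exported firewall rules rather than logs, which finds the bad path before anyone uses it.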

Once organizations have carried out these assessments and closed gaps to minimize losses, it is essential to rehearse their response to different incidents. These ‘fire drill’ learning and training exercises provide an opportunity for the organization to test their awareness and readiness against different attack types, for instance, ransomware, so they can understand precisely what they stand to lose, and they can then work to minimize those losses. 

Enabling Quick Action

In this planning, everyone should have pre-allocated roles and responsibilities so they can step into action straight away. This information, along with incident response team contact details, must also go into a printed copy of the incident response plan, so that when a real incident occurs everyone can be contacted immediately and every team member knows their role. Team members must familiarise themselves with the plan and know where to find the printed copy, because the IT systems that normally hold it may be the very ones that are compromised.

Incident response planning is essential for all industrial organizations today, and the key focuses must be prioritizing employee and civilian safety, minimizing environmental damage and maintaining availability. 

Once industrial organizations have identified how threats can impact these three critical areas, they must work to identify weaknesses within their infrastructure and then address them to minimize damages. 

By carrying out this planning, industrial organizations will be prepared for attacks and know how to respond to them, so they can minimize disruptions while keeping employees, civilians, and the environment safe. 


Ryan McConechy
Ryan is the CTO of Glasgow-based security service provider, Barrier Networks. Ryan has an extensive background in network security, previously working as a Consulting Engineer at Ping Network Solutions and as a Network Specialist at Provista UK.