How Incident Response (IR) Tabletop Exercises Strengthen OT Security Posture
Gamification is an amazing teaching and learning tool. To make learning a game engages audiences and reaches different learning and personality types. As members of Dragos Professional Services, we have the unique privilege to conduct gamified cybersecurity incident response tabletop exercises (TTXs) for a variety of industrial customers and partners on a routine basis.
In this blog, we cover 6 recommendations common to the exercises we have performed across the industrial spectrum. Consider implementing these recommendations to grow your team’s ability to succeed at TTXs, and at real-life cybersecurity incident response.
What Is a Tabletop Exercise (TTX)?
During TTXs, we develop and present a plausible industrial intrusion scenario to members of the customer incident response workforce, their leadership, and supporting teams. We then guide them through timed “injects” – events that occur during the course of the mock intrusion. Each inject presents realistic changes to conditions, awareness, and risk. They may include everything from personnel being pulled out of play, to adversaries tampering with systems.
TTXs are entirely simulated and pose zero risk to real industrial systems or processes. The participants follow their existing incident response plans (IRPs) and brainstorm responses, and the Dragos facilitators provide feedback on the results of their actions, the outcome of the analysis, and act as third parties who are contacted during response. At the conclusion of the exercises, Dragos provides constructive written feedback and suggestions of how to improve response capabilities.
Aside from having a lot of fun, participants consistently learn and grow as a team while performing TTXs. Testing out incident response methodology, training, and plans in a totally safe, imaginary scenario highlights team strengths, as well as challenges to overcome.
6 Tips to Prepare You for Cyber Incident Response
Over the course of performing many TTXs in the industrial space, we have seen commonalities between many teams’ challenges across a variety of verticals and organization sizes, and therefore recommend some practical areas of growth that may benefit many organizations performing cybersecurity in OT. We highly encourage all our readers to conduct a TTX and test their OT incident response capabilities. These tips can help you and your team prepare for success.
1. Document network separation processes.
There are a variety of scenarios during a cybersecurity event which may necessitate disconnecting segments of the industrial network from the enterprise network or from one another. However, disconnection can have unforeseen consequences on response capability, such as voice communication or evidence and document transmission, or on process operation. It can also be difficult to do without a firm knowledge of architecture and configuration. It is important to make and test plans for any disconnection which might be required during an incident, and fully understand the side effects of such disconnections. Include process engineers and network engineers in any discussion.
2. Plan for long-term operations.
Incident Response can be a high-pressure situation, occurring over multiple days or weeks. You should ensure a plan exists to hand off incident response command responsibilities and analysis roles at shift changes, and if personnel are sick or on vacation. For this reason, it is wise to name positions, rather than individuals, in IRP documentation. Regularly practice handoff procedures and ensure that knowledge transfer is effective. Try to avoid any human “single points of failure.” When we find a single critical individual exists in a team, we often pull them out of play as a TTX inject, to see how the team can cope without them.
3. Have a tested plan for notetaking and intra-team communication.
It’s important to maintain excellent notes and a consistent timeline during any incident investigation. This is not something that is easy to do on the fly without a plan. Additionally, the first tools one considers using during an incident may be the most likely to be removed as accessible – in the case of an IT incident, ticketing systems or cloud document solutions may be compromised. Alternatively, network segmentation or disconnection can cause loss of access to them. Note in your IRP who will maintain notes and the timeline, where it will be securely maintained, and how it will be accessed in special circumstances. Ensure that this process includes guidance for remote and on-site response, if applicable.
4. Establish OT cybersecurity incident thresholds.
IT and OT incident response are not interchangeable – particularly their risk elements. In industrial incident response, there can be physical, process, and life-threatening consequences to an intrusion. Therefore, thresholds for declaring a cybersecurity incident at varying severities should be discrete and carefully defined to consider consequences of concern, and scenarios that could impact the integrity of the process. These should be clearly defined in the IRP or its appendices. Many key operational and safety thresholds may already have been identified by your process engineers. Learn from existing emergency response plans when possible!
5. Know who your specialists are.
Your organization may perform OT incident response internally, retain an incident response provider, or some combination thereof. No matter your model, you should know who will perform granular technical tasks specifically for OT, such as collecting digital forensic evidence, analyzing that evidence, reverse-engineering malware, or validating the integrity of low-level industrial devices. These tasks may be performed by a combination of internal personnel, industrial vendors, partners, parent organizations, and external consultants. Whatever your team’s situation is, ensure that these roles and their contact information are in your IRP, and any SLAs, technical requirements, or retainer contractual details are worked out in advance. If possible, involve all possible parties in the exercise!
6. Establish healthy communication between IT and OT.
One of the greatest challenges many organizations face is a lack of comfort and open communication between the IT cybersecurity team and the OT engineers and operators. During a cybersecurity incident, collaboration between these groups is paramount. Your team’s OT-focused IRP documents should not only contain contact information and roles within the OT team but should also be collaborated with OT subject matter experts to ensure tie-ins to Business Continuity Plans and OT risk decision-making procedures. It’s a great idea to involve your OT team in the planning and execution of TTXs.
Tabletop Exercises teach us a lot about our incident response capability, organization, and ourselves. We highly encourage you to consider executing them routinely in your OT environment and use the outcomes as a tool to track growth and success.
Read next blog post
Ready to put your insights into action?
Take the next steps and contact our team today.