How SMBs Can Use the Collection Management Framework (CMF) to Prepare for a Cyber Incident

Most small and some medium-sized businesses (SMBs) with industrial environments do not have the internal technical resources to address corporate cybersecurity, especially when it comes to securing their industrial controls systems (ICS) and operational technology (OT) networks. In this blog, we provide some helpful tips that these organizations can apply to help them prepare for a cyber incident. Specifically, we focus on a Collection Management Framework (CMF) to help them gather the right information ahead of time.

What Is a Collection Management Framework (CMF)?

Whether it’s ransomware or another type of cyber incident, outside incident responders are often engaged to assist the victim organization to assess the impact, contain the incident, irradicate the intrusion, and sometimes guide recovery efforts. The speed, effectiveness, and efficiency of the response will be significantly improved when the victim organization has gathered some important information about their system in advance, such as information about what potential sources of forensic information is available, how long is that data retained, how it can be accessed, etc.

A Collection Management Framework, or CMF, is a practice of documenting all the potential sources of data that could be used by incident responders and investigators. The information is assembled into a living document, a spreadsheet really, and includes all the digital assets (such as computers, data loggers, network equipment, PLCs) that contain logging or other forensic information that could inform an analyst during an investigation.

How SMBs Can Build a CMF Without OT Expertise

Gathering information about what information is being logged in the various devices across an ICS/OT system can get technical pretty quickly; therefore, organizations that do not have the staff with the technical expertise in-house can benefit from utilizing their trusted partners and other maintenance projects creatively to gather this information. A relatively low level of effort and associated cost will occur when you add a line item in a contract or scope of work for consulting engineers or systems integrator to document this information as part of their typical system commissioning or maintenance work.

Where to Begin & Managing Your CMF Longer Term

Build An Asset Inventory

An early step in addressing cybersecurity preparation is building an asset inventory, which is a listing of all the components that enable the control system to work. OT-CERT provides you with an Asset Management Toolkit that includes the OT Asset Inventory Guide and OT Asset Inventory Tool. The asset inventory is the starting point for gathering the additional information pertinent to a CMF.

Engage Resources: In-House IT resources, Consulting Engineers, and Systems Integrators

Does your organization have any IT resources that could be brought in to capture information that is within their knowledge area? For example, they may be proficient in supporting Microsoft Windows systems, which are often running within ICS/OT systems. Can they help to understand what logs are being collected by the Windows operating system, how much space is allocated, and how long they are being retained? Alternatively, maybe you have access to a network whiz who can look at your network switches and routers to see what logging is enabled there?

Are there any upcoming construction or maintenance contracts where a requirement can be included for the contractor/consultant to build a spreadsheet of any relevant log information available on the devices being provided? Some control system equipment such as PLCs, data radios, and other devices have the capability to log events, authentication, etc. As systems are being commissioned or maintained, it is not a heavy lift for the integrators or contractors to capture this information.

Make the CMF a Living Document

As incidents or event exercises occur, review them against the CMF. Investigations into incidents as well as assessments and drills reveal visibility gaps and allow you to improve your cybersecurity readiness. For example, an assessment or drill may identify a need to enable a network device to log when its configuration has changed or the SCADA system to detect when the logic on the PLC has been modified.

Seek Out Other Available Resources

There are lots of available resources already developed that can guide technical staff in what to log and how to log it. Even if your systems integrator, for example, isn’t aware of what Windows events should be logged, once directed to the available resources, they likely already have the technical knowledge they need to follow the guidelines.

This month’s OT-CERT resources for SMBs offers several additional resources in addition to a CMF template that offer guidance through this process: a short video introducing CMF, followed by a longer video for practitioners on Building a CMF. If you’re an OT asset owner or operator in a SMB environment and not yet a member of OT-CERT, sign up today. Each month we release new, free cybersecurity resources to the ICS/OT community.

Two additional great resources for technical staff to review are:

• NSA Cybersecurity Advisories and Guidance, which is a repository of information that the National Security Agency has made public to support these efforts.
• The CIS Benchmarks is free repository of configuration guidelines for enhancing cybersecurity.

Don’t Procrastinate – Get Started Today!

More and more small and medium sized businesses are being hit with cyber attacks – if you don’t believe us read about it in a previous blog. Proactive steps like creating an asset inventory, CMF, and conducting tabletop exercises can make the difference between a major impact and one that is barely noticeable to your customers.

OT-CERT has been providing all the resources you need to take those proactive steps – a little at a time with little to no investment required. Don’t delay – get started ASAP!