Blog Post

Handling Incidents in ICS – Getting to the Root of the Problem

For most organizations, having an incident response plan is a regulatory or even legal requirement these days. Unfortunately, merely having an incident response plan that satisfies regulatory requirements does not enable an organization to fare any better when an incident occurs. In our whitepaper, “Preparing for Incident Response and Handling”, my colleague, Mark Stacey, and I describe all the facets of a mature IR plan in an ICS environment. We invite you to download the whitepaper, but the key points are summarized below.

When it comes to incident response, planning is key. But planning is not just about writing up an incident response plan. It is about enabling various teams within the organization to collaborate effectively during what is usually a very high-stress situation. Thus, it is important to enable the designated incident responders, as well as the teams that support them and execute parts of the overall incident response plan, and it is equally important to exercise the plan regularly and adapt it to new threats and changes in the environment.

As the Cyber Planning for Response and Recovery Study (CYPRES), jointly conducted by NERC and FERC, shows, effective communication is also critical. This covers not only communications internal to the organization, but also communications with any external teams supporting the immediate response efforts, such as dedicated incident response teams on retainer. A serious security incident in an ICS environment will have physical impact, causing disruption of plant processes or even physical damage to expensive and difficult-to-replace equipment, resulting in significant financial losses and business interruption. For some plants, environmental hazards and danger to personnel and the community also have to be considered. Ultimately, this requires even more preparation than organizations need for incidents that occur in their enterprise IT environments. Preparing for ICS incident response means working with first responders inside the organization and in the surrounding community, and with regulators, authorities, and industry peers.

During an incident, it is easy to overlook dedicating some resources to Root Cause Analysis, i.e., finding out how the adversary was able to compromise the environment and achieve their objective. Without identifying the root cause, an organization is prone to falling victim again to a very similar attack in the future.

If the appropriate steps are taken to prepare an organization for ICS Incident Response, ICS security incidents can be dealt with effectively and in a timely manner, minimizing their impact. Dragos not only provides incident response services, but also offers proactive services that aim to bolster preparedness and ICS security posture. Please reach out to us if you would like to discuss which ones may be beneficial for your organization.
