Cybersecurity professionals who perform Incident Response and Digital Forensics in industrial environments are typically aware that they will need slightly different equipment to succeed in these environments than in enterprise environments. Figuring out exactly what that means can be tricky, and customers often ask Dragos for comprehensive lists of equipment to have on hand for industrial cyber incident response. While there is no single list of incident response tools for every environment, we can set you on the right track given our experience.
The primary objective in building an Incident Response toolkit is to have the hardware, tools, personal protective equipment (PPE), and software needed to perform the entire lifecycle of in-house incident response activities, as directed by the Corporate Incident Response Plan. This can run the gamut from basic triage all the way to advanced forensics. Performing these tasks requires dedicated equipment that is not typical of everyday operations. Because incident response situations are high pressure and can have substantial operational impact, it is important to be prepared with the right tools in advance.
Types of Incident Response Toolkits
We can generally divide incident response kits into three categories:
- Fly-Away Kits: Incident responders centrally maintain fly-away kits in one physical office location and check them out for engagements. These are great for an incident response team that is mostly located at one site and dispatches from there to remote facilities. The downside of fly-away kits is that incident responders must stop by the office to pick them up, or have them shipped to their destination on short notice at substantial expense.
- Go-Bags: These are individual kits that are maintained by each incident responder. These are great for geographically distributed or remote incident response teams. The downside of these kits is that they can become costly to supply and maintain, as every single incident responder has their own toolkit.
- On-Site Kits: In some instances, organizations prefer to keep the required tools at the locations where incident response may be performed, for easy access by both local personnel and dispatched incident responders. These are a great choice when sites require unique tools and equipment, or when incident responders are highly distributed. The downside is that they must be carefully secured and routinely inventoried: they contain useful computer tools, and items are often borrowed by site staff without the incident response team being notified.
An organization doesn’t need to select only one of these options. They may choose to issue some PPE and lower-cost standard tools to every incident responder for their go-bag, while maintaining a centralized fly-away kit with more costly equipment and keeping site-specific tools on location. Ultimately, how to distribute incident response gear is a risk management and financial decision which must be made for every unique environment.
Cyber Incident Response Toolkits in Industrial Spaces
Many organizations already have cyber incident response kits for their enterprise operations and expect to use them during industrial cybersecurity incidents. However, there are several impactful considerations unique to these environments that must be accounted for:
- The prevalence of legacy equipment
- The prevalence of embedded, custom, and ruggedized equipment
- Safety considerations
- The potential need to access lower-level digital (non-PC) devices effectively for analysis
Know Environmental Safety Protocols
All of these differences must be taken into account when preparing the tools and equipment that incident responders will take to industrial sites. The foremost consideration is always safety. Incident responders need appropriate and serviceable personal protective equipment (PPE) for the environment they will be entering. This may mean composite toe shoes, fire-resistant clothing, hard hats, hearing protection, eye protection, or respirators. Some of these items can be overnighted for a fee or purchased locally in areas with heavy industry, but others are special orders that will not arrive in time for an emergency incident response effort. Responders should also know how to safely don and doff their equipment.
In addition to PPE, most industrial facilities have unique safety requirements, including site-specific training and emergency procedures. If responders do not receive this information in advance, they will have to spend costly time completing it before they can begin their work. Inadequately trained personnel can also pose a risk to health and safety.
Be Ready to Connect to Legacy Equipment
Industrial equipment is often substantially older than enterprise hardware and software. There are also typically strict restrictions on installing software or hardware on vendor-supported systems that perform critical functions. This means that modern security, forensic, and collection hardware and software will frequently not work on impacted systems. Responders should be prepared with cables, adapters, storage media, and tools appropriate to the era of systems they may encounter in the facility. When in doubt, plan to collect from and analyze systems up to 20 years old with very limited hardware resources.
Understand Access for Ruggedized, Lower-Level Equipment
There is also the problem of systems that are ruggedized or lower-level and therefore lack standard, accessible ports or interfaces. Plan to connect to a variety of communications interfaces and to use a selection of modern and legacy storage media to interact with these systems. Some familiarity with the facility's hardware and software will be a great boon here, particularly in the form of a Collection Management Framework.
Essentials for Industrial Cyber Incident Response Toolkits
As previously noted, it is not possible for Dragos to provide one static list that covers every vertical, facility, and eventuality. However, here are some essential pieces of equipment that we highly recommend every cyber incident responder entering industrial environments have immediately on hand:
- Hard hat*
- Safety goggles or glasses*
- Composite toe safety shoes*
- Hearing protection*
- Fire-resistant clothing (including undergarments and outerwear)*
- Facility safety documentation / card
- Camera (authorized per Incident Response Plan)
- Notetaking materials
- Electronics screwdriver set
- Antistatic protection
- Universal control cabinet key set
- Analysis laptop (with authorized, preinstalled, and tested forensic tools and playbooks per Incident Response Plan)
- USB A / C adapters and extension cable
- Ethernet dongle (if the laptop is not equipped with an ethernet port)
- Serial dongle or adapter cable (if the laptop is not equipped with a serial port)
- DVD-R Drive
- Ethernet cable
- Ethernet crossover dongle or cable
- Clean removable hard drives (1 TB+ recommended, hardware-encrypted recommended)
- Write blocker (supporting SATA and IDE laptop and desktop hard drives at a minimum)
- Digital evidence bags and tags
- Chain of custody forms as specified by Incident Response Plan
*All PPE should be properly fitted and appropriately rated and certified for the facility and meet local government regulations.