The Dragos Blog

03.15.23 | 5 min read

OT Cybersecurity Best Practices for SMBs: Communication Channels to Use During Cyber Incident Response

This is our monthly blog detailing best practices for operational technology (OT) cybersecurity for under-resourced organizations by Dragos OT-CERT (Operational Technology – Cyber Emergency Readiness Team), which provides free resources to help small and medium businesses (SMBs) create or enhance their OT cybersecurity program. The Category and Practice from the “OT-CERT OT Cybersecurity Fundamentals Self-Assessment Survey” is noted for each best practice. Hopefully, you filled out the survey and identified your gaps – these best practices can be implemented to begin to address those gaps. If not, there’s no time like the present – join OT-CERT and get started today.

Larger Organizations Take Note

If you have been improving your security posture and have reduced the risk of a significant cyber attack in your enterprise, including your OT environment, that’s excellent news! However, does your risk assessment include the possibility of a cyber attack on one of your critical suppliers, and the impact that would have on your company’s operations? Could you still produce your product or provide services to your customers? Read on to ensure that you are quantifying the likelihood and impact of that risk correctly in light of the current threat environment. And strengthen your supply chain security risk posture by promoting OT-CERT to your suppliers.

What Communication Channels Should I Use During OT Cyber Incident Response?

A ransomware attack or physical incident could render your electronic communications like email and chat unusable, or an adversary could potentially listen in on communications after they’ve breached your environment. You should prepare your team and devices in advance in case you require an alternate means to communicate with each other and with third parties. Ideally everyone can use their company devices, but it is also possible that you will have to use personal devices to respond to an incident.   

We provide the following solutions for secure end-to-end alternatives to your typical communication channels. 

Categories
  • Operational Resiliency
  • Cybersecurity Incident Response
  • Cybersecurity Program Management

Best Practice

During an incident, large organizations may have an established means of spinning up a mirror of the communications platform they use normally. Even if they don’t, one of the first things an external incident response company will set up is out-of-band communications (i.e. not your normal day-to-day email) to ensure secure and private communications. Luckily there are many free solutions that small and medium businesses can use that can easily be set up in less than a day so they are ready to be used in the case of an incident.

Below we provide a list of free communication mediums for your consideration, but these are not the only options. Each of you should assess whether there is a better alternative for you.   
 
Dragos Recommendation #1 – Email
During an incident, email will likely be one of your main platforms to communicate internally and externally, track incident updates and data, and provide an easy audit trail after the incident has been resolved. Unfortunately, it is possible that your email has also been compromised – in fact, it may have been the initial vector used for the larger network compromise.
 
Proton Mail offers a free account that gives users end-to-end encryption that can be accessed through a browser or as an app on either Android or iOS. Proton won’t store your decryption keys, which means that even if they get hacked your sensitive information won’t be accessible. The downside is if you forget your master password or recovery keys then there is no way for you to access or recover your account.  
 
Another consideration is that the data (although encrypted) will exist on Swiss-based servers. If data sovereignty is a concern for your organization then either speak to your legal expert or consider a different platform.  
 
Dragos Recommendation #2 – Video conferencing
This will be the second most useful communication mechanism when responding to an incident, as there will likely be a daily meeting to catch up on what is happening. Most of you probably use a platform like Microsoft Teams or Zoom. As with email, during a compromise you’ll need to use a different platform. At the time this blog was written, Zoom had recently introduced end-to-end encryption (E2EE on their website) for free tier users, so it is a viable option.
 
Signal offers group calling for up to 40 members, and there is a desktop app (which must be linked to a mobile app account) which enables you to video call and join in on the group conversations from there. Since it’s also an option for SMS/Calls (keep reading!) it provides a good, comprehensive solution.  
 
If you want a standalone communication medium for video conferencing, then Google Duo is another option, which allows up to 12 participants. Just beware that not all services are end-to-end encrypted (at least the free ones) and therefore your communications could be accessible to Google.
 
Dragos Recommendation #3 – SMS / Calls
This is usually not of great concern during incident response unless you’re sending updates via TikTok to your colleagues. Nevertheless, it is good practice for your personal life to have secure, end-to-end encrypted SMS and voice communications.
 
For this we recommend the platform Signal. It is available on Android or iOS, is simple to set up and use and offers a wide variety of options to communicate including text, video and voice calls, sound bites, images, and creating groups. 
 
As you are setting up these accounts, here are some final points to keep in mind:
  • The end-to-end encryption only works when everyone is on the same platform.
  • Set sufficiently complex passwords, and write down any recovery keys on a physical piece of paper and keep them safe (don’t store them in a text file on your computer).
  • If available, set up multi-factor authentication (MFA). This is usually done either through a code that is sent via SMS or by configuring an authenticator app on your phone.

Dragos Recommendation #4 – Internet / Cellular Access
The last consideration to take into account depends on where your assets are located. If you need someone to assist with the incident in a remote location, will there be Internet access and cellular reception? This could require use of 4G routers or Wi-Fi hotspot devices, and in extremely isolated areas even satellite phones.
 
This incident response planning will not only benefit you in the event of an OT incident, but it will also be valuable when responding to any type of incident where communications may be affected.  
 
Dragos Recommendation #5 – Two Way Radios
Many SMB organizations already utilize two-way radios for communications. If your coverage area supports it, utilizing that option may be the easiest secondary communication mechanism to include in your incident response plan.

Stay Up to Date with SMB Cybersecurity Resources: Join Dragos OT-CERT!

Dragos OT-CERT offers FREE resources to help SMBs build their own manufacturing / OT / industrial control systems (ICS) cybersecurity program without hiring any cybersecurity experts. OT-CERT membership is free and globally available to OT asset owners and operators. Resources are oriented toward small and medium businesses and resource-challenged organizations with OT environments that lack in-house security expertise. Members have access to a growing library of resources such as reports, webinars, training, best practices blogs, assessments, toolkits, tabletop exercises, and more.

Currently available resources include:

  • OT Cybersecurity Fundamentals Self-Assessment Survey
  • OT Asset Management Toolkit
  • Self-Service OT Ransomware Tabletop Exercise Toolkit
  • Collection Management Framework for Incident Response
  • OT Cybersecurity Incident Response Toolkit
  • OT Data Backups Guidance
  • Host-Based Logging and Centralized Logging Toolkits
  • Access to an introductory ICS/OT cybersecurity module in Dragos Academy

If you haven’t joined Dragos OT-CERT don’t delay! Membership is open to organizations that own or operate a manufacturing / ICS / OT environment. Please join and spread the word to your community and supply chain so we can all work together to raise the security posture of the entire ecosystem – we are only as strong as our weakest link.

We look forward to working with you to safeguard civilization!
