By Martine Chlela, PhD.
Global Head of Delivery - Industrial Cybersecurity
As cyberattacks across the globe leverage new tools to successfully complete their intrusions, critical infrastructure leaders are beginning to recognize that extra steps should be taken to protect their valuable operational assets. But the question is- where should they begin?
A foundational building block towards cyber resilience is an incident response plan (IRP).
Critical infrastructure, including power, water, gas, sewer, and transportation – are giving special attention to the implementation of their IRPs. Developing such plans is especially important for helping to protect one of the most vulnerable resources – their Operational Technology (OT) assets. These sensors, equipment, devices, and systems that fundamentally control so many resources miles away from a central location are often forgotten in the “big picture” of protection.
What Is an Incident Response Plan?
An IRP spells out in clear terms exactly how critical infrastructure should respond when an attack happens. It leaves no stone unturned. It informs the different teams exactly what they should do and when to do it. It is wide in scope, as an attack certainly impacts multiple teams throughout the organization.
An incident response plan focuses on clearly delineated roles and responsibilities for each team. There should be no “what do we do now?” questioning – that has already been decided and communicated to all. When an intrusion detection is set off, each sequential response step is delegated and understood ahead of time.
The plan catalogs all the equipment and technology that needs to be checked, and if isolation or segmentation is in order, prescribes precisely how to accomplish that. It shows the priority in which equipment should be examined. Since communication is vital during an actual incident, the plan outlines who needs to be notified and what that notification should state. The plan also encompasses how to make any public notifications if required.
All of this is accomplished with customized training to fit the organization’s unique operations. Tabletop exercises held on a regular basis can keep intrusion threats top-of-mind for all parties for a fast response. Drills are conducted to ensure the different teams are equipped with the right knowledge on how to respond. Training should be cross-functional, too, especially between IT and OT specialists. An attack has the potential to impact both ends of the operation and proper response should not be isolated to just a few individuals.
An incident response begins with some type of alarm or anomaly detection being triggered. But do organizations in critical infrastructure industries have the proper detection equipment and technology in place for this to happen? An incident response planning team will examine the tools the organization has on hand and make recommendations for upgrades or new technology, if required. As attack models become increasingly targeted and sophisticated, having the proper detection mechanisms in place is no longer optional, but a must-have. New detection tools are being introduced while existing ones are being upgraded and tailored to the critical infrastructure domain in place. Selection of the right tool is an important step to ensure a fast and efficient response.
There are several international standards that serve as frameworks for incident response planning, including IEC 62443, NIST, CISA’s ICS-CERT Incident Response Playbooks, ENISA guidelines and NIS2 Directive. These standards and guidelines provide the key building blocks of a proper IRP, outlining best practices for critical infrastructure.
Lack of Confidence. Why?
Many critical infrastructure stakeholders lack confidence in their current IRPs. This could be due to unrealistic assumptions of the plans, including outdated threat models or plans that are not adapted to the modern OT environments. In some cases, critical infrastructure owners and stakeholders have inadequate response plan testing – or a complete absence of testing – leading to ineffectiveness during an actual incident, or they struggle with insufficient training to respond to the incident, leading to staff unpreparedness.
Black & Veatch’s 2024 Electric Utility Report shows “Incident Response Plan” as one of the top 5 most needed efforts to mitigate cybersecurity risks at the utilities, next to threat intelligence, monitoring and response, vulnerability assessment and management and hardening – all activities directly connected with an IRP. In the water industry, the Black & Veatch’s 2024 Water Report shows “Incident Response” as one of the top areas of concern, where utilities are seeking external support to address their challenges.
The consequences of not having a trusted and well-tested IRP are enormous. For some organizations, it can mean extended downtime leading to significant operational and financial impacts. It could be followed by regulatory penalties and increased scrutiny from a myriad of regulatory bodies. Organizations could also have to deal with reputational damage resulting in a loss of trust from customers, stakeholders, and the public.
But it doesn’t have to be that way.
An incident response plan is not static– it’s a living document. It’s updated continuously to reflect the latest threats and vulnerabilities; especially now as artificial intelligence (AI) is working its way into attack modeling. The IRP will outline any needed investment in visibility and control tools to detect and respond to threats in real-time.
Detection resources are increasingly becoming very adept at finding intrusions. Some of the more popular tools include Security Information and Event Management (SIEM) and Intrusion Detection System (IDS). And just as the bad actors are using AI as a weapon, organizations can use AI as a defense barrier. This can help automate portions of the response process, reducing human error and speeding up the decision making.
In addition, organizations are benefiting from collaborative information sharing to fight attackers and improve their IRPs. Known as Information Sharing and Analysis Centers (ISACs), these industry groups have begun sharing confidential information about their respective sectors. While this information is valuable, a collective effort to share garnered cybersecurity knowledge would be significantly more impactful in helping industries across the board respond to cyber incidents.
For critical infrastructure, they’ve been formed for electricity (E-ISAC), water (WaterISAC), oil and natural gas (ONG-ISAC) downstream natural gas (DNG-ISAC), petrochemical (American Chemistry Council -ACC), aviation (Aviation ISAC), communications (Communications ISAC), maritime (Maritime ISAC), and transportation (ST, PT and OTRB ISAC). Leadership should consider getting involved with their peer organizations, as they all have the common goal of effectively fending off the threat actors.
Implementing a Cultural Shift in Critical Infrastructure
One area that needs special attention is a cultural shift in how OT cybersecurity is viewed. Traditionally, organizations in critical infrastructure focus on protecting their IT and enterprise environments, which they understand perfectly. When it comes to OT systems, with different priorities and specificities, a security-by-obscurity approach is followed – where stakeholders decide to have little to no visibility into the OT environment, so they don’t need to think about ways to secure it. However, an “out-of-sight, out-of-mind” tactic here can be detrimental. This approach must change, and the change must begin within the organizations’ leadership. OT cybersecurity is a business risk, one that can directly impact the employees, the community, and the environment, and why it should be imbedded into the overall organization’s governance. This change should come from the highest levels, filtering down to all teams so there is understanding across the organization of the underlying risks and be collectively to detect and effectively respond to an incident.
Both the Black & Veatch 2024 Electric Report and the 2024 Water Report show that leaders are aware their cyber protection game is not up to par and are looking for solutions to guide them through what can be a complex process. There is no generic one-size-fits-all plan to be handed out. Rather, each IRP is and should be unique, tailored to each organization’s equipment, technology, personnel, needs and challenges.
As an expert in critical infrastructure spanning from design to commissioning, to operation and decommissioning, Black & Veatch has the experience and knowledge to integrate all the missing parts of the puzzle to design and implement a comprehensive IRP that meets the organization’s unique needs.
To learn more about how we can help you with the development, review, and implementation of your IRP, reach out to connect with our Industrial Cybersecurity experts.
