GUIDANCE: Considerations for Cyber Incident Response Planning within Industrial Control Systems/Operational Technology.
Introduction
This guidance is designed to help organisations understand specific considerations that are required within Industrial Control Systems (ICS)/Operational Technology (OT) systems and to better prepare for a cyber incident within an ICS/OT environment. It is designed to complement, and to be read in conjunction with, the NCSC's general Incident Response and Management guidance, and focuses on the specific and unique aspects relating to ICS/OT environments.
Having an effective Incident Response Plan in place also supports several Outcomes within the NCSC's Cyber Assessment Framework (CAF). A summary of the related Indicators of Good Practice (IGPs) covered in this guidance is shown at the end of this article.
If you are responsible for the management or maintenance of ICS/OT assets, this article will help you to navigate the challenges you may encounter when adopting mature incident response planning processes.
Per NCSC's guidance, it is important to assume that your ICS/OT systems will be breached in the future. This could be due to:
• high numbers of legacy systems within ICS/OT environments,
• limited visibility in the operation of the systems from the perspective of asset management,
• limited visibility of network communications,
• communication conduits to external systems.
Additionally, ICS/OT environments, despite best efforts, can often be lacking in segregation from the Information Technology (IT) environment, and/or segmentation within the ICS/OT environment.
It is worth noting that Operators of Essential Services (OES) covered by the Security of Network & Information Systems Regulations (NIS-R) would be regulated via the use of NCSC's CAF and would have to have access to the appropriate logging and monitoring within their ICS/OT environments.
For those operators that are covered by the Health and Safety Executive, OG86, Appendix 2, Section D details requirements for Incident Response planning.
While Cyber Incident Response Plans (IRPs) should cater for both IT and ICS/OT systems, consideration must be made for the key differentiators found in ICS/OT environments.
So, in this article, we're going to walk through specific concerns in ICS/OT Incident Response preparation and planning.
We have broken the specific areas of concern down to the following:
• Preparation
• Detection
• Triage
• Taking responsive action
• Tracking and Reporting
• Stakeholder Engagement
• Lessons Learned
Preparation
Lessons learned from responding to high profile cyber-attacks, such as the E-ISAC/SANS Defense Use Case 1 from the Analysis of the Cyber Attack on the Ukrainian Power Grid, provide a clear message that preparation is essential.
Preparation - Define roles and responsibilities.
When considering roles and responsibilities within the ICS/OT Cyber IRP, here are a couple of considerations to make:
• For ICS/OT, regardless of which teams perform analysis and/or collection, the roles and responsibilities should be clearly defined. This is particularly important in relation to plant operation, safety and decision making associated with production, quality, and safety, which requires the identification and neutralisation of the threat and building confidence that the system can be returned to a safe operational state.
• Incident Response companies that are held on retainer should be capable of providing support with resources that are comfortable operating in hazardous environments. In some cases, those resources may need to be certified to operate on the industrial sites, so you should consider who to use and how to on-board them, including any required health and safety inductions, drugs and alcohol checks etc.
Roles and Responsibilities should always include the following:
• Plant Operations
• Safety system and assurance managers
• Production managers
For further information on roles and responsibilities please see NCSC's Guidance on building a Cyber Security Incident Response Team (CSIRT).
An ICS/OT specific Incident Response decision tree describing how the communication will flow throughout the whole Incident Response lifecycle would help define the roles and responsibilities needed, and how key stakeholders will be integrated and called on/off.
Action point: Develop an ICS/OT specific Incident Response decision tree/playbook.
It is important to establish cross-functional incident response teams, comprising members from both IT security and ICS/OT departments, with pre-designated team leads who are responsible for coordinating communication, decision-making, and task assignments between the IT security and ICS/OT teams. These individuals and teams can share relevant threat intelligence, indicators of compromise (IOCs), and forensic findings between IT security and ICS/OT teams, across implemented secure communication channels and information sharing platforms.
Action point: Identify and train key individuals to act as the coordination point between IT and ICS/OT teams.
Preparation - Prepare an ICS/OT specific Cyber Incident Response Plan
ICS/OT systems and networks are typically sensitive to availability and integrity requirements, requiring the Incident Response procedures to consider how systems can be interacted with for forensic collection. Those considerations should be documented in an ICS/OT specific response plan, which may have to cater for different systems used across an ICS/OT operator's estate, such as different sites, industrial processes, or functionality of the systems.
• Action point: Create an IRP that is specific to your ICS/OT environment. Key sections to include in your ICS/OT Cyber IRP include the following:
• Scope
  o Consider whether the ICS/OT Cyber IRP is to be enforced, and whether it covers all of your ICS/OT environment or is on a site or business unit basis. If the latter, consider interaction points and escalation routes between teams.
• Contact details for key roles.
  o Appoint roles and provide their contact details.
• Description of the Incident Response process covering the full lifecycle of an incident
  o Use established frameworks such as the SANS PICERL framework (as shown in Figure 1 below) or NIST SP 800-61r2.
• Templates for recording and reporting incidents.
  o If you are an Operator of Essential Service (OES), produce a template for the reporting requirements to assist the IR team in ensuring that they capture the right information in a timely manner.
CISA have produced an excellent document providing further detail on what should be included within an ICS/OT Cyber IRP.
The Information Commissioner's Office provides further details on reporting requirements for OES, although within the UK each Competent Authority may have a specific requirement - for instance the Department for Energy Security & Net Zero (DESNZ) provide the following guidance for the Energy Sector, which is based on thresholds (see Annex D).
In addition to exercising the ICS/OT IRP as mentioned later in this article, training and awareness of the elements covered within the plan need to be provided to those identified within it as having responsibilities.
Action point: Provide training and awareness to staff involved in the ICS/OT IRP, so that they are better trained for the roles they are responsible for.
Figure 1 - Six Phases in the Incident Response Plan (PICERL)
Detection
Detection of cyber security events from ICS/OT networks has been a long-standing challenge for ICS/OT operators, particularly those with legacy systems which were not designed with security in mind. Being able to detect, correlate and analyse events from ICS/OT is crucial in being able to respond and recover from an incident.
Figure 2 - Event Detection in ICS/OT environments
Further guidance and insights on logging and monitoring within ICS/OT environments that support event detection can be found on the ICS COI website.
Operators also utilise the concept of Security Operations Centres (SOCs), with specialised SOC analysts, who will monitor events on a 24/7 basis. NCSC has additional guidance on SOCs and the functions and roles within them.
Detection - People
Operations, engineering, and maintenance teams will know your systems best and how they behave. Training these teams to report suspicious behaviour, and building a culture that encourages the reporting of suspicious behaviour, is a necessary long-term organisational activity that will increase event detection coverage, and also helps to raise awareness of cyber security with those who do not perform cyber security roles full time.
A useful reference for what to consider when training ICS/OT operators to report potential cyber security events has been created by NERC in the US and is found here.
• Action point: Document the event detection examples from your environment in your ICS/OT Cyber IRP. Including where notifications could come from helps to reinforce security culture across the organisation, and regular reviews of the ICS/OT Cyber IRP can be used to check the validity of the event detection capability.
Detection - Process
Security events from network monitoring, host logging or security appliances such as firewalls can be used by your ICS/OT monitoring teams to detect and respond to events. This could be taking decisive and specific action in response to an event, or it could be activating the incident response plan to gather the team and investigate in more detail. It can be challenging for ICS/OT operators to hire and retain ICS/OT security specialists to perform the monitoring function. Third party monitoring arrangements can be considered to supplement ICS/OT operators' organisational capability.
Options for support range from the integration of ICS/OT monitoring solutions into an enterprise SOC (see NCSC related guidance), or outsourcing the monitoring to a Managed Security Services
Sources of cyber security events can also be found from outside of your own organisation. ICS/OT operators can utilise community notification arrangements such as Information Sharing and Analysis Centers, monitoring NCSC CiSP notifications and subscribing to NCSC's Early Warning system. Further information on threat information is also available on NCSC's website. The UK government also published a paper to help government departments with understanding how they should handle threat information, which operators will also find useful.
Detection - Technology
Detection capability for ICS/OT systems, if IT based, can rely on the deployment of Endpoint Detection and Response (EDR) solutions, which are commonly deployed across entire enterprise networks (although quite often a business/risk decision is made to not enable the response function). Passive network monitoring is often a good solution to deploy to minimise disruption to ICS/OT systems and assets where active scanning or host-based agents are prohibited, impractical or dangerous to deploy.
Regardless of the choices that ICS/OT operators make in terms of threat detection technology deployment, services, or in-house capability, they should have a clear understanding of what logging and monitoring coverage exists today for their environment. This is key to help understand potential gaps and improvements to logging and monitoring coverage. Even more importantly, it provides the incident response team (however it is composed) with a clear picture of where and how to collect logs to facilitate analysis.
• Action point: Develop a Collection Management Framework, sometimes referred to as a logging inventory; this is the documented result of determining what logging and monitoring is in place across an environment. This can include documenting things like where network monitoring is currently deployed and which hosts are configured with log forwarding. This document can also be used to list out where forensic collection can be performed from assets. For example, there may be little monitoring deployed, but pointing out where logs or images could be manually collected will still be very useful to an incident response team.
Triage
Triage - Identify critical systems.
Operators of ICS/OT should have a well-documented inventory identifying critical systems and assets. These may have been identified through business continuity planning activities, risk management activities, tabletop exercises, crown jewel analysis or CCE activities. Regardless of how they are formed, they should be used to determine what matters most to the ICS/OT operations, and therefore inform the incident response team on where to prioritise efforts for performing triage and forensic collection.
Triage - scope and scale.
ICS/OT operators should focus on how to scope out the scale of an incident in terms of how many systems, sites or business units are affected and in terms of how severe the incident is. This is important in helping to inform which resources are required internally and externally, which teams need to be informed, and which regulatory reporting needs to be initiated. It is also vitally important for informing the teams responsible for collecting forensic evidence or performing any additional monitoring. Collecting forensic evidence in industrial environments and transferring it to somewhere it can be analysed is typically a challenging process that takes significant amounts of time and specialised resource (a useful resource developed by NIST in the US can be found here). Being able to use collection in a timely and strategic manner will reduce the load on the incident response team and help them keep agile in their response efforts.
• Action point: Document in the ICS/OT Cyber IRP where the incident response team can find ICS/OT specific forensic collection procedures.
• Action point: Plan ahead to think about which collection tools can be used, by whom and how they would be authorised for use, and how collected evidence can be securely transferred to where it can be analysed.
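A Collection Management Framework is easiest to keep accurate when it is held as data rather than prose. The Python below is an added illustration (not NCSC code, and not taken from any operator's IRP) that records, for each asset, the collection routes described in the Detection section's logging inventory action point, and then reuses the same inventory to order affected assets for triage, which is the critical-system and scope-and-scale point made here. All asset names, zones, criticality scores and procedures are constructed sample data.

```python
"""Collection Management Framework (logging inventory) with triage prioritisation.

Added illustration for this guidance, not NCSC code. All asset names, zones,
criticality scores and collection procedures are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Asset:
    name: str
    zone: str                                # zone from the operator's zones-and-conduits model
    criticality: int                         # 1 = highest, from crown jewel / CCE / BCP work
    log_forwarding: bool = False             # host logs are shipped to a central collector
    network_monitored: bool = False          # a passive sensor sees this asset's traffic
    manual_collection: Optional[str] = None  # documented manual procedure, if any


# Constructed sample inventory for a hypothetical site
INVENTORY: List[Asset] = [
    Asset("hist-01", "dmz", 2, log_forwarding=True, network_monitored=True),
    Asset("scada-srv-01", "control", 1, log_forwarding=True, network_monitored=True),
    Asset("hmi-03", "control", 2, network_monitored=True,
          manual_collection="disk image with vendor-approved write blocker during a change window"),
    Asset("eng-ws-02", "control", 3, log_forwarding=True),
    Asset("plc-line1", "field", 1,
          manual_collection="export project from engineering workstation; diff against known-good copy"),
    Asset("safety-sis-01", "safety", 1,
          manual_collection="read-only diagnostics via vendor tool; no other tooling permitted"),
    Asset("legacy-rtu-07", "field", 2),      # nothing documented: a gap to close
]


def collection_route(asset: Asset) -> str:
    """How the IR team can get data from this asset: automated, manual or none."""
    if asset.log_forwarding or asset.network_monitored:
        return "automated"
    if asset.manual_collection:
        return "manual"
    return "none"


def coverage_report(inventory: List[Asset]) -> Dict[str, List[str]]:
    """Group the inventory by collection route; 'none' is the gap list for the logging plan."""
    report: Dict[str, List[str]] = {"automated": [], "manual": [], "none": []}
    for asset in inventory:
        report[collection_route(asset)].append(asset.name)
    return report


def prioritise_collection(inventory: List[Asset], affected: List[str]) -> Tuple[List[str], List[str]]:
    """Order the affected assets for triage and forensic collection.

    Most critical first; among equal criticality, assets with an automated route come
    before manual ones (cheaper and less intrusive on the plant), and assets with no
    route last. Names not in the inventory are returned separately: each one is an
    inventory gap the team should record for the lessons-learned review.
    """
    by_name = {a.name: a for a in inventory}
    route_rank = {"automated": 0, "manual": 1, "none": 2}
    known = [by_name[n] for n in affected if n in by_name]
    unknown = [n for n in affected if n not in by_name]
    known.sort(key=lambda a: (a.criticality, route_rank[collection_route(a)]))
    return [a.name for a in known], unknown


if __name__ == "__main__":
    print(coverage_report(INVENTORY))
    order, gaps = prioritise_collection(
        INVENTORY, ["eng-ws-02", "legacy-rtu-07", "plc-line1", "hmi-03", "cctv-nvr"])
    print("collect in order:", order, "| not in inventory:", gaps)
```

Run stand-alone it prints the coverage report, with the `none` list as the gaps to close, and a collection order for a constructed set of affected assets; names absent from the inventory come back separately because each is itself a finding.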
Taking responsive action
Taking responsive action - Increased threats
Plans should be in place to temporarily enhance the security of your network and information systems. You may choose to enact these plans in response to new or heightened levels of risk (e.g. a widespread outbreak of very damaging malware), informed by an organisation's security awareness and sources of threat intelligence.
Taking responsive action - Containment
Being able to implement containment methodologies can provide the response team with some quick response options during an incident. Containment methodologies for industrial environments should be clearly defined and agreed ahead of time to allow for their swift implementation in an authorised manner. ICS/OT operators should use a zones and conduits model to help identify where and how containment can be implemented. Care must be taken when considering and acting to implement containment measures, as the responsibility for doing so will almost certainly lie with the authorised operators of the systems, not the Incident Response Team. The Incident Response Team need to be able to provide the advice, without overstepping designated plant operating responsibilities. Having pre-developed, tested and agreed containment methodologies will obviously reduce the decisions that need to be made during an incident.
Consideration should be given to the disconnection of the likes of SCADA servers/workstations and HMIs from the ICS/OT network if infected with malware. Ideally the methodologies (likely centred around disconnecting networks from IT/DMZs/vendor remote access/Site Island Mode) will also clearly describe what the impact will be to plant operations in order for stakeholders to make a risk informed decision. For example, if plant disconnection at this location occurs, visibility will be lost to X systems, or services to Y will be affected. These actions would support:
• Isolation of the ICS/OT environment if the threat is detected in the wider IT/Enterprise business network and has not yet reached the ICS/OT environment.
• Preventing malware connecting out to its command and control network.
• Stopping any remote access that has been established by a threat.
Action point: Document where and how containment can be implemented across the ICS/OT environment. Include this information in the ICS/OT Cyber IRP alongside the consequences and potential consequences associated with the action. For example, cutting the links to the system may reduce risk from further lateral movement of an attacker, but may also result in a loss of visibility to operators of the system or visibility of security monitoring to that network segment. Having detailed network mapping documentation available of all connections in and out of the ICS/OT environment, defining the purpose of each, including which connections are essential to maintain normal operations and what can be safely disconnected, would support quicker containment activities. Another activity to have undertaken to support quicker containment activities would be to have a separate firewall policy pre-defined that limits connectivity to the minimum necessary, which can be quickly installed on enforcement/containment points.
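As an added example (not NCSC's or any vendor's code) of how a zones and conduits model can carry the information this action point asks for, the Python below records each conduit's purpose and kind and, for a chosen zone, derives the minimum-connectivity policy for its enforcement point together with the consequences of applying it, including lost security visibility. Zone names, services and purposes are constructed for a hypothetical site, and the rule strings are a neutral notation rather than any firewall's syntax.

```python
"""Zones-and-conduits containment planner.

Added illustration for this guidance, not NCSC's or any vendor's code. The zones,
conduits, services and purposes are constructed for a hypothetical site.
"""
from dataclasses import dataclass
from typing import Dict, List

# "process" conduits are essential to normal operation and are kept; the others can be
# cut, but "monitoring" conduits carry security visibility, which the IRP must flag.
KINDS = ("process", "monitoring", "remote_access", "business")


@dataclass(frozen=True)
class Conduit:
    name: str
    src: str
    dst: str
    service: str      # constructed, e.g. "tcp/502" for Modbus/TCP
    kind: str         # one of KINDS
    purpose: str      # plain-language description for the risk-informed decision


CONDUITS: List[Conduit] = [
    Conduit("ent-hist-rep", "enterprise", "dmz", "tcp/443", "business", "historian replication to business reporting"),
    Conduit("vendor-ra", "internet", "dmz", "tcp/443", "remote_access", "vendor remote access jump host"),
    Conduit("hist-collect", "dmz", "control", "tcp/1433", "business", "historian collector polls SCADA server"),
    Conduit("scada-poll", "control", "field", "tcp/502", "process", "SCADA server polls PLCs"),
    Conduit("sis-status", "safety", "control", "tcp/502", "process", "read-only SIS status to HMIs"),
    Conduit("soc-telemetry", "control", "enterprise", "tcp/6514", "monitoring", "passive sensor telemetry to SOC"),
]


def plan_containment(conduits: List[Conduit], zone: str) -> Dict[str, object]:
    """Pre-plan isolation of one zone.

    Returns the minimum-connectivity policy for that zone's enforcement point (allow
    only process conduits crossing its boundary, deny everything else), the conduits
    that policy cuts grouped by kind, the plain-language consequences, and whether
    security visibility is lost. All of it belongs in the IRP beside the action.
    """
    for c in conduits:
        if c.kind not in KINDS:
            raise ValueError(f"{c.name}: unknown conduit kind {c.kind!r}")
    crossing = [c for c in conduits if zone in (c.src, c.dst)]
    retained = [c for c in crossing if c.kind == "process"]
    cut = [c for c in crossing if c.kind != "process"]

    rules = [f"allow {c.src} -> {c.dst} {c.service}  # {c.purpose}" for c in retained]
    rules.append(f"deny any -> {zone} any  # containment: nothing else in")
    rules.append(f"deny {zone} -> any any  # containment: nothing else out")
    cut_by_kind = {k: [c.name for c in cut if c.kind == k] for k in KINDS if k != "process"}
    return {
        "zone": zone,
        "rules": rules,
        "retained": [c.name for c in retained],
        "cut": cut_by_kind,
        "consequences": [f"{c.kind}: {c.purpose} stops" for c in cut],
        "visibility_lost": bool(cut_by_kind["monitoring"]),
    }


if __name__ == "__main__":
    for zone in ("control", "dmz"):
        plan = plan_containment(CONDUITS, zone)
        print(f"== isolate {zone} ==")
        print("\n".join(plan["rules"]))
        print("consequences:", plan["consequences"], "| visibility lost:", plan["visibility_lost"])
```

For the constructed site, isolating the control zone keeps only the PLC polling and SIS status conduits and cuts the SOC telemetry, so the plan flags that the security monitoring of that segment stops; isolating the DMZ cuts vendor remote access and historian flows but costs no visibility.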
Taking responsive action - Recovery
If the analysis has determined that recovery measures are required, a well-documented arrangement for performing system restoration will be needed. It is common for ICS/OT operators to utilise control system vendors or integrators to support the recovery and restoration efforts. As with containment actions, the Incident Response team should be providing advice and guidance to the operations team, who will have responsibility for making the recovery decisions and actions.
For many ICS/OT operators there will be a reliance on vendors to support the process for recovery from backup. There will also be a reliance on prompt access to backups (and, for the likes of Programmable Logic Controllers (PLCs), the programming software to download the program to the PLC). For many ICS/OT packages, it is likely to be possible to use standard hardware and operating systems. However, for other vendor solutions, more bespoke hardware will be required. This will require additional consideration for ICS/OT operators over IT recovery/remediation.
Additionally, it is not uncommon for the same ICS/OT site to use multiple versions of the same or similar systems (which could make taking relevant backups of assets more challenging). Consideration should be given to the fact that assets may need to be replaced because they have been rendered unusable, or because replacing the asset would be a faster route to recovery.
As part of the documented arrangement for performing system restoration, it would be useful for ICS/OT operators to work out how long restoring systems to a known good state would take, as an operator might take different steps if they know that it would take 2 hours to wipe and restore known good backups onto their ICS/OT systems rather than 2 weeks.
Factoring in the system restoration time that would ensure safety and integrity is likely to be very important, in addition to considering what resources (time/expertise/software/hardware) are required to achieve it.
It is also important to make sure that ICS/OT operators know whether they could fully rebuild their systems if they were impacted. This matters especially given the legacy nature of a lot of ICS/OT environments: understanding if there are viable like-for-like spares, or what would be done if, for instance, the manufacturer of an old Windows based HMI has been bought out and the original software copy is no longer around.
Action point: Document in the ICS/OT Cyber IRP the support required for the recovery and restoration of systems and industrial processes, including contact details for vendors and/or system integrators. ICS/OT operators may already have in place arrangements for the storage and testing of backup images and the acquisition of spares for restoration as a result of business continuity planning and disaster recovery procedures. Where these already exist, consider if they can be used in relation to responding to a cyber incident. For example, consider how testing of the images can be performed to ensure that backups are not also compromised, and consider how the containment efforts can be validated to ensure that a replacement system is not introduced into a network which is still compromised.
Action point: Reference Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) outputs in the ICS/OT Cyber IRP, listing out or providing document references to where and how backups are created, stored, and tested.
Tracking and Reporting
Tracking and Reporting - Timelines
Building a timeline of an incident is crucial regardless of whether it is a cyber security event in an IT or ICS/OT environment, or whether it is an industrial accident or malfunction of a system resulting in an operational incident. ICS/OT operators should put in place arrangements to ensure that the incident response team are recording incident timelines throughout the incident.
Key information to record includes:
• Time of the event occurring, including checking that time from systems is synchronised or adjusted for drift.
• Time that information was received from stakeholders.
• Time that action was taken and who actions were assigned to.
Action point: Create a template that incident response providers can use to record and track details on an incident and include this (or a reference to it) within the ICS/OT Cyber IRP.
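Added example (not NCSC's template) of a timeline record that applies the drift check from the first bullet: each source's measured clock offset is stored once, every entry is normalised to the reference clock at the moment it is added, and actions cannot be recorded without an assignee. Sources, offsets and entries are constructed; the two constructed system events illustrate how uncorrected drift would have made simultaneous events look nearly five minutes apart.

```python
"""Incident timeline with per-source clock drift correction.

Added illustration for this guidance, not NCSC's template. Sources, offsets and
entries are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Offset of each source clock relative to the reference clock (e.g. the NTP-synced
# collector), measured when the timeline is opened: positive = clock runs ahead.
CLOCK_OFFSETS: Dict[str, timedelta] = {
    "hmi-03": timedelta(minutes=4, seconds=12),
    "firewall-dmz": timedelta(seconds=-37),
    "scada-srv-01": timedelta(0),
    "ir-lead": timedelta(0),          # human entries are made against the reference clock
}


@dataclass
class Entry:
    kind: str                 # "event" (on a system), "information" (received), "action" (taken)
    source: str
    recorded_at: datetime     # timestamp exactly as it appeared on the source
    normalised_at: datetime   # reference time after drift correction
    description: str
    assigned_to: Optional[str] = None


class IncidentTimeline:
    def __init__(self, offsets: Dict[str, timedelta]):
        self.offsets = offsets
        self.entries: List[Entry] = []

    def add(self, kind: str, source: str, recorded_at: datetime, description: str,
            assigned_to: Optional[str] = None) -> Entry:
        if recorded_at.tzinfo is None:
            raise ValueError("timestamps must carry a timezone")
        if source not in self.offsets:
            raise KeyError(f"no drift measurement for {source}; measure its clock before trusting it")
        if kind == "action" and not assigned_to:
            raise ValueError("an action must record who it was assigned to")
        normalised = (recorded_at - self.offsets[source]).astimezone(timezone.utc)
        entry = Entry(kind, source, recorded_at, normalised, description, assigned_to)
        self.entries.append(entry)
        return entry

    def ordered(self) -> List[Entry]:
        return sorted(self.entries, key=lambda e: e.normalised_at)

    def render(self) -> List[str]:
        lines = []
        for e in self.ordered():
            who = f" -> {e.assigned_to}" if e.assigned_to else ""
            lines.append(f"{e.normalised_at:%Y-%m-%d %H:%M:%S}Z [{e.kind}] {e.source}: {e.description}{who}")
        return lines


def build_sample_timeline() -> IncidentTimeline:
    """Constructed entries; the HMI and firewall timestamps describe the same moment."""
    utc = timezone.utc
    tl = IncidentTimeline(CLOCK_OFFSETS)
    tl.add("event", "hmi-03", datetime(2024, 3, 5, 10, 4, 12, tzinfo=utc), "unexpected logon to HMI console")
    tl.add("event", "firewall-dmz", datetime(2024, 3, 5, 9, 59, 23, tzinfo=utc), "new session from HMI to DMZ host")
    tl.add("information", "ir-lead", datetime(2024, 3, 5, 10, 20, 0, tzinfo=utc), "shift supervisor reports HMI screen flicker")
    tl.add("action", "ir-lead", datetime(2024, 3, 5, 10, 25, 0, tzinfo=utc),
           "collect HMI disk image per IRP procedure", assigned_to="plant ops lead")
    return tl


if __name__ == "__main__":
    print("\n".join(build_sample_timeline().render()))
```

Keeping both the raw and the normalised timestamp on each entry preserves the evidential value of the source record while the ordered view is what the team and any regulator reads.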
Tracking and Reporting - Communicating
ICS/OT typically performs functions that are the core of the business in terms of revenue generation, and will be performing functionality that is preventing hazardous situations such as loss of containment, personnel protection or protecting against uncontrolled environmental discharges. Therefore, it is vitally important that incident response teams are able to advise operations and safety personnel on the impact or potential for impact on operations and the systems performing safety functions. Incident response teams are recommended to keep this in mind throughout an incident response investigation, and actively consider and record this during regular incident response update calls. Regular and clear communication is key from the incident response team with other stakeholders, which should include operations, health & safety representatives, engineering, and maintenance teams.
Communications across teams should cover and regularly revisit:
• What is known about the attack and/or malware? (Or was it an attack, or a failure/mistake in a configuration change?)
• What is the potential impact on the plant?
• Which systems/sites have been affected?
• What are the actions that need to be assigned, and to whom?
The use of templates can aid these discussions, as well as referring to a predefined and agreed incident severity matrix which should be recorded within the ICS/OT Cyber IRP. Examples of incident severity matrices are provided in the NCSC's Incident Management guidance. An ICS/OT specific example could be:
• Critical – Loss of essential service for an extended duration, major equipment damage, offsite multiple injuries or fatalities.
• High – Reduction in operational production, plant damage/system outage, long term impact on business continuity, onsite injury.
• Medium – Short term impact on production, lost time accident.
• Low – Minor deviation on a low importance system.
The Mitre ATT&CK ICS specific framework lists 12 techniques under the 'Impact' tactic that could be considered when developing this matrix.
An understanding is required of the regulatory requirements related to incident reporting and compliance obligations specific to ICS/OT environments. Nominated individuals should notify regulatory agencies as required by applicable regulations and standards, providing timely and accurate information about the incident and remediation efforts. Identified staff should work closely with legal teams to navigate the legal and regulatory considerations associated with incident response, such as preserving evidence for potential legal proceedings and complying with data protection laws.
Action point: Decide and document the ICS/OT incident severity matrix aligned to your ICS/OT operations.
Lessons Learned
As with any incident response or project closeout, taking the time to discuss, document and disseminate lessons learned is key to improving an organisation's capability. This is no different for ICS/OT incident response, but is provided here to ensure it is not forgotten. It is recommended to include the following areas for consideration during any lessons learned activities:
• What went well, where can we celebrate the capability and commitment from our teams?
• How can we ensure we can better protect and detect against the attack vector?
• What were the blockers to making decisions?
• Where are improvements required on monitoring and logging coverage?
• What new critical assets were identified? (And fed back into the triage process.)
Lessons Learned - Testing Capability
While learning from a real incident is very useful, there is no better way of testing an organisation's ability to perform incident response than to test it. Often the term "exercising" conjures thoughts that an exercise must involve a significant amount of planning and time away from the day job for key operational staff. However, exercising can and should include a range of walk-throughs, drills and tabletop exercises, up to company-wide and sector-wide exercises. NCSC guidance is available providing effective steps to creating a cyber security exercise. Examples of exercising capability can include the following:
• Gamification using Decisions and Disruptions or similar.
• Rehearsal of concept drill
• Team walkthrough of the Cyber IRP and/or procedure
• Generic scenario tabletop exercises
• Customised tabletop exercise crafted to be specific to systems, operations and procedures used by the operator.
• Sector-wide exercises such as PowerPlay and GridEx
Tabletop exercises are very useful for exercising an operator's ability to activate an ICS/OT incident response team, and work in collaboration with other teams including corporate communications, operations and legal. For ICS/OT, there is often a need to ensure that there is sufficient cyber security maturity of an operator prior to undertaking a reasonably sized tabletop exercise (i.e. ½