jkloha.blogg.se

To be effective the incident action plan





Industrial facilities are beginning to take heed that, as operational technology (OT) becomes increasingly connected, cybersecurity must be a priority. This has led many to re-prioritise their cybersecurity investments and, while that is a good starting point, there is no such thing as 100% cybersecure. What if an attacker were able to bypass the security measures in place and gain access to critical security systems? Having a robust incident response plan is just as important as having procedures in place to keep attackers out.

There are, however, unique challenges in industrial domains. A successful attack on OT could impact numerous different systems from different vendors, and understanding the appropriate response in the face of this complexity requires highly specialised skills and involvement from various parties, including engineers, vendors, system integrators and more. Furthermore, OT environments are at risk of very sophisticated, specific threats – and failure to take appropriate action could lead to devastating results that impact physical processes.

In the event of a cybersecurity incident, best practice incident response guidelines follow a well-established seven step process: Prepare, Identify, Contain, Eradicate, Restore, Learn, Test and Repeat.

Preparation matters: The key word in an incident plan is not ‘incident’; preparation is everything. This means a thorough risk assessment which addresses all points, from staff training to developing contact lists in the event of an incident. Contingencies for an incident which impacts communications, creates a hazardous environment or takes place in a remote site – such as an oil rig – must be in place and regularly updated.

Identifying events: It is here that many organisations struggle. The ability to spot unusual behaviours and classify them is critical to taking appropriate action. Filtering out false positives requires experience and technical skills. Many of the penetration tests we conduct are successful, indicating that work needs to be done in this area.

Containment: This again requires protocols which lay out appropriate courses of action. Once an issue is confirmed, it’s important to understand the nature of an event and its potential to cause damage. Can the threat be contained simply by disconnecting one network host, or isolating a section of the production line? Is there a plan in place for segregating the OT network if malware is discovered on the corporate network? The right strategy will prevent unnecessary downtime and make forensic investigation simpler. Over-reaction could be just as damaging to operations as under-reaction.

Eradication and restoration: Steps four and five involve eradicating the threat and bringing the environment back online using a well-documented process for restoring it from trustworthy ‘golden image’ backups. One of the challenges in this step is regularly testing the ability and the backups themselves. Stopping a production line for comprehensive drills is difficult, while maintaining a replica environment for testing is prohibitively expensive for most.
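The restore step above hinges on two things the text leaves implicit: a ‘golden image’ is only trustworthy if its integrity can be proven against a record made when it was known-good, and a restore procedure that has not been exercised recently is an untested assumption. The following script is an added example, not code from the article or from any vendor it mentions. It verifies each image on a backup store against a manifest of SHA-256 digests and flags images whose last successful restore drill is older than a policy window. The image names, contents, dates and the 90-day window are all constructed for the example; a real manifest would be signed and kept offline.

```python
"""Golden-image readiness check (added example, not from the article)."""
import hashlib
import hmac
from datetime import date, timedelta

# Maximum age of a successful restore drill before an image is flagged.
# Assumed policy value for this example; the article names no interval.
MAX_RESTORE_TEST_AGE = timedelta(days=90)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(known_good: dict, last_tests: dict) -> dict:
    """Record taken when each image was created and last restore-tested.

    known_good maps image name -> bytes captured at creation time;
    last_tests maps image name -> date of the last successful restore drill.
    """
    return {
        name: {"sha256": sha256_hex(data), "last_restore_test": last_tests[name]}
        for name, data in known_good.items()
    }


def integrity_ok(current: bytes, expected_hex: str) -> bool:
    # Constant-time comparison of the hex digests.
    return hmac.compare_digest(sha256_hex(current), expected_hex)


def assess_images(current_images: dict, manifest: dict, today: date) -> dict:
    """Classify every manifest entry; images absent from the manifest are reported too."""
    findings = {}
    for name, record in manifest.items():
        if name not in current_images:
            findings[name] = "missing"               # nothing to restore from
        elif not integrity_ok(current_images[name], record["sha256"]):
            findings[name] = "integrity_mismatch"    # altered since capture: do not use
        elif today - record["last_restore_test"] > MAX_RESTORE_TEST_AGE:
            findings[name] = "restore_test_overdue"  # intact, but the procedure is untested
        else:
            findings[name] = "ok"
    for name in current_images:
        if name not in manifest:
            findings[name] = "unlisted"              # not in the trusted record
    return findings


def restorable(findings: dict) -> list:
    """Names of images that pass both checks and may be used in a restore."""
    return sorted(n for n, state in findings.items() if state == "ok")


# --- constructed sample data (hypothetical image names and contents) ---------
KNOWN_GOOD = {
    "hmi-station-01.img": b"HMI image v3.2 captured 2024-01-10",
    "plc-eng-ws.img": b"Engineering workstation image v1.9",
    "historian.img": b"Historian server image v5.0",
    "safety-plc-backup.img": b"Safety PLC project backup v2.1",
}
LAST_TESTS = {
    "hmi-station-01.img": date(2024, 5, 1),
    "plc-eng-ws.img": date(2024, 1, 15),   # drill not run for months
    "historian.img": date(2024, 5, 20),
    "safety-plc-backup.img": date(2024, 4, 2),
}
MANIFEST = build_manifest(KNOWN_GOOD, LAST_TESTS)

# What sits on the backup store today: one image silently altered, one gone,
# one that nobody recorded in the manifest.
CURRENT_STORE = {
    "hmi-station-01.img": b"HMI image v3.2 captured 2024-01-10",
    "plc-eng-ws.img": b"Engineering workstation image v1.9",
    "historian.img": b"Historian server image v5.0 ",  # trailing byte changed
    "unknown-usb-copy.img": b"???",
}
TODAY = date(2024, 6, 1)


if __name__ == "__main__":
    result = assess_images(CURRENT_STORE, MANIFEST, TODAY)
    for name, state in sorted(result.items()):
        print(f"{state:22} {name}")
    print("restorable:", restorable(result))
```

Run on the constructed store, only hmi-station-01.img is restorable: the historian image fails the digest check and must not be used, the engineering workstation image is intact but its restore drill is overdue, the safety PLC backup is missing, and the unlisted copy is reported so it can be investigated rather than silently trusted. Ordering the checks this way matters: integrity is tested before age, so an altered image is never reported as merely overdue.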






