Building a proactive OT incident response plan
June 2, 2021
The increasing frequency and sophistication of successful OT cyber-attacks should serve as a wake-up call to IT and OT security teams that the smallest hole in your defenses can serve as an attack path for adversaries.
Unfortunately, too many companies fail to plan for that worst day, often saying: “It can’t happen to us,” “we are just too busy,” or “our vendors will respond if we need them.” This reactive-only mindset often results in a far worse outcome.
Time and again we receive calls from panicked customers desperate to respond to a cyber incident. And far too often, it is not the first occurrence. The losses and impacts are real, and this reactive-only approach time and again results in deep, long-lasting damage. Even worse, companies try to hide what has happened, only to be exposed later.
On the other hand, a proactive approach to OT and IT cybersecurity helps preemptively identify security weaknesses; add processes to identify threats more rapidly; identify latent threats already on the system; improve cyber confidence; and may enable responders to more rapidly identify, isolate and contain, and remove future threats. Organizations deft at identifying and responding to cyber events create more confidence in the system, more confidence in operations, and in some cases, better their public reputation.
When it comes to attacks on OT systems, the longer systems are offline the more damage to a company’s bottom line. Worse yet, cyber physical systems in many plants can be an immediate threat to health and human safety, and even result in catastrophic failures that bring harm to those inside and outside the plant. Being able to quickly detect, respond, and recover from an attack are critical elements of a security program.
Tasks involved in reactive cybersecurity, such as patch management, log monitoring, and SIEM monitoring, are primarily focused on rectifying immediate incidents and preventing repeat attacks or technology disruptions from happening in the future. A proactive approach, however, uses tasks that may allow your organization to identify and prevent incidents before they ever become a threat. Proactive Incident Response (IR) services turn the traditional model on its head, leveraging the extensive knowledge of proven cyber experts to rapidly identify latent threats and potential threats. Additionally, IR services may be able to rapidly identify significant enhancements and configuration changes within your existing environment that improve your security posture.
In order to shift your security organization toward a proactive approach, your IR plan should incorporate a strategic balance of prevention, detection, and response. Further, given the cyber-physical consequences of OT systems, your IR plans and responders must be mindful of these consequences to prevent further impact and help ensure that attacker actions against controls have been identified and eradicated, providing confidence in safely returning to normal operations. But beyond a plan, there are critical components your organization should embrace in order to realize the benefits of being proactive.
Consider this scenario: One day your diligent IT systems engineer gets an alert. He calls down to the plant floor to have them check the system in question. The OT systems engineer checks. Nothing is wrong; everything is working as usual. The alert is marked a false positive. But was it?
Five days later, after several more alerts that have also been disregarded, the system is under a hacker’s control. The machines have stopped. Now what?
This, unfortunately, is a real and cautionary tale. During my many engagements I have found that most OT attacks do not originate on the OT networks themselves. More often, a hacker gains access through the corporate network and then works deeper through the network until he finds an opening to infiltrate an OT system.
What was missing from this scenario was collaboration and a better understanding of the threat from both sides of the proverbial table. Had the teams been “speaking the same language,” perhaps that alert would not have been so quickly dismissed as a maintenance, lubrication schedule, or condition monitoring system problem. They likely would have worked together and taken a little closer look at what was transpiring.
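One way to keep the scenario above from repeating, as an added example that is not part of the original post: a small triage check that flags any OT asset whose alerts keep being closed as false positives within a short window, so that the IT and OT teams review it together instead of dismissing the next one. The asset names, detection labels and alert records below are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample triage records: (timestamp, asset, detection, analyst disposition).
# Mirrors the scenario: one dismissed alert, then several more over five days.
SAMPLE_ALERTS = [
    ("2021-05-01T08:15:00", "PLC-LINE3", "unexpected_outbound_connection", "false_positive"),
    ("2021-05-02T09:40:00", "PLC-LINE3", "new_admin_logon", "false_positive"),
    ("2021-05-03T22:05:00", "PLC-LINE3", "unexpected_outbound_connection", "false_positive"),
    ("2021-05-04T07:30:00", "HMI-PACK2", "unexpected_outbound_connection", "false_positive"),
    ("2021-05-05T11:10:00", "PLC-LINE3", "config_change_outside_window", "false_positive"),
]

WINDOW = timedelta(days=5)   # how far back to look for earlier dismissals
THRESHOLD = 3                # dismissals on one asset within WINDOW that force a joint review


def find_repeat_dismissals(alerts, window=WINDOW, threshold=THRESHOLD):
    """Return {asset: [distinct dismissed detections]} for every asset whose alerts
    were closed as false positives `threshold` or more times inside `window`."""
    by_asset = defaultdict(list)
    for ts, asset, detection, disposition in alerts:
        if disposition == "false_positive":
            by_asset[asset].append((datetime.fromisoformat(ts), detection))

    escalate = {}
    for asset, events in by_asset.items():
        events.sort()  # chronological order so the sliding window is valid
        start = 0
        for end in range(len(events)):
            # Drop dismissals that fall outside the window ending at events[end].
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                # Keep the distinct detections so the joint IT/OT review sees the pattern,
                # not just a count.
                escalate[asset] = sorted({d for _, d in events[start:end + 1]})
    return escalate


def review_tickets(alerts):
    """Human-readable lines for the joint IT/OT review queue."""
    return [f"JOINT REVIEW {asset}: {', '.join(dets)}"
            for asset, dets in sorted(find_repeat_dismissals(alerts).items())]


if __name__ == "__main__":
    for line in review_tickets(SAMPLE_ALERTS):
        print(line)
```

With the constructed records, PLC-LINE3 crosses the threshold on the third dismissal, while the single HMI-PACK2 alert stays unescalated.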
Cross-training and collaboration between IT and OT provide much needed context and understanding to both sides of the business. On the OT side, engineers benefit from the IT engineers’ understanding of how the networks really work at a deep level. They understand the firewalls, endpoints, and much of the fundamentals of newer internet-enabled OT systems. The IT folks benefit from OT’s deep understanding of the machinery and mechanics that actually make the cash register run at their company. Ultimately, cross collaboration improves identification and accelerates issue resolution.
On the technology side, you should incorporate the tools you’ve been using on the IT side into the OT environment so you can achieve endpoint data protection, host intrusion detection, sensor deployment, and log aggregation. These tools give events their context and route them to the right place so they can be detected and responded to in a timely fashion.
For many, integrating these tools into an OT environment can be challenging without advance testing. The inability to safely test new technology is a common issue across most OT industries. A mistake in a real environment is very costly. But it’s also costly, and sometimes downright impossible, for a company to create a development environment.
Our OT Cyber Fusion Center (OT CFC) provides a fully functioning lab, with field control systems and logic controllers, that mimics your full environment down to the hardware, software, and network communication. Utilizing the OT CFC’s OT network environment, you have a place to safely test updates, upgrades, new technology, etc. at a fraction of the cost of setting up the infrastructure internally. In fact, we have clients who use our facility to test next-generation architecture for their sites. They have us set up their specific switchgear and switches in the lab, connect them all remotely, and then they can remote desktop in and do any type of testing before implementation.
Many organizations have a written IR plan to meet a compliance requirement. However, few proactively test the plan to see what might be missing (or just plain doesn’t work) if an actual event occurs. Testing your end-to-end recovery process gives you confidence that your process will work and is not just theoretical.
Regular tabletop and disaster recovery exercises, which we offer at our OT CFC, provide security teams with common scenarios to test their IR process against. Such exercises help uncover gaps that will hurt an organization most during an actual recovery when people don’t have the time or luxury to plan.
Gaps could include discovering:
In addition to testing, our OT CFC can provide a standardization check on an environment to identify potential problems. We find system weaknesses and help clients resolve them. These could be limitations in their detection capabilities, staffing, skills, and process.
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this article is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.
Copyright © 2021 Accenture. All rights reserved.