{"id":514,"date":"2021-12-05T18:32:08","date_gmt":"2021-12-05T15:32:08","guid":{"rendered":"https:\/\/zerontek.com\/zt\/?p=514"},"modified":"2022-06-27T11:32:02","modified_gmt":"2022-06-27T08:32:02","slug":"ics-cyber-incident-response","status":"publish","type":"post","link":"https:\/\/zerontek.com\/zt\/2021\/12\/05\/ics-cyber-incident-response\/","title":{"rendered":"ICS Cyber Incident Response"},"content":{"rendered":"\n<p>Incident response (IR) is very important for every ICS company. Being able to recover from and respond to cyber attacks and unexpected incidents is vital for businesses. Many organizations don&#8217;t have the resources or the skills to do IR. This is a summary of an <a rel=\"noreferrer noopener\" href=\"https:\/\/us-cert.cisa.gov\/ics\/Abstract-ICS-Cyber-Incident-Response-Plan-RP\" target=\"_blank\">incident response guide<\/a> published by CISA. This guide should help ICS organizations start in the right direction.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"406\" src=\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2021\/12\/ICS-IR-1024x406.jpg\" alt=\"\" class=\"wp-image-521\" srcset=\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2021\/12\/ICS-IR-1024x406.jpg 1024w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2021\/12\/ICS-IR-300x119.jpg 300w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2021\/12\/ICS-IR-768x304.jpg 768w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2021\/12\/ICS-IR.jpg 1399w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>Image Source: 1<\/figcaption><\/figure>\n\n\n\n<p><strong>Stage 1 &#8211; Planning [Proactive]:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Team organisation<\/li><li>Policies and procedures<\/li><li>Build a plan<\/li><li>Execute a plan<\/li><li>Report: system state and status<\/li><\/ul>\n\n\n\n<p>Distribution of team roles and responsibilities is vital in IR and cybersecurity. 
Their responsibilities towards incident response and their cyber security vision should be reflected in the organization&#8217;s policies and procedures. Execution and evaluation of the IR plan must follow, by running a simulation, to make sure it works and to adjust for unexpected behavior. Enabling system state and status reporting is crucial: in the case of an incident, logs and information are important. There are many approaches to get this information: intrusion detection and prevention technologies, configuration, network and device logging solutions can all provide value. Make sure that these methods are compatible with legacy ICS systems and that they don&#8217;t cause any problems.<\/p>\n\n\n\n<p><strong>Stage 2 &#8211; Incident prevention [Proactive]:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Tools and guidelines<\/li><li>Patch management<\/li><li>Vendor interaction<\/li><\/ul>\n\n\n\n<p>Organizations can prevent incidents from happening by following and implementing existing ICS security guides; there are plenty of them. Patching is also important because it can prevent an incident from happening and from recurring. Vendors should be responsible for providing technical support and fixing bugs for their customers. The relationship between organizations and their ICS vendors should be unified.<\/p>\n\n\n\n<p><strong>Stage 3 &#8211; Incident management [Reactive]:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Incident detection<\/li><li>Containment<\/li><li>Remediation<\/li><li>Recovery and restoration<\/li><\/ul>\n\n\n\n<p>Reporting incidents and cooperating with other ICS organizations can enhance threat detection. Detection can also be achieved by observation and by checking existing guides on how to detect symptoms. Detection automation tools can enhance detection and prevention (e.g. IDS). 
Usage of other IR tools such as traffic and network analysis can be useful.<\/p>\n\n\n\n<p>The primary goal of containment in ICS is to stop the spread of malware and to prevent further damage. Containment can also be achieved by controlling or stopping unauthorized access to an infected system. Malware containment can be done in 3 ways: usage of automated tools, halting services (undesirable) during an incident, and filtering and blocking certain network connectivity. Some methods don&#8217;t work with ICS systems. Caution must be taken when choosing the desired action; consult with ICS engineers.<\/p>\n\n\n\n<p>Removal of malware in an ICS environment can be achieved by: using automated eradication tools (antivirus), detection software, patch tools, or restoring a system to a previous infection-free state. Make sure the tools work for ICS systems. Caution is also important at this stage, because eradication could lead to modification or loss of ICS system files.<\/p>\n\n\n\n<p>The goal of recovery is to restore the system to its previous state, but it has to be better and more secure, especially against its previous weaknesses.<\/p>\n\n\n\n<p><strong>Stage 4 &#8211; Post-incident analysis and forensics [Proactive]:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Lessons learned<\/li><li>Recurrence and prevention<\/li><li>Forensics and legal issues<\/li><\/ul>\n\n\n\n<p>Every organization should conduct an in-depth analysis of the causes of incidents and their impact on its systems. Doing this exercise should provide lessons that can help organizations improve their cyber security and prevent repeating the same mistakes. Sharing these lessons with the ICS community should also be encouraged.<\/p>\n\n\n\n<p>To conclude, this summary is by no means technical. It&#8217;s a high-level approach to get the mentality right. You should fill the gaps and follow up with the following guides and best practices. Enjoy the process. 
<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Guides and resources:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a rel=\"noreferrer noopener\" href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800-184.pdf\" target=\"_blank\">NIST SP 800-184, &#8220;Guide for Cybersecurity Event Recovery&#8221;<\/a><\/li><li><a rel=\"noreferrer noopener\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-40\/rev-3\/final\" target=\"_blank\">NIST SP 800-40, \u201cCreating a Patch and Vulnerability Management Program\u201d<\/a>\u00a0<\/li><li><a rel=\"noreferrer noopener\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-61\/rev-2\/final\" target=\"_blank\">NIST SP 800-61, \u201cComputer Security Incident Handling Guide\u201d\u00a0<\/a><\/li><li><a rel=\"noreferrer noopener\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-82\/rev-2\/final\" target=\"_blank\">NIST SP 800-82, &#8220;Guide to Industrial Control Systems (ICS) Security&#8221;<\/a><\/li><li><a rel=\"noreferrer noopener\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-83\/rev-1\/final\" target=\"_blank\">NIST SP 800-83, \u201cGuide to Malware Incident Prevention and Handling\u201d<\/a>\u00a0<\/li><li><a rel=\"noreferrer noopener\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-86\/final\" target=\"_blank\">NIST SP 800-86, \u201cGuide to Integrating Forensic Techniques into Incident Response\u201d\u00a0<\/a><\/li><li><a rel=\"noreferrer noopener\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-92\/final\" target=\"_blank\">NIST SP 800-92, \u201cGuide to Computer Security Log Management.\u201d<\/a>\u00a0<\/li><li><a rel=\"noreferrer noopener\" href=\"https:\/\/resources.sei.cmu.edu\/library\/asset-view.cfm?assetid=6305\" target=\"_blank\">Handbook for Computer Security Incident Response Teams (CSIRTs) by Carnegie Mellon University<\/a><\/li><li><a rel=\"noreferrer noopener\" 
href=\"https:\/\/www.acq.osd.mil\/eie\/Downloads\/IE\/ACI%20TTP%20for%20DoD%20ICS_Rev_2_(Final).pdf\" target=\"_blank\">Advanced Cyber Industrial Control System Tactics, Techniques, and Procedures (ACI TTP)<\/a><\/li><li><a rel=\"noreferrer noopener\" href=\"https:\/\/www.plc-security.com\/\" target=\"_blank\">Top 20 Secure PLC Coding Practices<\/a><\/li><li><a rel=\"noreferrer noopener\" href=\"https:\/\/www.cisa.gov\/uscert\/sites\/default\/files\/recommended_practices\/final-RP_ics_cybersecurity_incident_response_100609.pdf\" target=\"_blank\">Developing an Industrial Control Systems Cybersecurity Incident Response Capability<\/a><\/li><li><a rel=\"noreferrer noopener\" href=\"https:\/\/www.youtube.com\/watch?v=76fuTjzuiLg&amp;t=1282s\" target=\"_blank\">CSS2017 Session 7 SANS Training &#8211; Incident Handling Process<\/a><\/li><li><a rel=\"noreferrer noopener\" href=\"https:\/\/github.com\/meirwah\/awesome-incident-response\" target=\"_blank\">Awesome Incident Response<\/a><\/li><li><a rel=\"noreferrer noopener\" href=\"https:\/\/www.cisa.gov\/sites\/default\/files\/publications\/Federal_Government_Cybersecurity_Incident_and_Vulnerability_Response_Playbooks_508C.pdf\" target=\"_blank\">Cybersecurity 3284 Incident &amp; Vulnerability Response Playbooks<\/a><\/li><\/ul>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>References:<\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\"><li><a href=\"https:\/\/us-cert.cisa.gov\/ics\/Abstract-ICS-Cyber-Incident-Response-Plan-RP\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/us-cert.cisa.gov\/ics\/Abstract-ICS-Cyber-Incident-Response-Plan-RP<\/a><\/li><\/ol>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Incident response (IR) is very important for every ICS company . Being able to recover from and respond to cyber attacks and unexpected incidents is vital for businesses. Many organizations don&#8217;t have the resources or the skills to do IR. 
This is a summary of an incident response guide published by CISA. This guide should [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,92,3,48],"tags":[99,7,96,6,98,93,11,97,47,89],"class_list":["post-514","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-ics-incident-response","category-ics-security","category-ot-security","tag-antivirus","tag-cyber-security","tag-ics-ir","tag-ics-security","tag-ids","tag-incident-response","tag-malware","tag-ot-ir","tag-ot-security","tag-patching"],"_links":{"self":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/514","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/comments?post=514"}],"version-history":[{"count":57,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/514\/revisions"}],"predecessor-version":[{"id":816,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/514\/revisions\/816"}],"wp:attachment":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/media?parent=514"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/categories?post=514"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/tags?post=514"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}