Test Your Incident Response Plan Before a Crisis to Help Protect Critical Infrastructure

Jack Pringle
3 min read · Aug 13, 2020

Organizations are now familiar with the risks to information technology (IT) systems posed by cyberattacks, malicious insiders, and human error. Hardware and software connected to IT networks and the internet are increasingly used to monitor and manage industrial and manufacturing assets and facilities. As a result, this operational technology (OT) exposes physical infrastructure and facilities to attack and compromise.

The National Security Agency (NSA) and the Cybersecurity & Infrastructure Security Agency (CISA) recently issued a Cybersecurity Advisory highlighting the threats that malicious cyber activity poses to critical infrastructure (CI), including commercial facilities, communications, energy, financial services, information technology, and transportation systems, by exploiting internet-accessible OT.

Testing an Incident Response Plan is Critical

The Advisory emphasizes the importance of testing an incident response plan (IRP) as part of protecting critical infrastructure facilities:

“In a state of heightened tensions and additional risk and exposure, it is critical to have a well-exercised incident response plan that is developed before an incident.”

Because security incidents present organizations with numerous and potentially damaging financial, operational, and legal risks, creating an IRP is an essential part of any organization’s security program.

An effective IRP provides a “playbook” to follow when an unexpected and unfamiliar event forces an organization to investigate and take action.

The Advisory also underscores several important aspects associated with exercising an IRP:

  • Conduct a tabletop exercise to test an IRP. During a tabletop exercise, members of the incident response team meet informally to discuss their roles and responsibilities during an incident. A facilitator presents one or more incident scenarios, such as a ransomware attack, a stolen laptop, or a power failure, to the group.
  • Include your public affairs and legal teams, in addition to IT, OT, and executive management. The tabletop exercise is often the first time all key members of the incident response team have met to discuss the contents of the playbook, or considered all the steps that might need to be taken in response to an event.
  • Make sure your IRP considers scenarios that address potential threats and risks. Attacks that might be simulated in a tabletop exercise include spearphishing, denial-of-service, and ransomware. All three of these attack types have been used against critical infrastructure assets.
  • Discuss key decision points in the IRP and identify who has authority to make key decisions and under what circumstances. Presented with these scenarios, the incident response team members can walk through the roles, responsibilities, coordination, and decision-making that would take place when an actual security incident arises.
  • Consider which third parties will support your IRP and review service contracts for incident response and recovery support functions. Use appropriate due diligence to evaluate any third party involved in incident response, or in your security program in general.

An effective IRP is a crucial part of a comprehensive security program to protect OT and critical infrastructure assets. A tabletop exercise is the most practical and effective way to bring an incident response team together and test the organization’s ability to address significant OT risks before a crisis arises.

Jack Pringle

Litigator, appellate advocate, regulatory and information technology attorney @adamsandreese, Information Privacy Professional (CIPP-US)