Many organizations are merging their Information Technology (IT) and Operational Technology (OT) environments under initiatives labelled Business Intelligence, Digital Transformation or Operational Excellence. Through this convergence, they hope to gain real-time insight into their industrial processes and improve their efficiency. But the same convergence exposes OT systems to threats that were once confined to the IT side, and managing that comes with its fair share of challenges.
Public Safety Canada, legally incorporated as the Department of Public Safety and Emergency Preparedness (PSEPC), is aware of these obstacles. To help Canadian organizations navigate this process, PSEPC published “Developing an Operational Technology and Information Technology Incident Response Plan” in partnership with the Communications Security Establishment and the IT/OT working group members. This blog post explores this publication and discusses how organizations can use it to address the IT-OT convergence.
Inside Public Safety Canada’s Guidelines
The purpose of Public Safety Canada’s publication is to help Canadian organizations develop a joint IT-OT Cyber Incident Response Plan (CIRP). Many organizations already have the means to resolve common security incidents that affect the IT side of their infrastructure, but they are far less prepared to address the corresponding risks to their OT, where an incident can have physical and safety consequences. Drafting a joint IT-OT CIRP helps organizations build the roles, procedures and preparedness needed to confront threats that span both environments.
Before organizations can do that, however, they need to lay some foundations first. This groundwork consists of the following steps:
Get an Idea of the Risks
First, organizations need to assemble an inventory of all the IT and OT devices connected to their network. They cannot protect what they do not know they have. One caveat a practitioner should keep in mind: active network scanning that is routine on the IT side can disrupt or crash sensitive OT devices such as PLCs, so OT inventory is usually built from passive traffic monitoring, configuration exports and engineering documentation. Second, they must conduct a risk assessment to gain a thorough understanding of the assets they have. They can then use the assessment’s results to determine how attackers could leverage vulnerabilities in those devices to harm the organization.
Get an Idea of the Organizational Structure
The aim here is to create an IT-OT Cyber Security Incident Response Team (CSIRT) that reflects the organization’s structure and needs. In general, a CSIRT consists of people and tools dedicated to responding to events, plus resources that can be called on to augment that core capability when needed. Organizations can shape this type of team by referring to the asset inventory and risk assessments as well as the size of the organization, the number of geographical locations, the systems and platforms that support the organization, the Incident Response Team (IRT) services that are to be offered and the technical expertise of the existing staff members. From there, organizations can choose the CSIRT members, including a manager and IRT responders.
Get an Idea of the Desired Approach
Organizations have two choices when it comes to structuring incident response. In a centralized approach, a dedicated CSIRT responds to all incidents within the organization. This team is usually located in the same building or complex as the organization’s IT and OT assets. Alternatively, organizations can use a decentralized approach consisting of a virtually distributed CSIRT whose members are located in different buildings, continents, time zones, etc. This approach is more flexible: members hold job roles outside of incident response and can assist when an incident arises. Ultimately, organizations can settle on an approach by running a tabletop exercise to figure out, or confirm, which model handles incident response best for them.
Develop the Joint IT-OT CIRP
Once organizations have laid the foundations above, they are ready to develop the joint IT-OT Cyber Incident Response Plan. They can formulate this strategy in the following sequence:
Assemble a Cross-Functional Team
To be effective, the cross-functional team needs to include key stakeholders from both IT and OT. Organizations can build such a team by reviewing existing emergency and crisis plans to see whether specific roles and responsibilities have already been defined. This review can be performed through workshops or interviews that evaluate how effectively different people respond, and by revisiting previous incident response scenarios to identify which roles and responsibilities proved essential.
Review Existing Incident Response Plans within the Team
Organizations can use these plans as a starting point for their IT-OT CIRP. Specifically, they can host open discussions or tabletop exercises to reflect on how those existing plans would work in the context of a joint response. If they don’t have IRPs, they can potentially find one on the web, turn to a vendor-provided solution or use a template from a cyber insurance underwriter. Any such template will need to be adapted to the OT side, where response actions that are routine in IT, such as isolating a host or pushing a patch, can interrupt a physical process.
Define an Incident
To begin, organizations should differentiate neutral cyber “events” from intentional or unintentional cyber “incidents” that in some way undermine the confidentiality, integrity and/or availability of a digital asset. From there, organizations can classify a security incident by which systems it affects (IT, OT or both) and what its potential impact might be, including, for OT, the impact on physical operations and safety. They can then use that classification to select an appropriate level of response.
Determine How Teams Will Assemble
The plan should define two teams. The first team, a Cyber Security Incident Response Team (CSIRT), should consist of IT and OT team members with the subject matter expertise to investigate and respond to incidents. The CSIRT should also have an incident commander who takes the lead on developing and maintaining processes, managing tools and assigning roles. The second team, a Senior Leadership/Crisis Management Team (SLT/CMT), should serve as the primary liaison in the event of an IT-OT incident by coordinating communications with external parties such as law enforcement. Organizations can fill this team with individuals from Legal, Finance, Corporate Communications and HR.
Determine How Teams Will Communicate
Organizations need a common communication plan for effective response. This plan should include escalation thresholds that define when to involve which stakeholders, rooms and conference bridges designated for emergencies, and alternate, out-of-band means of communication in case an incident takes down the organization’s usual channels (for example, if email or the corporate phone system is itself compromised).
Determine Necessary Response Actions
Organizations must be able to determine the nature of an incident or event and identify an appropriate response. First, they can conduct triage to figure out what happened by collecting forensic data and analyzing it to determine the nature of the threat. They also need communication channels in place to coordinate a feasible response, use the indicators of compromise (IOCs) identified during triage to apply countermeasures, and decide whether to halt operations if there is an imminent threat to the organization’s physical processes.
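The three steps above (defining an incident, setting escalation thresholds and deciding on response actions) are easier to review once they are written down as explicit rules. The following Python sketch is an added illustration, not content from the PSEPC publication or from this post: it separates neutral events from incidents by CIA impact, classifies each incident by the domains it touches (IT, OT or both) and its severity, applies an escalation threshold for the SLT/CMT, and flags when a halt of physical operations should be considered. The asset names, impact scale, thresholds and sample observations are all assumptions made up for the example.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Set


class Impact(IntEnum):
    """Assumed four-level impact scale; replace with the organization's own."""
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Asset:
    name: str
    domain: str                  # "IT" or "OT", taken from the asset inventory
    safety_related: bool = False  # OT asset whose failure can hurt people or equipment


@dataclass
class Observation:
    """One observed cyber event, scored against the CIA triad."""
    description: str
    assets: List[Asset]
    confidentiality: Impact = Impact.NONE
    integrity: Impact = Impact.NONE
    availability: Impact = Impact.NONE
    physical_threat_imminent: bool = False


@dataclass
class Verdict:
    is_incident: bool
    domains: Set[str]
    severity: Impact
    notify: List[str]
    consider_halting_operations: bool


def classify(obs: Observation) -> Verdict:
    """Event vs. incident, then severity, escalation and safety-stop decision."""
    cia = max(obs.confidentiality, obs.integrity, obs.availability)
    if cia == Impact.NONE and not obs.physical_threat_imminent:
        # No CIA impact and no physical threat: a neutral event. Log it only.
        return Verdict(False, set(), Impact.NONE, [], False)

    domains = {a.domain for a in obs.assets}
    severity = cia
    # Assumed rule: anything touching a safety-related OT asset, or posing an
    # imminent physical threat, is HIGH regardless of its informational impact.
    if obs.physical_threat_imminent or any(
        a.domain == "OT" and a.safety_related for a in obs.assets
    ):
        severity = Impact.HIGH

    notify = ["CSIRT"]  # the CSIRT is always engaged for an incident
    # Assumed escalation threshold: HIGH severity or an imminent physical
    # threat brings in the Senior Leadership / Crisis Management Team.
    if severity >= Impact.HIGH or obs.physical_threat_imminent:
        notify.append("SLT/CMT")

    return Verdict(True, domains, severity, notify, obs.physical_threat_imminent)


def triage(observations: List[Observation]):
    """Classify a batch and return (observation, verdict) pairs for incidents
    only, most severe first, so responders work the worst case first."""
    pairs = [(o, classify(o)) for o in observations]
    incidents = [(o, v) for o, v in pairs if v.is_incident]
    incidents.sort(
        key=lambda ov: (int(ov[1].severity), ov[1].consider_halting_operations),
        reverse=True,
    )
    return incidents


# Constructed sample inventory and observations (assumptions, not real data).
MAIL = Asset("mail-gateway", "IT")
LAPTOP = Asset("eng-laptop-07", "IT")
HISTORIAN = Asset("historian-db", "OT")
PLC = Asset("line3-plc", "OT", safety_related=True)

SAMPLE_OBSERVATIONS = [
    Observation("Phishing mail blocked at gateway, nothing delivered", [MAIL]),
    Observation("Credential stuffing on VPN, one account locked", [LAPTOP],
                confidentiality=Impact.LOW),
    Observation("Historian database unreachable after patching", [HISTORIAN],
                availability=Impact.MEDIUM),
    Observation("Unauthorized logic download from engineering laptop to line 3 PLC",
                [LAPTOP, PLC], integrity=Impact.MEDIUM, physical_threat_imminent=True),
]

if __name__ == "__main__":
    for obs, verdict in triage(SAMPLE_OBSERVATIONS):
        print(f"{verdict.severity.name:6} {sorted(verdict.domains)} "
              f"notify={verdict.notify} halt={verdict.consider_halting_operations} "
              f"| {obs.description}")
```

Run as a script, the blocked phishing mail is dropped as a neutral event, while the PLC logic download comes out on top as a HIGH incident spanning IT and OT that notifies both teams and flags a possible halt of the line. The useful part for an organization is not the particular thresholds but that they are written down where the CSIRT and the SLT/CMT can argue about them during a tabletop exercise.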
Determine How the CIRP Will Fit with a Crisis Management Plan
Organizations can augment their CIRP by linking it to an existing Corporate Crisis Management Plan (CMP) or Emergency Response Plan (ERP). They can do this by reviewing and modifying the definitions of what constitutes an emergency or crisis so that a cyber incident with physical consequences is covered, reviewing and adding new roles and responsibilities, updating the procedure for escalating a security incident into the crisis process, and using tabletop exercises and training to keep everyone informed.
Determine How to Maintain the Joint IT-OT CIRP
A CIRP is not a one-time engagement. Organizations need to keep the plan alive by holding regular review meetings that keep IRT members and management informed about its status, and by updating it as the asset inventory, risk assessment and team structure change. They can also regularly run communication checks and tabletop exercises to strengthen their ability to respond to an actual incident.
How ORIGNIX Can Help
ORIGNIX can help organizations design an integrated IT-OT cybersecurity incident response plan following Public Safety Canada’s publication. ORIGNIX delivers bespoke cybersecurity engineering services for inherently safer design and operation of industrial processes. We utilize systematic cyber and operational risk assessments with well-established techniques and templates. Our Process Risk Assessment (cyberPRA) methodology identifies potential gaps, hazards, vulnerabilities and independent protection layers associated with engineered industrial processes at plant facilities. Our cyber Operational Resilience Management (cyberORM) framework can help you fast-track and achieve your cyber-physical systems’ (CPS) desired functional and strategic risk tolerance level. For more information on how ORIGNIX can help, click here.
You can also learn about the Public Safety Canada publication’s strengths and limitations by reading Saif Shariff’s review article here.