Issue 9: Cyber Incident Response Planning

by Smart Grid Forums on April 9, 2021

Cyberweekly No.9

Recent research indicates that over 75% of enterprises and 48% of industrial organisations worldwide do not currently have a comprehensive Cyber Incident Response Plan to guide them through an attack in the most effective way. This presents a significant problem for organisations that are about to come under their first serious cyberattack given the rapid rise in data breaches since Covid-19 and the ‘preparedness’ conditions of cyber insurers when considering the viability of a claim.
 
With slight variations for IT and OT environments, a typical Cyber Incident Response Plan consists of 6 key elements: 1) Preparation, 2) Identification, 3) Containment, 4) Eradication, 5) Recovery, 6) Lessons Learnt.
 
These steps ensure that organisations have the right expertise on board to lead an effective response and recovery procedure, collect and make sense of forensic data under intense time pressure, stem the flow of the data bleed in as targeted a manner as possible, reset systems and software without destroying forensic evidence, transition back to normal operations with confidence, and apply the lessons learnt to strengthening their security posture, eliminating the possibility of a repeat incident, and continually improving their incident response procedure.
 
Most organisations that do have an Incident Response Plan in place tend to concentrate their efforts on Containment, Eradication and Recovery, whilst neglecting the Preparation, Identification and Lessons Learnt stages that would ensure a smoother, less chaotic process. Too many organisations accept as the norm the unreasonable loss of time in the initial stages of a response, caused by manual diagnosis of large volumes of equipment and applications and by the complexities of dealing with multi-vendor, multi-technology systems, when fine-tuning the incident response procedure would significantly reduce the time and cost of recovery.
 
So, what should organisations do to prepare more fully for cyber incidents on the horizon? 1) Get an incident response expert on board in advance of any incident arising to help create a robust plan; 2) Designate clear roles and responsibilities to each individual on your cybersecurity team to eliminate the chaos and confusion that often ensues in situ; 3) Be precise about the communication and reporting protocol during an incident to balance getting things done with keeping stakeholders informed; 4) Do not rush the forensics stage: the collection and provision of hard evidence is key to a successful ‘attribution’ process, to an insurance claim, and to eliminating repeat attacks; 5) Take time to reflect on the lessons learnt so that you can continually raise your defences, improve your surveillance, and fine-tune your incident response procedure.
 
Finally, know that we are on the precipice of major change! The rules of cyber attribution are being rewritten, and your incident response procedure provides the vital intelligence that policy makers, law enforcement agencies, and governments need to ensure that justice can be served in cyberspace in exactly the same way it is served in our physical spaces.
 
Please enjoy this week’s selection of news, views and resources below, and feel free to share this newsletter with colleagues in other departments, and peers in other organisations.
 

Kind Regards,


Mandana White
CEO | Smart Grid Forums

News, Views & Resources

REPORT: Crowdstrike. You’ve Been Breached, Now What? How to Respond to a Worst-Case Cyber-Scenario.
Companies need to be prepared to identify, respond to and mitigate a targeted attack with the same amount of effort that goes into implementing a disaster recovery plan. This document summarizes recommendations for responding to a breach and the expertise required to do so quickly and effectively. These recommendations were derived from decades of collective experience from the cybersecurity consultants at CrowdStrike, who work on the front lines fighting threat actors every day.
To read the report, click here!
 
REPORT: Dragos. Industrial Threat Detection and Response Technology and Services.
There is a critical shortage of staff with deep ICS cybersecurity knowledge across all industrial sectors today. This fact, coupled with the general lack of available ICS-focused cybersecurity technology solutions and increasing connectivity to enterprise networks and the Internet (IIoT/Industry 4.0), contributes to a broadening range of potential security vulnerabilities including: incomplete asset visibility, insufficient industrial cyber-threat detection, lack of situational awareness around what threats and vulnerabilities matter, limited industrial specific incident response planning and resources.
To read the report, click here!
 
REPORT: Secura. Red-Teaming in IT/OT Systems.
Security in the Operational Technology (OT) domain is a wide, wild landscape. With a large number of risks that belong to the category of ‘unknown unknowns’ and pushed by sophisticated cybercriminals and nation state threat actors, companies and states are combatting an ongoing flood of attacks. Dealing with such events requires more than a dedicated Security Operations Center (SOC); it requires hands-on training and learning by doing. An increasingly popular way of testing and training in a controlled way is ‘Red Teaming’.
To read the report, click here!
 
REPORT: Splunk. Top 5 SIEM trends to Watch in 2021.
Security information and event management (SIEM) technology has been around for a while, with the fundamental capabilities of the platform dating back to over a decade ago. Since then, SIEM solutions have become more of an information platform, with enterprise demands for better security driving much of the SIEM market. In the last year alone, demand for SIEM technology has remained strong, with threat management as the primary driver, and general monitoring and compliance secondary.
To read the report, click here!
 
VIDEO: The RAND Corporation. Accountability in Cyberspace. The problem of Attribution.
Recently, several cyber incidents with geopolitical implications have received high-profile press coverage. Identifying the responsible party behind malicious cyber incidents is a necessary prerequisite for holding these actors accountable, but there are many challenges that accompany cyber attribution. In this video we review how cyber attribution is handled, presented, and received today, and consider the value of an independent, global organization whose mission consists of investigating and publicly attributing major cyber-attacks. Hosted by mechanical engineer and science correspondent Shini Somara.
To watch this video, click here!
 
