Six Steps to Create a Strong OT Incident Response Plan

Operational Technology (OT) networks are all around us. They control almost every form of industrial operation, including critical infrastructure such as electric power, transportation, and oil & gas. Normally, this makes operations smoother and more efficient. However, the worst-case scenario for an OT network is dangerous: an attacker who gains control of one can disrupt power to a city, halt a pipeline that supplies fuel to millions of people, or push dangerous levels of sodium hydroxide into a town's water supply.

Cyber incidents have become too common, and as OT environments continue to grow and connect, so does their attack surface. To stay on top of the threat, asset owners and OT engineering teams know they must create solid OT incident response plans. The 2022 State of Operational Technology and Cybersecurity report from Fortinet indicated that 93% of organizations had at least one intrusion in the past year and 78% had three or more. The same report also indicated that 61% of intrusions impacted OT systems.

That is why you can't just protect and monitor your OT network; you have to plan for the very real possibility of compromise. And when a compromise occurs, your OT engineering team has one main task: restore operations to safe and acceptable levels in the shortest time possible. A well-planned and practiced incident response plan reduces the downtime associated with a cyber event. This article will help you start your incident response planning with six practical steps.

1. Assign a Capable Leader for Your Cyber Crisis Management Team

Discovering and controlling cyberattacks is a team effort. However, to ensure orderly operations during a cyberattack, someone has to take charge. Select someone who is in a leadership role, has a good understanding of your OT operations, has the authority to order containment actions such as isolating a network segment, and can work with your IT team.

Chaos is usually rampant during an attack, so a designated head matters. When an attack occurs, this individual should immediately assess its extent and possible damage and coordinate the sequence of actions that returns operations to normal. With a capable incident response leader involved in the recovery process, downtime is reduced, the extent of damage is mitigated, and the pathway to recovery is easier to navigate.

2. Build a Response Team of Individuals from Across the Organization

A cyber incident response team is tasked with discovering, containing, and responding to cyber events. A reliable OT incident response team should be on the ground to handle an OT cyberattack. If you properly assemble and train this team in advance, you reduce the scale of the crisis later on.

Your response team shouldn't be comprised solely of technology experts; in fact, it should include representation from across your business. Here's who you should include:

Information technology (IT) professionals: IT professionals will often already have an incident response plan in place for the enterprise, and they have experience with system administration. Your OT incident response plan should build on that experience rather than duplicate it.

OT specialists: These specialists, who have in-depth knowledge of the nuances and intricacies of OT systems, can assess what an event means for the physical process, what damage it has caused, and what a safe recovery looks like.

Executive representation:  Since cyberattacks can have far-reaching impacts for many parts of the business, it is important to include executives in the response process. This way, they are kept in the loop during an incident, streamlining the communication requirements across the organization.

Legal representation: A legal representative provides guidance on evidence collection and on regulatory notification obligations. This is important when working with authorities to possibly pursue charges against the attacker or when filing insurance claims.

3. Create an All-Inclusive Plan with Objectives and Targets

To serve its purpose effectively, a response team needs a clear-cut plan. A plan helps your team respond swiftly, effectively, and in a predetermined manner to a cyber threat. It improves coordination and ensures that your team's recovery efforts are not haphazard or in vain.

To be effective, your plan should include:

●     Defined roles and responsibilities for each party

●     Communication procedures, including an out-of-band channel in case corporate email or chat is itself compromised

●     Backup procedures for configurations, PLC and HMI project files, and historian data

●     Assessment of the risk and of the recovery process

●     A recovery plan

●     Thorough documentation

4. Get Consensus from Members of Your Team

Is everyone on the same page, or are there disparities in your plan? Can every member of the team carry out their part of it safely? Before finalizing your response plan, ensure consensus by running the procedure past your cyber response team. Ask for genuine opinions, suggestions, and criticisms, and change the plan as necessary.

Every member of the response team is key during a cyber crisis. Getting consensus ensures that every member of your response team knows the intricacies of the plan and agrees that it is the best possible response for your company. If your team feels that they helped construct the plan, they are more likely to take ownership and follow it carefully.

5. Fully Document the Process

Appropriate documentation is an essential part of your OT network cyber-recovery process. Proper documentation:

●     Helps test the viability of your organization's cybersecurity plan

●     Paves the way for updated guidelines and planning for future occurrences

●     Provides adequate information in case a legal process begins

●     Helps provide proof for insurance purposes

To capture any information you may need after the fact, the documentation lead on your response team should take detailed, time-stamped notes of the following:

●     The timeline of the attack

●     Team activities and rate of response

●     Investigations and discoveries

●     Recovery procedures
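Because these notes may later be handed to authorities or insurers, they are worth keeping in a form that shows they have not been altered after the fact. The following is an added example, not code from the original article: a small append-only incident log in Python in which each entry (timeline event, team action, finding, or recovery step) carries the SHA-256 hash of the previous entry, so that any later edit to an earlier note breaks the chain and is detected on verification. It also computes the "rate of response" as the minutes between the first timeline event and the first recorded action. The incident identifier, roles, and entries are constructed for illustration.

```python
"""Tamper-evident incident log (added example, not from the original article).

Each entry carries the SHA-256 of the previous entry, so the timeline, team
actions, findings and recovery steps of an OT incident can later be shown to
be unaltered. Incident id, roles and entries below are constructed samples.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional, Tuple

CATEGORIES = {"timeline", "action", "finding", "recovery"}
GENESIS_HASH = "0" * 64  # prev_hash of the very first entry


def _digest(entry: dict) -> str:
    # Hash every field except the digest itself, using a canonical JSON
    # encoding so identical content always produces the same hash.
    body = {k: v for k, v in entry.items() if k != "digest"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


class IncidentLog:
    def __init__(self, incident_id: str):
        self.incident_id = incident_id
        self.entries = []

    def record(self, category: str, actor: str, text: str,
               timestamp: Optional[str] = None) -> dict:
        """Append one note; actor is a role, not a person, so the record
        stays meaningful after staffing changes."""
        if category not in CATEGORIES:
            raise ValueError(f"unknown category {category!r}")
        ts = timestamp or datetime.now(timezone.utc).isoformat(timespec="seconds")
        prev = self.entries[-1]["digest"] if self.entries else GENESIS_HASH
        entry = {
            "incident": self.incident_id,
            "seq": len(self.entries),
            "timestamp": ts,
            "category": category,
            "actor": actor,
            "text": text,
            "prev_hash": prev,
        }
        entry["digest"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, int]:
        """Return (ok, index of first bad entry or -1). Detects edited text,
        reordered entries, and deleted entries (the chain no longer links)."""
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev or _digest(e) != e["digest"]:
                return False, i
            prev = e["digest"]
        return True, -1

    def minutes_to_first_action(self) -> Optional[float]:
        """Rate of response: minutes from the first timeline entry to the first action."""
        first = next((e for e in self.entries if e["category"] == "timeline"), None)
        action = next((e for e in self.entries if e["category"] == "action"), None)
        if first is None or action is None:
            return None
        t0 = datetime.fromisoformat(first["timestamp"])
        t1 = datetime.fromisoformat(action["timestamp"])
        return (t1 - t0).total_seconds() / 60

    def timeline(self) -> list:
        return [f'{e["timestamp"]} [{e["category"]}] {e["actor"]}: {e["text"]}'
                for e in self.entries]

    def export(self) -> str:
        return json.dumps(self.entries, indent=2)


def build_sample_log() -> IncidentLog:
    # Constructed entries covering the four note types the article lists.
    log = IncidentLog("OT-EXAMPLE-001")  # hypothetical incident identifier
    log.record("timeline", "SOC analyst", "Alert: unexpected setpoint write to PLC",
               "2024-05-01T03:12:00+00:00")
    log.record("action", "IR lead", "Declared incident; isolated engineering workstation VLAN",
               "2024-05-01T03:20:00+00:00")
    log.record("finding", "OT specialist", "Setpoint change traced to HMI session over vendor VPN",
               "2024-05-01T04:05:00+00:00")
    log.record("recovery", "OT specialist",
               "Restored PLC project from last known-good backup; process verified in manual mode",
               "2024-05-01T06:40:00+00:00")
    return log


def tamper_is_detected() -> bool:
    """Edit an earlier note after the fact and confirm verification flags it."""
    log = build_sample_log()
    log.entries[1]["text"] = "Declared incident; no containment taken"
    ok, bad = log.verify()
    return (not ok) and bad == 1


if __name__ == "__main__":
    sample = build_sample_log()
    print("\n".join(sample.timeline()))
    print("chain intact:", sample.verify(), "| minutes to first action:",
          sample.minutes_to_first_action())
    print("tampering detected:", tamper_is_detected())
```

The export should be written to storage the response team controls but attackers do not (for example, an offline notebook transcribed later, or a separate system that is not domain-joined); the hash chain proves the notes were not edited after the fact only if the exported file is also protected from replacement wholesale, so record the final digest somewhere independent, such as in the signed after-action report.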

6. Run Periodic Mock Drills

Brick-and-mortar companies are used to conducting fire drills, but what about cyberattack drills? You should drill your team on the response procedures needed to mitigate a cyberattack from time to time. This doesn't have to involve a working system if you want to avoid downtime; a tabletop exercise, in which the team walks through a realistic scenario step by step without touching production equipment, is enough to expose gaps in roles, contacts, and procedures.

Putting your response team through regular practice helps provide a deep knowledge of the content of the OT cyber-response plan, improves confidence, and smooths any rough edges. In other words, when a real cyber-emergency occurs, your team will know exactly what to do. 

Sharpening Your OT Incident Response Plan

It is a scary fact that cyberattacks on OT networks are on the rise. These attacks can cost you critical systems, money, and the safety of your employees. No organization should rest on its laurels; even if it has never been attacked, it is very likely an incident will occur in the future.

The best solution? Build an effective cyber-defense structure and an effective response team and plan that will protect you or mitigate attacks in the shortest time possible. With such a plan in place, even if an attack occurs, you can restore operations safely and quickly.

Don Dickinson

"Value of Water" evangelist: Smart Infrastructure advocate; Distinguished Toastmaster, All-things-music enthusiast

1y

Grant Vandebrake Great reminder that a comprehensive security plan includes clear procedures for responding to a cyber incident. With the passage of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022 that was signed into law earlier this year, it's now essential. To learn more: https://www.cisa.gov/circia
