Incident Response for Critical Industrial Organisations

Ryan McConechy

Chief Technology Officer

In the last few years, cyberattacks on industrial organisations have become mainstream.

Attacks on Oldsmar Water, JBS Foods and Colonial Pipeline have each demonstrated to the world the credible threat cyberattacks pose to industrial organisations, and the consequences that can happen when they occur.

As a result of this, many industrial organisations are actively working to strengthen the security of their networks and build out incident response plans to help them prepare for attacks and navigate them safely.

But what does this planning look like and what are the key areas industrial organisations must focus on to improve their response to future cyberattacks?



Understanding the unique nature of industrial plants

Industrial organisations are the pillars of a smooth-running society. They manufacture food, operate oil and gas supplies, or they run wind farms or nuclear plants to generate energy. Because of the critical processes they facilitate, cyberattacks on their systems can have devastating consequences on societies.

When it comes to building out incident response plans, industrial organisations therefore must prepare for attacks that disrupt their systems and work to minimise losses, with a focus on three key issues: employee and civilian safety, environmental consequences, and the availability of their services. 

Employee and civilian safety

Much of the machinery in industrial plants is now operated through automation, which means that if security is not embedded properly, criminals can reach critical OT systems remotely using the IT network as a conduit. The impact could be the switching off or tampering of processes, such as nuclear reactors or the levels of chlorine in water, which would directly affect the safety of employees and civilians.

A safety-related incident occurred in the summer of 2022 at an Iranian steel manufacturer when the hacking collective Predatory Shadow launched an attack on its infrastructure, causing a fire to break out on the plant floor and endangering lives. This is a situation all industrial organisations want to avoid.

Furthermore, given that many of the functions industrial organisations operate impact the public, they also must ensure no cyberattacks could affect the safety of civilians. This was a situation Florida residents managed to avoid in 2021, when criminals breached the networks of Oldsmar Water and poisoned the water supply. Fortunately, the attack was spotted before the water supply reached civilians, but it did highlight the dangers that could very easily occur.

The environment

Because of the harsh chemicals and hazardous gases within industrial plants, attacks on their systems could also impact the environment.

If attackers were to alter systems, cause physical damage to plants, or cause a fire on a remote wind farm by changing the speed of wind turbine rotors, this has the potential to cause serious and very harmful impacts to the environment.

This is another situation organisations must strive to avoid.

The availability of services

When cyberattacks target enterprise IT networks, this can cause digital outages. But within industrial environments, outages can directly impact societies in the way of food, oil, gas, electricity or water shortages.

When industrial organisations modernise their plants through automation, they must ensure that no technical or digital outages would interrupt physical processes, because the unavailability of their services could have devastating impacts on civilians.

If food or gas supplies were suddenly halted, it wouldn’t be long before chaos erupted within societies.

Industrial incident response plans

When building out plans, industrial organisations need to assess their environments and identify the different safety, environmental and availability issues that can occur in their networks and then work to minimise disruptions.

Working to minimise disruptions should be a mix of digital and physical measures: cybersecurity solutions to prevent cybercriminals from reaching industrial networks, but also maintaining and auditing physical controls which allow organisations to manage and limit damage even when attackers do get in. Segmentation of systems is key to a defence-in-depth solution that now incorporates the OT network.

For instance, what measures can be put in place to protect the safety of employees or prevent environmental spillage if a system is compromised? These could be technical measures such as cyber defensive tools and network segmentation, but also ensuring that physical safety shutdown systems are segmented from the IT networks, so they cannot be accessed or compromised by unauthorised intruders.


Teams also need to take steps to assess risks that could impact the availability of their services. Are there technical measures in place to prevent attackers compromising systems? These technical measures should focus on layering all connected Operational Technology (OT) with cybersecurity defences and keeping them up to date with vulnerability patches. It is also essential to map the different routes attackers could take to reach OT and work to close these pathways. Ideally, IT and OT networks should be carved up into Purdue layers, with limitations enforced to prevent, for example, direct traversal from internet edge systems to OT systems; all with the aim of preventing lateral movement.
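As an added illustration of the Purdue-layer limitations described above (example code written for this article, not a tool from the author or his company), the following script models a firewall rule set as flows between named zones and flags any rule that lets traffic cross the IT/OT boundary without terminating in the industrial DMZ, that exposes a safety system to another zone, or that lets the internet edge talk to anything other than the enterprise zone. The zone names, level numbers and sample rules are all constructed assumptions.

```python
"""Purdue-model segmentation check for a firewall rule set (constructed example)."""
from dataclasses import dataclass

# Assumed zone-to-Purdue-level mapping; labels are hypothetical.
PURDUE_LEVEL = {
    "internet": 5.5,   # internet edge, above the enterprise network
    "enterprise": 4,   # Level 4/5 business IT
    "idmz": 3.5,       # industrial DMZ between IT and OT
    "site_ops": 3,     # site operations, historians
    "control": 2,      # HMIs, engineering workstations
    "plc": 1,          # controllers
    "safety": 0,       # safety instrumented systems, kept isolated
}
IT_OT_BOUNDARY = 3.5   # every IT<->OT flow must terminate in the iDMZ


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: int


def violations(rules):
    """Return (rule, reason) pairs for rules that break the segmentation policy."""
    found = []
    for r in rules:
        s, d = PURDUE_LEVEL[r.src], PURDUE_LEVEL[r.dst]
        lo, hi = min(s, d), max(s, d)
        if lo < IT_OT_BOUNDARY < hi:
            # Neither endpoint is the DMZ, so the rule skips the boundary hop.
            found.append((r, "crosses IT/OT boundary without DMZ hop"))
        elif "safety" in (r.src, r.dst) and r.src != r.dst:
            found.append((r, "safety system exposed to another zone"))
        elif r.src == "internet" and r.dst != "enterprise":
            found.append((r, "internet edge reaches past the enterprise zone"))
    return found


# Constructed sample rule set: three compliant flows and three that skip layers.
SAMPLE_RULES = [
    Rule("enterprise", "idmz", 443),   # OK: IT talks to the DMZ only
    Rule("idmz", "site_ops", 1433),    # OK: DMZ replicates to the historian
    Rule("enterprise", "control", 3389),  # BAD: RDP straight from IT to an HMI
    Rule("internet", "plc", 502),      # BAD: Modbus exposed to the internet
    Rule("control", "plc", 502),       # OK: HMI to controller within OT
    Rule("site_ops", "safety", 502),   # BAD: safety system reachable from Level 3
]

if __name__ == "__main__":
    for rule, reason in violations(SAMPLE_RULES):
        print(f"{rule.src} -> {rule.dst}:{rule.port}  {reason}")
```

Running it prints the three offending rules with the reason each breaks the layering, which is the kind of gap the attack-path mapping in the paragraph above is meant to surface.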


Once organisations have carried out these assessments and closed gaps to minimise losses, it is essential to rehearse their response to different incidents. These ‘fire drill’ learning and training exercises give the organisation an opportunity to test its awareness and readiness against different attack types, for instance ransomware, so it understands exactly what it stands to lose and can then work to minimise those losses.


In this planning everyone should have pre-allocated roles and responsibilities so they can step into action straight away. This information must also be put into the physical incident response plan, along with incident response team member contact details, so that when real incidents do occur, everyone can be contacted immediately, and all team members know their roles and responsibilities. It is also essential that team members familiarise themselves with the incident response plan and know where to find a physical copy of the document, should their IT infrastructure ever become compromised.

Incident response planning is essential for all industrial organisations today and the key focuses must be to prioritise employee and civilian safety, minimise environmental damage and maintain availability.

Once industrial organisations have identified how threats can impact these three critical areas, they must work to identify weaknesses within their infrastructure and then address them to minimise damage.

By carrying out this planning, industrial organisations will be prepared for attacks and know how to respond to them, so they can minimise disruptions, while keeping employees, civilians and the environment safe.
