Incident Response: Learning as you go is Expensive

Most Industrial Control System (ICS) networks require Incident Response (IR) procedures. Generally, these procedures fulfill regulatory requirements and do little to actually prepare the organization for handling an incident. Additionally, too many IR procedures rely on government programs (CERTs, committees, investigative boards). These programs may not provide the resources required and should not be considered a single point of response. This lecture will concentrate on concepts organizations should implement that decrease required resources for IR, arm responders, work with 3rd parties, and facilitate a return to operations.

This lecture will not cover general IR planning but will instead focus on IR considerations within ICS. Network topologies, workflows, and approved actions differ from those of regular IT networks. Without an understanding of these differences, rash decisions during IR can have a greater negative impact than the incident itself.

Key takeaways include action items an organization should consider when creating cybersecurity policies, IR procedures, and contract negotiations with 3rd party security vendors.

Learning Objectives

This session will arm participants with knowledge of common IR procedural shortfalls through case studies and examples from the field. This session will provide attendees with specific checklists for consideration when drafting IR procedures. This session will give attendees action items for enhancing existing IR procedures.

Business Impact

Planning around internal resources for incident handling is required within ICS environments and is especially important because the consequences of poor decisions can include loss of safety and even loss of life.