Operational technology (OT) cyber risk is rising, with more threat actors and incidents targeting manufacturers every day. Even when organizations invest in preventive OT cybersecurity controls, incidents remain inevitable. Combined with emerging policy and regulations worldwide that call for greater executive accountability and more corporate transparency in reporting cybersecurity events, effective incident response has never been more crucial to industrial cyber resilience.
One of the most important considerations for pharmaceutical manufacturers to keep in mind is that OT cyber incident response is not a simple add-on to an existing IT incident response program. The unique nature of OT environments requires an incident response plan and program tailored specifically to OT risks, which differ significantly from IT risks. The stakes are exceptionally high when cyber incidents strike industrial environments because OT systems are inextricably tied to the physical world. Cyber incidents that affect these systems can have very real physical consequences, threatening human and environmental safety. OT cyber incidents can also have a material impact on operational uptime, so every minute an incident remains ongoing can directly affect revenue. Consequently, the risk management goals of an OT incident response team differ substantially from those of an IT-focused team.
In addition to the goals and risk calculations being different for OT incident response, there are important differences in how teams assess and respond to an OT incident. Responders must be able to:
- collect forensic data from systems using methods that respect their stricter operational and uptime requirements, rather than the collection methods used on IT hosts
- triage systems without shutting them down or disconnecting them, as IT systems can be during an ongoing incident
- examine activity on systems that use protocols and technology into which typical IT forensic tools offer little or no visibility
- bring enough OT network expertise to recognize what abnormal activity looks like, and to know when their own actions may do more harm than good to system stability
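To make the last two points concrete, here is a small added example (not code from the original article or from Dragos) of the kind of passive triage an OT responder performs instead of logging into or disconnecting a controller: decode captured Modbus/TCP requests from a network tap and flag write operations coming from hosts that are not the known engineering workstation. The frames, the IP addresses, and the allowlist of authorized writers are all constructed for the example; a real workflow would feed the parser from a packet capture rather than from inline byte strings.

```python
"""Passive triage of captured Modbus/TCP requests.

Added illustration, not Dragos code. Everything below (frames, hosts,
allowlist) is constructed for the example. Only client-to-server requests
are handled; responses and other OT protocols would need their own decoders.
"""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Modbus public function codes that only read process data ...
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
# ... and those that change controller state (the ones that can move equipment)
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}


@dataclass
class ModbusRequest:
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function_code: int
    address: Optional[int]
    is_write: bool

    @property
    def function_name(self) -> str:
        return (READ_FUNCTIONS.get(self.function_code)
                or WRITE_FUNCTIONS.get(self.function_code)
                or f"FC {self.function_code}")


def parse_modbus_request(src: str, dst: str, payload: bytes) -> ModbusRequest:
    """Decode the MBAP header and the start of the PDU; reject malformed frames."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    # MBAP header: transaction id, protocol id (always 0 for Modbus), length, unit id
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus/TCP")
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match frame size")
    fc = payload[7]
    # Read and write requests carry a 16-bit starting address after the function code
    address = struct.unpack(">H", payload[8:10])[0] if len(payload) >= 10 else None
    return ModbusRequest(src, dst, tid, unit, fc, address, fc in WRITE_FUNCTIONS)


def triage(frames: Iterable[Tuple[str, str, bytes]],
           allowed_writers: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (kind, source, detail) alerts; malformed frames are reported, not dropped."""
    alerts = []
    for src, dst, payload in frames:
        try:
            req = parse_modbus_request(src, dst, payload)
        except ValueError as exc:
            alerts.append(("malformed", src, str(exc)))
            continue
        if req.is_write and src not in allowed_writers:
            alerts.append(("unauthorized_write", src,
                           f"{req.function_name} to unit {req.unit_id} "
                           f"address {req.address} on {dst}"))
    return alerts


# Constructed capture: (source, destination, raw Modbus/TCP payload).
PLC = "10.1.2.5"                     # assumed controller address
ALLOWED_WRITERS = {"10.1.1.20"}      # assumed engineering workstation
SAMPLE_FRAMES = [
    # HMI polling 10 holding registers: normal read traffic
    ("10.1.1.10", PLC, bytes.fromhex("000100000006010300000 00a".replace(" ", ""))),
    # Engineering workstation writing one register: authorized write
    ("10.1.1.20", PLC, bytes.fromhex("000200000006010600100001")),
    # Unknown host writing two registers: the event a responder wants surfaced
    ("10.1.1.99", PLC, bytes.fromhex("00030000000b011000100002040000 0000".replace(" ", ""))),
    # Frame with a non-zero protocol id: not valid Modbus/TCP, reported as malformed
    ("10.1.1.99", PLC, bytes.fromhex("000400010006010300000001")),
]

if __name__ == "__main__":
    for kind, src, detail in triage(SAMPLE_FRAMES, ALLOWED_WRITERS):
        print(f"{kind:18s} {src:12s} {detail}")
```

The point of the allowlist is that in an OT network the set of hosts that legitimately write to a controller is small and stable, so a write from anywhere else is abnormal even though it is a perfectly valid protocol message. Running this over a capture is also safe for the process: nothing here touches the PLC.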
Every organization's OT incident response plan (IRP) will look slightly different, but most plans should offer guidelines, documentation, and best practices for the organization in nine important areas:
- Roles and responsibilities
- Risk management, triage, and escalation decision making
- IR lifecycle model (NIST SP 800-61, SANS PICERL, etc.)
- Categories of incidents and workflows
- Isolation plan
- Communication plan
- Regulatory and legal requirements
- Internal and external resources and contacts
- Supporting forms and documentation
Writing and continuously updating a consequence-driven OT IRP should be a highly collaborative affair. Because executing the plan will depend on executive, IT, OT, and cybersecurity staff, all of these stakeholders need to take part in writing it and lend their expertise. Incident response experts covered this and more valuable advice in a recent Dragos report and webinar.