Continuing with the issues raised in the previous article 'Good practices for the recovery of industrial systems (I)', we know that the evolution of cyber-attacks is a very present concern in the day-to-day life of companies. For this reason, the need to create response plans for the prevention of and action against possible cyber attacks has also been on the rise.
In the following, the different possibilities for the creation and implementation of the response plans described above will be explained from different approaches. For this purpose, the different alternatives, legal frameworks and regulations in force, which can serve as a reference for the protection and restoration of industrial systems, will be analyzed.
Types of response plans
There are several types of response plans that organizations can develop to respond to various types of incidents. Some examples of common types of response plans are listed below:
- Disaster Recovery Plan (DRP): a formal document created by an organization that contains detailed instructions on how to respond to unplanned incidents such as, natural disasters, power outages, cyber-attacks, and any other disruptive events. The plan contains strategies on how to minimize the effects of a disaster, so that an organization remains operational or can quickly resume its major operations.
- Business Continuity Plan (BCP): describes the steps an organization should take to ensure continuity of operations in the event of any type of incident. It includes procedures for restoring critical systems and data, and for maintaining essential business functions.
- Incident Response Plan (IRP): details the procedures to be followed when responding to a specific type of incident, such as a cyber-attack or natural disaster. The plan typically includes procedures for identifying and containing the incident, as well as for conducting forensic investigations and restoring normal operations.
- Cyber Incident Response Plan (CIRP): like IRPs, a CIRP is a document that describes the procedures to be followed when responding to a specific type of incident, in the case of CIRPs, they are cyber in nature as compared to IRPs.
Once these points have been established and the criticality of these systems has been analyzed, as indicated in the previous article, the place where we will store the information with which to restore the systems themselves must be studied, analyzing which is most beneficial and optimal for the defined infrastructure. Among the different types we find the following:
- Cloud: all the company's IT assets are stored in the cloud, as backups, it can be done internally, as part of the IT team's tasks, or hire an external BaaS (Backup As A Service) service.
- Virtualized: this type of disaster recovery plan is based on the implementation of a virtualized environment (such as that offered by DRaaS), so that machines, OS, software and databases are replicated virtually and come into operation when the plan is activated, allowing the company's activity to continue in a short period of time.
- Network: this is a disaster recovery plan focused on rescuing the operation of the company's internal network, in case it has been affected and prevents the normal operation of the company.
- Data Center: this disaster recovery plan focuses on the facilities and infrastructure of the data center, that is, on the physical part, such as: the building, physical security measures, power supply, etc. It also evaluates the consequences that a disaster would have on it, as well as the actions, measures and resources needed to minimize the impact and return to normal as soon as possible.
Cybersecurity metrics and standards for response plans
Currently, there are different regulations that include different guidelines to improve the resilience of an organization, which to a greater or lesser extent can be used to create action plans for cybersecurity incidents.
These regulations are included in the 'European Network and Information Security Agency' (ENISA), where we find seventeen detailed methodologies.
- Regulations. Source -
A widely recognized standard is the 'National Institute of Standards and Technology Cybersecurity Framework' (NIST). The framework provides a set of guidelines for managing cybersecurity risks and includes a section on incident response that organizations can use as a basis for creating a response plan of their own.
Another benchmark incident response standard and protocol is ISO/IEC 27035 for information security incident management. This standard provides a framework that includes guidelines for incident preparedness, detection and analysis, containment, eradication, recovery and lessons learned.
Within the European framework we also find the current NIS directive, this was published in 2016, but at the end of 2022 it was updated to its second version NIS2. The latter, presents new requirements applicable to smaller companies. Also, a number of points within incident management and business continuity have been updated, which improve the standard in terms of resilience for most European companies.
As for Spanish laws and regulations, there are different measures established from existing European decrees or directives. One example is the PIC law (Critical Infrastructure Protection), which includes several specific regulations within the critical systems environment. One point to take into account in this law is its focus on the protection and restoration of critical infrastructures against possible attacks. Therefore, it prioritizes a higher level of resilience, given the importance of the systems themselves and the risk involved in a possible incident that makes the continuity of their operation impossible.
When developing a response plan, organizations should consider the specific needs and regulations that apply to their industry, as well as the types of data and systems they possess. Each sector may have specific regulations that establish requirements and expectations for information protection and cybersecurity incident management.
Therefore, a prior study of the different applications of the existing regulations is recommended, as well as the analysis of the criticality of the systems themselves in order to apply the concepts in a clear way. In this way, it is possible to have a recovery plan with the needs imposed by the organizations.