Good practices for the recovery of industrial systems(I)

Posted date 13/07/2023

Autor

INCIBE (INCIBE)

Good practices for the recovery of industrial systems(I) decorative image

The evolution of cyber-attacks in recent years has been very significant, attackers are now more prepared and focus on very specific targets and with a great impact on companies or organizations in industrial environments. As technology has advanced, so have the methods used by attackers to gain unauthorized access to sensitive information and systems.

Currently, there is a growing trend in the sophistication of attacks. For example, attackers are using more advanced malware such as ransomware and APT (Advanced Persistent Threat) attacks to evade detection of the attack and remain active on the victim's system for extended periods of time. In addition, attackers are using tactics focused on the worker, rather than on the devices, among these techniques we find a large number of attacks based on social engineering, such as phishing, seeking to obtain credentials or access permissions to different computers.

Attacks can result in the loss or disclosure of confidential data, financial losses, damage to the organization's reputation and disruption of industrial operations. In some cases, the consequences can be severe enough to force a company to shut down.

In light of these trends, organizations must be proactive in their cybersecurity efforts. This means implementing strong security measures, such as firewalls, intrusion detection systems and encryption, as well as training employees on how to identify and avoid common attacks such as phishing. In addition, organizations should have an incident response plan in place in the event of a security breach to minimize damage and resume normal operations as soon as possible.

Recovery plans

This procedure is the one to be followed by the company in the event of a serious incident affecting its infrastructure. In other words, it is a protocol that includes the actions to be taken and the resources required to restore the company's systems and data, so that it can return to normal operations as soon as possible after suffering a disaster, whether natural, due to human error or as a result of a cyber-attack.

Image Components or actions of a recovery plan
- Components or actions of a recovery plan -

The main components of a disaster response plan typically include:

Preparedness: This determines what tools or procedures should be performed before the incident is detected to minimize its potential impact. It may include monitoring and auditing of production systems, remote connections and published services.
Detection and analysis: Covers all measures to be taken immediately after a cyber-attack occurs. These may include detection of the scope of the incident itself, response actions, and associated responsible personnel.
Containment, resolution and recovery: Includes a series of actions and protocols to be executed to return to normality after the incident. It may include the repair or replacement of the affected devices, installation of backup copies and restarting of the affected programs. It also includes actions to be taken to contain the attack while measures are being put in place to restore normality and resolve the incident.
Mitigation or actions after incident closure: This defines the various proposals to be made to minimize the impact of future incidents by reducing vulnerabilities and improving resilience. These can be improvements in security measures, updates in the software used and better quality of backup copies, among other solutions.
Incident reporting and closure: This is the definition of protocols for the management of reports and results, either during or after the incident. In addition, the policy for storage and disposal of the information is used for possible legal matters, such as complaints and claims by the client or a future investigation of the incident itself. These reports are also used by the company itself to have a history of the steps taken before, during and after the incident.

General guidelines for a recovery plan

Prior to the creation of any response/recovery plan, several key factors must be taken into account to identify the objective, scope, initial premises, predetermined strategies and actions for the recovery of services after a cybersecurity incident. The most relevant points to be taken into account are defined below:

Identify critical assets: Identify the criticality of systems and data of the industrial process in order to prioritize their protection. This will allow focusing response efforts on the most important areas and protecting the most sensitive data. In the industrial environment, an asset inventory is of vital importance together with a risk analysis for the categorization of the criticality of all industrial assets of the organization.
Development of response procedures: In this step it is necessary to clearly define the steps to be taken when a cyber-attack occurs. This may include procedures for communicating with stakeholders, actions to contain the attack and conduct forensic investigations, and also customized plans depending on the asset and its criticality.
Establish roles and responsibilities: Define the assignment of specific roles and responsibilities to team members or organization members related to cyber incidents.
Periodic testing and updates: Create a schedule for periodic updates and testing to ensure the effectiveness of the response plan. This may involve conducting practical exercises or simulated attacks to identify any potential improvements or vulnerabilities in the plan.
Maintain an appropriate communication strategy: Having a clear communication strategy during incident response is crucial. It should include a list of stakeholders and the type of information they should receive, as well as how to communicate with each other. If the incident is critical, communications should be confidential.
Have an incident command center: Establish an incident command center (ICC) as a central location for incident response activities and decision making.
Regular cybersecurity awareness training for employees: Employees need to be aware of the risks and know how to respond to potential attacks and security incidents.
Cybersecurity incident response practices: It is important to have agreements and protocols for incident response coordination with other organizations and government agencies in the event of critical attacks, so tests or rehearsals simulating potential cybersecurity incidents should be conducted.
Disaster recovery plan: Implementation of a disaster recovery plan to ensure that critical systems can be quickly restored in the event of a cyber-attack.

Conclusions

Security incidents are situations that can cause serious damage to the target organization and that is why recovery plans are one of the most relevant aspects to ensure rapid incident management. Moreover, not only is the use of the plan vital, but its development and content must be analyzed and developed according to the characteristics of the organization and its assets.

Currently, cybersecurity incidents occur in ICSs, which is why, throughout this article, we have sought to highlight the need for all organizations, whether they are in the industrial sector or not, to have different plans for recovery from cybersecurity incidents.

Content produced in the framework of the Spanish Government's Recovery, Transformation and Resilience Plan financed by the European Union (Next Generation).

Etiquetas