Coordinated Response
Services and tools for incident response management

Insight from Incident Response for Industrial Control Systems

ENISA examined Industrial Control Systems (ICS) cybersecurity incidents to identify lessons learned. Many of these lessons apply to any high-value system.

ENISA – the EU Network and Information Security Agency – examined cybersecurity incidents associated with Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems. The findings were published in a white paper: Can We Learn from Industrial Control System Security Incidents?, ENISA web site, October 2013. The link references a press release that provides the background and a summary of the paper, as well as access to the white paper itself.

ENISA’s Key Findings from ICS Incidents

ENISA’s key findings apply to many high-value information systems:

  • Coordinate cyber and physical security response processes.
  • Understand the overlap between cyber and physical critical incident response teams.
  • Increase awareness of the location of digital evidence and the appropriate actions to collect and preserve it.
  • Design and configure systems to enable digital evidence retention.
  • Complement the existing skills base with ex post analysis expertise.
  • Increase inter-organizational, public/private, and cross-country collaboration efforts.

All of these practices should be addressed in your incident response plan if you are dealing with a high-value system.

Coordinated Response

Let us help you with a response plan review that (1) includes physical security as an extension of your incident response team; (2) addresses evidence collection and control; (3) identifies ex post analysis expertise for more effective incident review; and (4) recognizes inter-organizational communications requirements and opportunities.

A Data Breach and Insider Threats

Insiders pose a unique threat. A data breach involves legal issues. Does your incident response plan reflect the required actions?

The Verizon 2013 Data Breach Investigations Report provides insight into the role of insiders when data is breached.

Profit-driven organized crime groups were tied to over half of all breaches.

Attackers targeted mostly finance, retail, and food service industries. Attackers profit from selling payment data or personal information. Almost all states and the District of Columbia have data breach laws governing this type of incident.

State-affiliated Actors were linked to 21% of all breaches.

Here the attackers were seeking intellectual property – trade secrets, sensitive internal data, or systems information. The targeted industries were Manufacturing, Professional Services and Transportation. This raises issues of liability or economic loss.

There are two important statistics associated with cyber-espionage campaigns.

  • First, over 95% started with a phishing attack. Companies need to take their anti-phishing controls seriously.
  • Second, smaller companies, those with fewer than 10,000 employees, were attacked 4 times more than larger companies. Small professional services or law firms were often targets due to the sensitive information they held for their clients.

Malicious Insiders account for 14% of data breaches.

But Verizon also states that External Actors are involved in over 90% of all data breaches. So, often, an external actor recruits or coerces an insider.

Risk Awareness is the first step.

Include insider threats and the potential impact of a data breach in your risk assessment.

An Incident Response Plan is the second step.

When dealing with insider threats, consider the legal and human resource issues. Managing employees or contractors involves legal and regulatory issues. When dealing with a data breach, appropriate legal steps need to be followed.

Coordinated Response

Coordinated Response can help you develop a plan that anticipates the unique actions needed to address a data breach or an insider threat.