SANS - Security Program Maturity Quick Start Guide v0.1
Security Program Maturity Quick Start Guide v0.1

SANS ICS
By Dean Parsons & Don C. Weber
ics.sans.org
[email protected] | [email protected]

This guide covers the basics of using the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) (https://www.nist.gov/cyberframework) in order to understand the maturity of a security program implemented to protect control environments in any industrial control sector.

This guide concentrates on seven NIST CSF categories to help leadership, engineers, and administrators gauge the maturity of the current program and prioritize risk reduction.

How to Use This Sheet

This guide uses the following NIST CSF Domains and Categories to model and improve an organization's current security program.

• Policies – ID.GV
• Network Segmentation and Isolation – PR.AC
• Access Control – PR.AC
• Logging and Monitoring – DE.AE
• Asset Inventory Management – ID.AM
• Incident Response – RS.RP
• Security Awareness – PR.AT

How to Evaluate Security Program Maturity

Consider the following steps to get started:

• Obtain executive leadership buy-in to conduct an internal security program maturity review.
• Identify key personnel from the information technology (IT), information security (InfoSec), and operational technology (OT) teams to conduct the maturity review.
• Review each section and the important topics outlined in each.
• Provide an honest grade for how well these topics are managed within the organization and control network.
• Use the grading to prioritize recommendations for executive leadership.
• Brief executive leadership and obtain guidance.
• Brief IT, InfoSec, and OT teams.

Policies – ID.GV

Standards, guidelines, and procedures built from corporate policies are not implementable within the control network. For example, the corporate approach to password management is too restrictive for the control network and is ignored. Other requirements, such as IR plans, will negatively impact safety. For example, removing systems from the network without warning due to malware infection will have unintended impacts on the process.

Organizations can develop control network policies by starting with and adapting current corporate policies. Control-network-specific policies will help the team understand the organization's business and operation requirements and allow them to build sound standards, guidelines, and procedures to ensure the availability, resiliency, and safety of the process.

Providing guidance for each of the NIST CSF functions and categories is a good beginning. The control network team can use this guidance to identify the standards, guidelines, and procedures for each area. More granular control implementations will pull from other industry standards such as IEC 62443, ISO 27001, and NIST 800-82r2.

Network Segmentation and Isolation – PR.AC

• Network Boundaries – Network segmentation and isolation begin with network boundaries between the corporate network and the control network.
• Remote Access – Remote access for operators, engineers, integrators, vendors, managed service providers (MSP), and others crosses these boundaries.
• Internet Access – There is always a path to the Internet, so understanding the restrictions applied to this path is critical.
• Cloud Access – Vendors and integrators are leveraging cloud access for maintenance and management.

Access Control – PR.AC

Access control manages authorization to assets within the control network. Control networks have unique requirements for management by company personnel and third-party partners.

• Control Network Credentials – Should be unique to the control environment. The control network Active Directory (AD) should not have a trust relationship or sync with corporate domains.
• Multi-Factor Authentication – MFA, like Windows AD, should not be shared with the corporate environment.
• Vendors and Integrators – Third-party accounts should be restricted to specific roles, responsibilities, and assets. MFA should be required. No direct access should be allowed from the Internet.
• Managed Service Providers – Many organizations share MSP services between the corporate and control networks. MFA should be required. No direct access should be allowed from the Internet.
• Service Accounts – Service accounts are used for many applications and should not share credentials between the corporate and control networks.

CRITICAL NOTE: Monitoring the use of credentials and MFA is the most important step to ensure that access control is an effective security control.

Logging and Monitoring – DE.AE

Organizing logging and monitoring within the control network is most effective when prioritized to address network events, then system events, and finally the consolidation, correlation, and evaluation of these events.

The following are several starting points for this discussion:

• Network Events
  o IP Flow Information Export (IPFIX)
  o Network Boundary Activity
  o Network Device Monitoring Configurations (SPAN port and physical taps)
  o Network Security Monitoring
• System Events
  o Windows Active Directory Events
  o DNS Events
  o Windows Event Logs
  o Syslog Events (*nix systems, PLCs, Field Devices)
• Managed Logging and Monitoring
  o Central Logging Windows
  o Central Logging Syslog
  o Security Operations Center Monitoring and Alerting

Asset Inventory Management – ID.AM

Asset Inventory Management is one of the most important and challenging categories for all organizations. Asset identification is accomplished using four methodologies: Physical, Passive Monitoring, Active Monitoring, and Configuration Analysis. Device categories include (but are not limited to):

• Control Hardware (PLCs, Field Devices)
• Network Devices
• Servers and Workstations
• Process Control Software
• Other Software
• Transient Devices
• Removable Media

Incident Response – RS.RP

The steps to investigate suspicious activity and respond to a compromise support the recovery process. Understanding your organization's level of Incident Response (IR) maturity requires a review of the preparation measures already in place.

• Roles and Responsibilities – Who is in charge, and which team members are responsible for information technology (IT), information security (InfoSec), and operational technology (OT) actions?
• Key Team Member Contact List – Is a call list maintained, and does it include multiple contact methods and identify secondary points of contact?
• War Room/Conference Line – Is there a standard location and/or conference call setup for organizing the response team?
• Vendor/Integrator/MSP Assistance – Are there agreements with these parties to assist with the response efforts?
• Third-Party Assistance – Have teams (forensics, OT IR experts) that provide staff augmentation during IR events been identified, and are agreements in place?
• Jump Bag – Is the set of systems and tools (hardware, software, storage) necessary to interact with the different technologies in the control network in place?
• IR Triage Team – Is there a dedicated team familiar with the control network and the tools and training needed to conduct information gathering and forensic analysis, and to provide actionable intelligence to the IR team?
• Table Top Scenarios (TTX) – Have IR scenarios that include IT/InfoSec/OT/Physical Security team members been run to understand their reactions?

CRITICAL NOTE: Due to plant and public safety requirements, compromised control networks may stay operational for weeks or months, posing an ongoing threat in a contained and controlled state. Full eradication may occur only during the next scheduled plant maintenance window.

OT-specific IR plans and procedures are necessary to help organize and guide IT, InfoSec, and OT teams to success during these stressful events.

Incident Response – RS.RP (continued)

Example IR Table Top Scenarios (TTX) for IT/InfoSec/OT/Physical Security team members:

• Ransomware – An operator logs into the asset management server and sees a ransomware note on the desktop background and that all project files appear to be encrypted.
• Maintenance or Compromise – An administrator account was observed logging into all Windows servers and workstations across the control network.
• Strange HMI Activity – Operators notice the mouse moving and clicking on different portions of the HMI in a way that is not consistent with normal operations.
• Living off the Industrial Control Security (ICS) Land – Operators troubleshooting network issues notice excessive ICS protocol traffic (OPC, IEC104, Modbus/TCP) from several systems.
• Unauthorized Physical Access – The physical security team notices a hole cut into the fence around the facility. The teams investigate and determine the physical access is a two-part attack: physical access was gained to then access the facility, where a cyber containment was introduced into the control network.

Security Awareness – PR.AT

Corporate security awareness programs cover the expectations of individuals accessing corporate assets. Control network security awareness programs are typically limited to covering safety training and requirements. In some control networks OT personnel do not have corporate accounts and, therefore, may not receive corporate security awareness training. IT, InfoSec, OT, and physical security personnel who have control network responsibilities should receive additional training to distribute knowledge about control network policies and their responsibilities. That training should also provide them with knowledge of how to identify suspicious activity and encourage them to report the activity as a part of their normal response and recovery steps.
