A Step-by-Step Cyberattack Response Checklist

Today’s rapidly evolving industrial environment and the rise of Connected Worker have led to the integration of legacy operational technology (OT) systems with modern information technology (IT) systems. Advanced machines are now connecting with network sensors to produce large amounts of real-time data, which is then analyzed by cutting-edge analytics software to generate key insights for business growth. This OT-IT convergence is also driving digital transformation in the manufacturing sector, thereby facilitating the transition to Industry 4.0 and 5.0.    
 
Download the SPECIAL REPORT: Addressing the Systemic Vulnerabilities of North America’s Industrial Sector to Cyber Attacks
 
However, despite its many benefits, this convergence has radically altered the cybersecurity threat landscape. Many OT systems were designed at a time when cybersecurity threats were not as advanced or prevalent as they are now, and therefore cybersecurity was not a primary concern. Moreover, security considerations for OT and IT differ significantly. While IT security focuses on data confidentiality, OT security is primarily concerned with the safety and availability of physical processes and equipment.   
 
Given the evolving landscape, having a comprehensive cyberattack response plan is crucial. This article provides a step-by-step approach to help organizations effectively respond to cyberattacks, ensuring minimal disruption and swift recovery. 
 
There are two types of OT cyberattacks:  

Direct attacks: 

• On OT systems: These are local or remote attacks where hacking software or manual actions directly impact OT automation systems and networks.
• Inadequate segmentation: This occurs when an organization fails to clearly separate its OT and IT networks, opting instead for a flat network. In this scenario, any attack on IT systems also compromises OT systems.
• IT pivot: In this type of attack, IT systems are first compromised, and then the attack is moved or "pivoted" to the OT assets.  
• Supply chain: This occurs when the hacker secretly inserts malware or vulnerabilities into the organization’s software or firmware related to the OT environment.
• Malicious insider: An inside job where an employee uses their credentials or role within the organization to attack the OT systems 

Indirect attacks: 

• Cautionary: In this scenario, an attack compromises IT systems, prompting the business to preemptively shut down OT systems to reduce the spread of risk and preserve forensic evidence. According to a study by cybersecurity company Waterfall, the best way to combat this is to fortify OT security programs, particularly at the IT/OT interface, making it difficult for hackers to pivot from IT to OT networks. 
• IT dependency: This type of indirect attack cripples the IT networks and servers that are intrinsically connected to the functioning of the OT systems. Waterfall recommends deploying network engineering and incident response measures to reduce or eliminate shutdowns of this type, minimizing downtimes for reliability-critical IT components. 
• Third party: In this case, the cyberattack targets a closely connected supplier rather than the organization itself, which can lead to a loss of production or trust in the supplier. 

The Cyberattack Response Checklist 

1. Mobilize the Internal Data Forensics Team or Hire an External Agency: This will help the organization determine the size, scope, and source of the attack. The forensics team will gather and analyze evidence and provide immediate remedial measures.
2. Notify Authorities: Inform local police or the FBI immediately so they can be involved in the response process from the early stages.
3. Contain Damage: Contain the threat and prevent further damage. Cordoning off areas potentially related to the attack and restricting access is crucial, especially if the breach might be internal. Resume normal activities only after receiving clearance from forensics and law enforcement teams.
4. Prevent Data Loss: Do not shut down internal IT systems unless required by the forensics team. Ask users with access to compromised systems to reset their passwords to prevent additional data loss due to stolen login credentials.
5. Keep Evidence Intact: Minimize employee interference during the investigation and remediation phase to avoid compromising evidence.
6. Adhere to Legal Requirements: Notify required stakeholders as per state regulations and comply with other federal or state compliance requirements.
7. Notify Affected Businesses and Individuals: Inform any businesses or individuals affected by the breach so they can take appropriate remedial measures.
8. Transparent Communication: Communicate all responses regarding the cyber-attack through appropriate channels to all concerned parties, including the general public if necessary.
9. Restoring Systems: Resume normal operations only after all systems have been restored to their pre-incident state. This includes identifying and addressing vulnerabilities and updating systems to prevent future breaches. 

Download the SPECIAL REPORT: Addressing the Systemic Vulnerabilities of North America’s Industrial Sector to Cyber Attacks

Learn how to bridge the gap between IT/OT teams to enhance collaboration and strengthen overall cybersecurity in a converged environment at our upcoming event: 
 
OT Cyber Security Summit
October 28-29 | Houston, TX