Tuesday, March 11, 2008

Cyber Incident Reporting and Response Planning

Continuing with the analysis of the FERC Reliability Standards and how they might help chemical facilities secure their electronic control systems, we look at the seventh standard, Incident Reporting and Response Planning. The FERC standards are written for electrical utility systems not chemical facilities so we need to read the Final Rule discussion carefully to see what might fit into chemical facility systems.


For previous blogs in this series see:


This standard requires that “a responsible entity to identify, classify, respond to, and report cyber security incidents related to critical cyber assets.” (para 653, page 7431) This closely parallels the requirements of Section 27.230(16) of the CFATS regulations to report ‘security incidents’. In both cases facilities are left with a lot of latitude as to what constitutes a reportable incident.


The key to an effective response to any type of incident is a well thought out plan established in advance of the incident. The response to a cyber security incident is no different. There are a number of things that must be included in the Cyber Incident Response Plan (IRP) for it to be effective.


Triggering the Cyber Incident Response Plan


First the plan must define the type of event that triggers the plan. Any attempt to gain unauthorized control or to destroy a critical cyber asset should certainly require initiation of the plan. Just as clearly one of the “ineffectual and untargeted attacks that proliferate on the internet” (para 660, page 7432) should probably not trigger the response plan. Defining the limits within those boundaries will be difficult.


Electrical utilities will ultimately have the Electric Reliability Organization develop those standards. Unfortunately the chemical industry has no such organization to turn to. DHS can probably not fulfill this role without running afoul of the Section 550 prohibition of prescribing security rules that must be included in site security plans.


With that in mind facilities will have to look at the vulnerabilities identified in their SVA to determine what types of actions could indicate the initial stages of a terrorist attack on their facility. Clearly, any alarm set up in the establishment of either the physical or electronic security boundary would be a trigger to the response plan.


Incident Response Teams


The IRP needs to outline who will respond to any incident. This incident response team (IRT) needs to be as clearly identified (CIP-008-1, para R1.2, page 1) in advance and trained in the incident response plan. A team commander, someone experienced in the operation and maintenance of the cyber controls involved, and probably someone experienced in programming the control system should be included on the team.


The priorities of the IRT needs to be clearly spelled out in advance. A normal response to a control systems problem is to restore service as quickly as possible. In a security incident that priority probably needs to slip to second or third place.


In a high-risk chemical facility the first priority is to prevent a hazardous material release or the theft/diversion of hazardous materials. The second priority would be to preserve evidence for successful identification and prosecution of the person(s) effecting the attack. Only then should restoring service be a priority.


Operational Exercises


Finally the IRP must include a requirement “…to exercise recovery plans at least annually, and that such exercise can range from a paper drill, to a full operational exercise, or to recovery from an actual incident.” (Para 711, page 7437) The whole point of conducting an operational exercise is to ensure that the plan is effective in dealing with the identified cyber security incidents.


Any operational exercise must include provisions for an after action review to take a detailed look at what went right and what went wrong during the exercise. The information developed in that review should then be used to update and revise the IRP. The point is to learn from mistakes in drills and exercises so that they do not have to be learned in an actual event.


A well thought out Incident Response Plan, implemented by a well trained Incident Response Team will go a long way towards preventing a successful cyber attack on a facility. If the attack cannot be prevented, then the effects can be mitigated.

No comments:

/* Use this with templates/template-twocol.html */