OT Tabletop Cyber Crisis Management

Cyber "Fire" drill for OT environments

Cyber-attacks can seriously impact the processes of Operational Technology (OT) and Industrial Control systems (ICS). Being well prepared is essential. A Tabletop Cyber Crisis Management Workshop helps you prepare your response to a cyber-attack. It can also help you perfect your OT Disaster Recovery Plan and Crisis Management Plan.

Are you prepared?

Is your organization prepared for a cyberattack or a large-scale security incident on your OT systems? Ask yourself these questions:

• Does your team know what to do and how to recover when all Operator Interfaces (HMIs) are unavailable?
• What is the impact on production or safety?
• What are everyone's responsibilities?
• Is external support from the industrial control system (ICS) vendor required?
• Who are the first points of contact?

You don't want to look for the answer to these questions during an incident. Secura can help you prepare with the OT Tabletop Cyber Crisis Management Workshop. It is a cyber "Fire" drill for OT environments.

Challenges in OT

As a long established and leading expert in cybersecurity, Secura is aware of the challenges within OT environments. Often the responsibilities are less well defined than in IT departments.

Most organizations lack dedicated OT security specialists. Engineers don’t always have the necessary expertise to deal with complex security issues. This increases the importance of a solid and verified plan.

Especially because cyber incidents in your industrial control systems can directly impact primary business processes and safety of your staff. That's why we advice you to do an OT Tabletop Cyber Crisis Management Workshop to raise cyber resilience of your organization.

Practicing for disaster

During the OT Tabletop Cyber Crisis Management Workshop, you will practice operational procedures for dealing with high impact cyber incidents, for example a ransomware scenario. Think of this as the cyber equivalent to the annual fire drill.

The goal of the Tabletop is to help you to:

• Verify and improve your plans for Disaster Recovery and/or Crisis Management.
• Identify gaps in policies for backup, restoring, security monitoring and disaster recovery.
• Gain insight into different roles during a crisis.

The scenarios and our approach are based on NIST standard SP 800-84 to effectively prepare and execute cyber incident exercises.

How does the Tabletop session work?

Over the course of the exercise, the participants will receive information, simulated reports and challenges that contribute to the scenario. We will take the time to evaluate the steps taken during the simulation.

The participants learn how to act effectively as a team during an incident. This means the exercise also contributes to team building and developing mutual respect.

Preparation

During preparation, we jointly determine the scope of the exercise. We will collect the documents about the OT environment, such as OT system diagrams, the OT disaster recovery plans and the crisis infrastructure within the organization.

The scenario will be tailored to the specific OT network and organizational structure in scope. Based on the defined goals and content of the exercise we can determine the required participants, like OT, IT, Management, or vendors.

Crisis training

The tabletop begins with an introduction of high impact OT cyber security incidents. Secura gives a presentation about ransomware and the threat it can pose to your organization. The second part of the training focuses on the crisis process and disaster recovery in your organization. We engage participants in an interactive discussion about the current processes within your organization and whether they are up-to- date.

Cyber crisis exercise

The main part of the tabletop is built around a simulated incident in which the participants conduct a crisis consultation. The simulated incident covers everything from initial detection of a small security issue to the full-scale escalation, crisis management and disaster recovery.

Evaluation

You will receive a report with observations, lessons learned and recommendations for adjusting the Disaster Recovery and Crisis Management plans.

Disaster Recovery Plan and Crisis Management Plan

The exercise works best if you have a Disaster Recovery Plan (DRP) or a Crisis Management Plan (CMP) in place.

OT Disaster Recovery Plan (DRP)

A Disaster Recovery Plan, or DRP, is a comprehensive plan that covers full recovery of the OT network, including the industrial controllers, SCADA systems and other vital components. Recovery order, system dependencies, required resources and tools, reliable backups, tested procedures and validation processes are all required for a successful and fast recovery.

During the preparation of the OT Tabletop, we check whether this plan exists and is successfully implemented. If you do not have a Disaster Recovery Plan, Secura can provide support to review or create one, based on relevant controls specified in NIST CSF and IEC 62443-2-1 and matched to the current infrastructure.

OT Crisis Management Plan (CMP)

A Crisis Management Plan, or CMP, is all about managing the crisis on a company level, including decision-making and communication. Most organizations have a general plan, but they don’t always cover disasters caused by cyber and/or cyber incidents in OT.

During the Tabletop we will review the existing Crisis Management Plan. If needed, Secura can help you improve or create this plan.