OT Incident Response for the Cybersecurity Lifecycle

Lowering cybersecurity risks in OT and Critical Infrastructure sectors requires a proactive approach. Operators must focus on implementing appropriate security policies, procedures, and controls that address all parts of the cybersecurity incident lifecycle – before, during, and after. This approach will better protect industrial operations.

Recent Rockwell Automation OT Research Findings

Rockwell Automation recently commissioned the Cyentia Institute to analyze cybersecurity events involving compromised OT/ICS. In total, 122 events from 1982 to 2022 formed a representative sampling of OT/ICS compromise events examined in this study.

Key findings included that the Energy sector recorded three times as many incidents as the next closest vertical industry. In addition, nearly 60% of attackers were from nation-state affiliated groups. In other research, the Cyentia Institute has found just over 1% of cyberattack events were attributed to nation-state actors. While the higher percentage found in this study was surprising, it’s not illogical given that nation-state attackers most often want to impact Critical Infrastructure, supply chains, exfiltrate data from critical systems, or simply take OT systems offline.

With more systems, networks and devices being connected in OT/ICS environments, and the legacy equipment housed in most industrial environments, many organizations are exposing new vulnerabilities to sophisticated adversaries. Having a strong, modern OT cybersecurity program in place must be a part of every industrial organization’s responsibility to maintain safe, secure operations and ongoing availability.

Preparedness limits damage and speeds recovery

If an ICS/OT cybersecurity incident occurs within your facility, you can minimize its impact on downtime and speed recovery with proper cybersecurity incident response planning. Developing an action plan using a proven incident response framework helps you quickly investigate incidents, triage and quarantine problems, and restore operations.

Along with OT incident response planning, deploying modern cybersecurity controls can help mitigate risks at each stage of an attack, providing visibility into system operations, networks and any changes made to them. For example:

Before an event. Critical Infrastructure sector operators should perform frequent asset inventories covering all IT and OT systems in their facilities. Each asset should be categorized according to whether and how it’s network-connected. This makes it possible to assess multiple types of security risks within the environment.
During an event. Implementing continuous threat detection and log monitoring technology provides early warning on cyberattacks, picking up deviations from baseline or normal operational behavior.
After an event. A robust cybersecurity incident response and recovery plan will include backup and disaster recovery processes for applications and data. Organizations should develop a comprehensive plan for responding to anomalous events, and should practice the plan regularly so it can be executed quickly in times of need.

Applying modern OT incident response techniques and proactive security capabilities will better protect essential systems and services. Rapid, well-orchestrated OT incident response capabilities are a must-have for strengthening resilience amidst rising threats

What’s more, it can help organizations achieve compliance with cybersecurity incident reporting regulatory requirements.

Growing regulatory requirements require modern ICS/OT cybersecurity practices

Regulators are strengthening Critical Infrastructure cyber incident reporting requirements in the U.S., and around the globe amid growing concerns about high-impact events.

The 2021 Colonial Pipeline ransomware attack, for example, took the nation by surprise and resulted in a days-long shutdown of a key pipeline used to transport over 100 million gallons of fuel daily across the eastern U.S. This incident led President Biden to declare a state of emergency¹ and spurred the passage of bipartisan legislation, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).²

CIRCIA mandates that organizations in Critical Infrastructure sectors disclose significant cyber incidents that impact their operations within a specified time frame. And it also provides legal protections for organizations that report on incidents and ransom payments.

After CIRCIA’s passage, the U.S. published its National Cyber Security Strategy,³ calling for software developers and industrial organizations to take more responsibility for making their systems resilient against cyberattacks. This new policy encourages public-private collaboration and advocates that the Federal Bureau of Investigation (FBI) and Department of Defense (DoD) speed efforts to disrupt cybercriminal groups and nation-state threat actors. This strategy also proposes expanding minimum cybersecurity requirements for Critical Infrastructure operators, noting that previous voluntary approaches produced inconsistent outcomes.

While the new National Cyber Security Strategy stopped short of imposing new mandates on Critical Infrastructure operators, it does exemplify the global trend toward rising regulatory scrutiny, stricter reporting requirements, and higher expectations of operators and their vendors to get proactive about cybersecurity.

Fortunately, organizations that implement controls across the cybersecurity incident response lifecycle will have a much easier time achieving compliance mandates, as they are largely based on NIST Cybersecurity Framework (CSF) principles and modern security practices. Capabilities such as asset inventorying, continuous threat detection, network security, and incident response plans are all aligned with the NIST Cybersecurity Framework, which can be deployed to provide outputs suitable for compliance reporting.

A robust security incident response framework

For OT and Critical Infrastructure operators, Rockwell Automation provides cybersecurity incident response services and solutions to cover everything from individual platform security to full-lifecycle cybersecurity incident response. Many ICS/OT operators implement modern cybersecurity practices that follow the primary NIST CSF categories of Identify, Protect, Detect, Respond, and Recover – by starting with a cybersecurity incident response service. Deploying such a service helps protect those embarking on larger cybersecurity programs, as they can prepare for near-term attacks while other program components such as network security, threat detection, secure remote access and more, are phased in.

Contact Rockwell Automation for immediate support

To get help with ICS/OT cybersecurity, please reach out to talk to an expert today. You can also:

Watch a webinar to learn more about our recent OT research study
Download your own copy of Rockwell Automation’s OT research study
Take an online assessment to see how your organization stacks up.

¹https://www.whitehouse.gov/briefing-room/statements-releases/2021/05/11/fact-sheet-the-biden-harris-administration-has-launched-an-all-of-government-effort-to-address-colonial-pipeline-incident/

² https://www.congress.gov/bill/117th-congress/house-bill/2471/text

³ https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf

Published October 24, 2023

Brian Deken

North America Commercial Manager, Rockwell Automation

Brian Deken, the North America Commercial Manager for Rockwell’s Networks and Cybersecurity Services Business has worked in the Automation Industry for over 20 years in roles involving Sales, Development, Strategy and Services. He is a passionate customer advocate, focused on tangible results.

Connect: