CIP-003-8: Incident Response

(Originally posted on September 7, 2020)

Responding to Incidents

Today's post is the 4th section of Attachment 1 in CIP-003-8.

As we've progressed through CIP-003 we've covered security awareness, physical security, electronic access, and now incident response. 

Incident Response (IR) is one of the longest sections in CIP-003-8, but definitely not the most complicated.

Let's see if you agree.

ATT 1, Section 4. Cyber Security Incident Response: Each Responsible Entity shall have one or more Cyber Security Incident response plan(s), either by asset or group of assets, which shall include: 

An incident response plan is required. Each asset can have their own plan, or one plan can cover multiple assets or even all of your assets. 

Be sure to state which assets are covered by your incident response plan in the plan itself!

4.1 Identification, classification, and response to Cyber Security Incidents; 

Identification - How will you identify an incident? What is your process? 

There are many ways to identify an incident. Analyze the alerts and notifications you receive from your security tools; this information will help you decide your incident identification process. 

·         Consider all alerts from an antivirus system or SIEM (Security Information and Event Management) tool as incidents?

·         Have a team of SMEs (Subject Matter Experts) review each alert and notification to determine a positive, or false positive, incident?

·         Wait until your systems are infected with ransomware rendering your operations useless? 

Classification - What type of incident is it? Red alert? Defcon 1?  

An alert for ransomware will warrant a different response than an alert for a 5-year-old trojan malware strain. It also depends upon the system affected, the skills of your team, and the risk tolerance of senior management. Classifications could include:

·         Green, Yellow, Red.

·         Low or High.

·         Positive Incident: all incidents receive the same response. 

Response - How will you and your team respond to incidents? Will a high incident require all systems to be powered down and replaced immediately? Will a low incident require mobilizing a third-party incident response team? In any event, the response should be appropriate to the incident classification, such as:

·         Low incident: Malware on a single PC is scanned and removed by antivirus tool.

·         Medium incident: Single PC is powered down immediately and replaced. The original system is destroyed.

·         High incident: All machines on a system are powered down and disconnected from the network. A third-party incident response team is mobilized. All machines are replaced and the original systems are analyzed for malicious software.

Let's keep moving along…

4.2 Determination of whether an identified Cyber Security Incident is a Reportable Cyber Security Incident and subsequent notification to the Electricity Information Sharing and Analysis Center (E-ISAC), unless prohibited by law; 

A Reportable Cyber Security Incident is a NERC-defined term and can be found in the NERC glossary. Determining if the incident is reportable should be the next step after the response.

4.3 Identification of the roles and responsibilities for Cyber Security Incident response by groups or individuals; 

This subsection is where you identify your incident response team leaders, members, system owners, SMEs, etc… Each role should have one or more responsibilities. For example: 

·         System Owners - Will report any abnormal computing activity to the help desk.

·         Incident Response Members - Will assist the Incident Response Team Leaders with incident classification.

·         Operational Technology (OT) SMEs - Will analyze any OT antivirus alerts to determine if the alert is positive or false positive.

4.4 Incident handling for Cyber Security Incidents; 

How will your incident response be handled? This goes hand-in-hand with response and may be performed by one of the roles listed in the IR plan. 

4.5 Testing the Cyber Security Incident response plan(s) at least once every 36 calendar months by: (1) responding to an actual Reportable Cyber Security Incident; (2) using a drill or tabletop exercise of a Reportable Cyber Security Incident; or (3) using an operational exercise of a Reportable Cyber Security Incident; and 

This subsection is self-explanatory. If you have an actual incident, drill, or operational exercise, be sure to follow your IR plan. Don't forget to document everything so it can be used as evidence. Be sure to do this at least once every 36 months.

4.6 Updating the Cyber Security Incident response plan(s), if needed, within 180 calendar days after completion of a Cyber Security Incident response plan(s) test or actual Reportable Cyber Security Incident. 

Update your IR plan, if needed, within 180 days of the test. For example:

·         The IR plan test evidence states that the IR team couldn't get in touch with the plant manager due to an old phone number; update the phone number in the plan.

·         The OT SME couldn't take down the turbine control system because she didn't have sufficient privileges. Update the IR plan role to include an OT SME that has sufficient privileges. 
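As an added example (not from the original post or from NERC), here is a small Python tracker for the two deadlines in Sections 4.5 and 4.6: the 36-calendar-month test interval and the 180-calendar-day update window. Reading "36 calendar months" as the same day-of-month 36 months later is this example's assumption, and the test dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Figures from CIP-003-8 Attachment 1, Sections 4.5 and 4.6. Reading "36 calendar months"
# as the same day-of-month 36 months later is this example's assumption, not a NERC definition.
TEST_INTERVAL_MONTHS = 36
UPDATE_WINDOW_DAYS = 180

def add_calendar_months(d: date, months: int) -> date:
    """Advance d by whole calendar months, clamping the day to the target month's length."""
    y, m0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m0 + 1
    # Last day of the target month: first day of the following month, minus one day.
    following = date(year + 1, 1, 1) if month == 12 else date(year, month + 1, 1)
    return date(year, month, min(d.day, (following - timedelta(days=1)).day))

@dataclass
class PlanTest:
    completed: date               # date the drill, exercise or actual response finished
    plan_updated: Optional[date]  # date the revised IR plan was issued; None if not yet

def next_test_due(test: PlanTest) -> date:
    """Section 4.5: the plan must be tested again within 36 calendar months."""
    return add_calendar_months(test.completed, TEST_INTERVAL_MONTHS)

def update_deadline(test: PlanTest) -> date:
    """Section 4.6: any needed plan update is due 180 calendar days after the test."""
    return test.completed + timedelta(days=UPDATE_WINDOW_DAYS)

def findings(tests: List[PlanTest], today: date) -> List[str]:
    """Return compliance gaps for a chronologically ordered list of plan tests."""
    out = []
    for prev, cur in zip(tests, tests[1:]):
        if cur.completed > next_test_due(prev):
            out.append(f"test gap: {prev.completed} to {cur.completed} exceeds 36 months")
    for t in tests:
        deadline = update_deadline(t)
        if t.plan_updated is None and today > deadline:
            out.append(f"update overdue: test {t.completed}, deadline was {deadline}")
        elif t.plan_updated is not None and t.plan_updated > deadline:
            out.append(f"update late: test {t.completed}, updated {t.plan_updated}")
    if today > next_test_due(tests[-1]):
        out.append(f"next test overdue: was due {next_test_due(tests[-1])}")
    return out

# Constructed sample: a promptly updated 2018 tabletop, then a late 2021 drill with no revision yet.
SAMPLE_TESTS = [PlanTest(date(2018, 3, 1), date(2018, 4, 10)),
                PlanTest(date(2021, 4, 15), None)]
SAMPLE_FINDINGS = findings(SAMPLE_TESTS, date(2021, 12, 1))
```

Run against your real test log, the findings list is the set of items an auditor would ask about; an empty list means both deadlines are currently met.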

Don't forget: if you have medium or high impact classification assets, you can use the same IR plan for the low impact assets.

Finally, try to keep your IR plan simple and repeatable, and document both the plan itself and the evidence that you followed it.

That's it for incident response. Give yourself a pat on the back if you read all of this and made it to the end!
