WHAT IS INCIDENT MANAGEMENT?
Incident Management began as an IT term for the process of restoring normal service operation after a disruption; it is defined in both ITIL and ISO/IEC 20000. Although incidents are often equated with security breaches, they also include errors, failures, disruptions, and network instability of any origin. Regardless of the root cause, the elements below should be in place so the organization gets back to business as fast and as safely as possible.
WHY DOES IT MATTER?
Incident Management is a clear, repeatable process for restoring service operation as quickly as possible and minimizing the impact of the incident. Incidents range from degraded infrastructure quality to a complete halt of the organization. Having a plan to mitigate operational disruptions keeps your organization secure and running at optimal performance.
MANAGING VULNERABILITIES IN THE OPS ENVIRONMENT
IT admins know the importance of vulnerability management all too well, but where does it sit on the priority list for Operations? While IT is committed to the security of the business, Ops has a different focus: keeping the business running efficiently and at high performance. When both sides understand the value of vulnerability management, the result is a management strategy that enforces both security and reliability.
Successful vulnerability management in Ops means striking a delicate balance between two very different, equally important aspects of the business. The value both IT and Operations can get behind is that effective vulnerability management continually identifies vulnerabilities that can be remediated through patching and configuration changes BEFORE a cyber incident grinds production to a halt. Operations will continue to run efficiently and reliably when IT is able to manage vulnerabilities in the following areas:
- Operating Systems (OS)
- Enterprise Applications/ERPs
- End User Applications
Working with your IT team keeps vulnerability management proactive: it seeks to close existing security gaps in operations before they are exploited.
What if there was a translation chart: a snapshot showing how knowledge transferred from Ops, combined with effective ongoing management within IT, would mean tremendous value to the boardroom and the business as a whole? IT knows the value of vulnerability management activities, but that value isn't always communicated effectively to Operations or the C-suite. Download the Translation Guide for Vulnerability Management and create a shared value for the organization.
IS OPS REPRESENTED IN YOUR IRP?
Use an Inventory Checklist
Technology, in the form of apps, devices, and infrastructure, is found in every function of the organization, and is increasingly the lifeline of production and operations. The IT department likely has an Incident Response Plan (IRP) and a Disaster Recovery (DR) plan to protect the information network and infrastructure. What about the growing list of Operations and Admin technology: is it adequately represented in your organization's IRP? Here are some assets to consider:
- Industrial Process Control
- Computer-Based Tech Infrastructure
- Non-Connected OT Devices
- Apps and Software
In general, operational technology assets can be defined as any physical device or software used for controlling, monitoring, configuring, collecting information from, or supporting industrial control systems (source: Public Safety by Gov’t of Canada).
Use the Asset Inventory Checklist to ensure Ops is represented in your organization's Incident Response Plan. Once the checklist is completed, define who will be at the Ops helm should an incident occur. List the person(s) who oversee these four roles:
- Someone who oversees data infrastructure
- Someone who oversees industrial programming
- Someone who oversees engineering partners
- Someone who oversees vendor/supplier/customer access
Since industrial organizations typically run multiple shifts, it's best practice to appoint a lead for each shift.
It is important to define how Ops will respond and liaise with IT and the rest of the Incident Response Team. The team must first triage to understand the type, scope, and behaviour of the threat. The Ops point person(s) will need to check PLCs, Microsoft Windows HMIs, and remote access logs. It is best practice to isolate Operations as quickly and as completely as possible, to reduce the impact of potential threats on operational components, supplier access, and sensitive customer data; because safety is the Ops priority, plan those isolation steps in advance so that disconnecting a control network or cutting vendor access does not itself create an unsafe state. A breach can affect both IT and OT (Operational Technology) environments, so the Ops IRP must be able to work in isolation, and also together with IT's IRP where required.
HOW TO CREATE AN OPS IRP
There is a fundamental difference between IT infrastructure and Operational Technology that, once established in your organization and reiterated in your IRP, will allow each side to value the other: for IT, the priority is security and confidentiality; for Operations, the priority is performance and safety.
Operational technology assets typically have longer lifecycles, lasting 10 or even 15 years. This is why incident response techniques built for the IT environment may simply not work in operations. Drawing on the NIST Cybersecurity Framework, the How to Build an Effective IRP for Operations Worksheet was created. The worksheet contains questions dedicated solely to Ops, covering Prevent, Respond, and Recover: 20 checklist items in total, each with qualifying questions for Operations.
Protecting Operations from a breach can be complex; adding operational assets and procedures to the organization's IRP should be simple. Complete the worksheet and add it to your organization's Incident Response Plan (IRP).
Roadmap to a Security-First Culture
WITH YOU ALONG THE JOURNEY
An effective Security-First Culture includes ongoing efforts to Prevent, Respond to, and Recover from incidents, with a corresponding focus on business continuity and disaster recovery.
This shift demands an ongoing, adaptive approach in the face of a constantly evolving threat landscape. It needs to stay top of mind across the organization: everyone needs to be vigilant every day in everything they do, while the threat actor only needs to be right once.
The Next Dimension Cybersecurity Optimization process has three planning phases, followed by an implementation phase, that lead to a practical implementation plan based on timing, resources, and budget priorities:
- Cybersecurity Readiness Assessment to determine the current state.
- Risk Assessment and Recommendations Report based on the findings of the assessment.
- IT Roadmap to address identified gaps and create a long term maintenance plan.