The first time you think about incident response and cybersecurity foundations should not be the day your company gets hit with a massive ransomware attack or is the victim of a supply chain incident. Unfortunately, that’s too often the case. Getting prepared for a cyberattack and coming up with an incident response plan can be the difference between a company continuing operations or closing up shop. And it’s important to do this for both the information technology (IT) and operational technology (OT) sides.
ICS Pulse recently talked to Lesley Carhart, director of industrial control system security incident response at Dragos, about the dangers of supply chain compromise, how to get started with an incident response plan and why preparation is key. Listen to the full podcast here.
The following has been edited for clarity.
ICS Pulse: What is the message you are trying to get out about incident response?
Lesley Carhart: Do the basics. Do the basic foundations. You might think you’re very mature in terms of your IT (information technology) enterprise cybersecurity, and you might be very mature in that space, but doing OT (operational technology) cybersecurity and OT incident response is totally different. I promise you I’m not trying to sell you something. It’s just really different. You’re dealing with legacy systems. You’re dealing with process consequences. People can die. The power can go out. Water can be contaminated. All those things can really happen in those environments, so it’s a very different space to work in. You don’t have XDR, you don’t have EDR, so you really need to start from the ground up.
Even if you’re really mature on the other side of things, you need to start building a security program from the beginning. That means things like basic security monitoring, asset inventories, vulnerability management, and having an incident response plan and having some idea what you’re going to do in those spaces if you actually have a cybersecurity incident. They really do happen. You can’t count on your enterprise plan to be enough there, or your enterprise technologies to be enough there. You have to look at it discretely.
ICSP: We’re asking you to prognosticate a little bit here, but what do you think the big stories in cybersecurity and industrial cybersecurity will be in the coming year? What are the things that you’re watching right now that you think will be the bigger trends?
Carhart: Supply chain compromise. I agree with people on that. That’s very, very worrying. We’ve seen some, over the last several years, but even recently, some very scary supply chain compromises. Adversaries, for the most part, especially criminal adversaries, have gotten more and more efficient as time has gone on. They are maybe attacking less, but they’re being more effective in their attacks because they have limited resources, as well. The economy affects them, as well, and detection affects them. So they have to be good at what they do, and they have to choose their targets intelligently. So things like compromising a big supply chain vendor and getting into a bunch of organizations, it’s a lot of effort and there’s a lot of expense and work that goes into that, but the payoff can be very, very good. It can be very efficient.
So we’re going to see more supply chain compromises. People know that that works now, and that can come in a lot of flavors. That can come in simply compromising software, or it can come from compromising the bits and pieces that people use in software, so there we get into SBOM (software bill of materials). A lot of the topics that are the flavor of the year right now really are quite relevant. They are things we have to explore more because they are becoming more of a problem and for good, sensible reasons.
ICSP: With incident response plans, if companies don’t really have one in place, where’s a good place for them to start?
Carhart: You have a couple different options for frameworks for life cycles for incident response. You’ve got SANS PICERL. That’s a great model for the flow of incident response. And you can also look at the NIST framework, as well, or the DoD’s. But basically the framework for how you respond to an emergency is the same in medicine as it is in cybersecurity or in fire response or all those emergency response fields. You kind of have to understand what’s going on. You have to prepare first. You have to understand what’s going on. Then, you have to make decisions about containing the problem and then eventually finding a way to get back to where you were again. That’s the nature of responding to a pandemic. It’s the nature of responding to a hurricane. Those things exist across all types of disaster response. So choose a model, a life cycle that encapsulates that that works for you, and think about what you do to make the decisions at each one of those stages.
But before you do any of that, again, you have to have those fundamental foundations in place. I can’t magically go into an environment and do incident response when people don’t know what computers they have or what network connections they have or what operating systems they’re using. If I get called into that, I have to go do that at however many hundreds of dollars an hour. I feel really badly about it. Just as an individual, as Lesley, I feel really badly about that because I’m going and doing foundational work that could have been done five years before, and I have to do that to be able to do an investigation. I have to know what computers are out there. I have to know how they’re connected to each other. All that basic stuff, if you don’t have it in place, you’re going to have to do it. In an emergency, you’re going to have to pay somebody a lot of money to do it for you during an emergency.
So really — this is just me as an individual here, not speaking for my employer — save yourself some money. I mean, my employer wants to do this, as well. We really do care about people being secure. Our mission is safeguarding civilization, but, like, save yourself some money here. Do these basics in advance, and that includes understanding things like basic architecture and having a plan for responding to an incident.
ICSP: You don’t want the first time you think about all of this stuff to be the day that your systems have been hit with a cyberattack or ransomware or something.
Carhart: It’s just so, so sad and disheartening for us when we come into those cases. I mean, it’s horrible. It’s the worst day in these companies’ lives sometimes. When you’re talking about industrial incidents, there might be a life and safety issue. They might not know if they can continue operations. And stopping production, stopping processes can be massively expensive. This isn’t the same as like, “Oh, our web service was compromised. Our website has to go down for a while.” This is like, “Will we be in business if we shut down for 24 hours? Will we be able to remain as a company?” So, yeah, we feel really bad. When people haven’t done any preparation, we do our best. We come in and we do everything we can to get them to a place where they need to be. But if some of those things had been done in advance, it would’ve saved them so much stress and so much grief and so much money.