(CS)²AI Online™ Seminar: Under Fire - Lessons Learned in OT Incident Response
Operational technology (OT) systems are facing an increasing number of cyber security incidents. Some of the well-known OT incidents were targeted attacks, but more often than this are IT specific incidents that indirectly impact OT systems. Whether it's a targeted OT attack, an IT ransomware attack that indirectly shuts down operations, or some old Windows malware brought in by infected USB...they all can cause headaches for those that are unprepared.
This talk will discuss practical approaches to OT incident response, that will leverage the people, processes, tools, and relationships you most likely already have.
Such as:
- The Theory of 99: Almost All Threat Activity Happens in Windows and Linux Systems.
- There is significant overlap across TTPs utilized by threat actors targeting both IT and OT networks. While it is important to have OT experts involved, most of the IR collection and analysis in OT environments is like IR in IT environments.
- Most places already have existing disaster recovery and business continuity plans for OT environments… the win is to inject cybersecurity into this same process. ICS4ICS was developed exactly for those who already use FEMA / NIMS Incident Command System (Hurricane response, power outages, fires, pandemic response, etc).
- OT playbooks are an important part of the IR preparation phase.
- The Mandiant DFIR for OT framework is designed to help guide preparation for incidents that involve embedded systems. There's not a lot of available tools for OT device forensics like there are for Windows and Linux. So we have to leverage what PLC and RTU logs are available and what the vendor software can collect and analyze. Mandiant has released 2 embedded DFIR tools on our github, but most often, the OT vendor must help with the detailed forensics analysis for their proprietary PLCs.
- Oftentimes OT field SMEs do a lot of the preparation and collection steps on a regular basis for maintenance. Writing their steps, tools, and processes in a playbook will help IR to be much more effective.
- I'll cover the importance of having playbooks that follow these use cases:
- Commodity malware in OT
- Ransomware / wiper malware in OT
- OT credential compromise
- OT protocol attack
- Incident response training and conducting tabletop exercises is important
- You need to assess OT incident response capabilities across IT, OT, and even with OT vendors and if you have an incident response retainer from an outside provider.
Lessons learned: Mandiant has responded to several real-world OT incidents the last several years and I will discuss some of the lessons learned. No victim identifying information will be shared, only technical details of the OT incident response process.
## All past seminars and symposiums are available to paid CS2AI.ORG members. Check out the Resources area of our website in the Members Portal
## Becoming a paid member is quick and easy (and helps us keep offering these educational opportunities!). Join now!
## Certificates for Professional Development/Continuing Education Units (PDUs/CEUs) are available for all registered individuals who attend at least one hour of the event.
## If you're interested in speaking at a future (CS)2AI event, having your organization become a Strategic Alliance Partner, or engaging in any of the other ways available, please contact us on our https://www.cs2ai.org/get-involved
## Please note that (CS)2AI ONLINE events are provided free of charge as educational career development content through the support of our paid members and the generous contributions of our corporate Strategic Alliance Partners. Contact information used in registering for our directly supported seminars may be shared with sponsors funding those specific events. Unless noted on the Gotowebinar registration page, all events are open for direct funding support.
