Ok, maybe it takes a cybersecurity nerd to think cyber threat detection and incident response is fun. But be assured, if you aren’t monitoring and detecting cyber threats against your organization, it’ll be anything but fun trying to respond to an attack or other cyber incident. For this penultimate ‘15 Cybersecurity Fundamentals Awareness Month’ (15CFAM) series post, we bring you #10-Implement Threat Detection and Monitoring and #11-Plan for Incidents, Emergencies, and Disasters from WaterISAC’s 15 Cybersecurity Fundamentals for Water and Wastewater Utilities. We think these two fundamentals complement each other as responding to or investigating a cyber incident relies heavily on being able to detect threats and attacks through monitoring capabilities.
Without the ability to detect threats within your OT or IT environment, adversaries will go unnoticed. Threat detection and monitoring encompass much more than logging. According to numerous findings by CISA during its cybersecurity assessments, while most organizations enable logging, many fail to aggregate relevant logs to a centralized log management system or SIEM (security information and event management) for correlation and analysis. Furthermore, even after collecting logs into SIEMs, many organizations neglect to regularly review logs for unusual and suspicious activity. In What is a SIEM and How Does it Enhance Threat Detection, IBM’s SecurityIntelligence reviews the benefits of a SIEM, and how it helps organizations detect both known and unknown threats and respond to incidents quickly and effectively. Additionally, Verve Industrial provides some specific considerations for organizations evaluating the need for an OT SIEM.
Once threat detection and monitoring are implemented, responding to cyber incidents becomes a lot more efficient. It’s difficult to investigate a cyber attack if there are no logs/records of activity, and nearly impossible to perform any sort of forensic review. Drinking water utilities are no strangers to Emergency Response Plans (ERPs), given America’s Water Infrastructure Act (AWIA) requirements which began this year. Part of those plans include cyber incident response. Unfortunately, incident response planning is often not given its due attention under the best of times. But as the “post” COVID-19 environment seems to be ushering in a new normal for most, it is prudent to consider how a cyber incident will be handled when physical access may be limited by multiple factors. ICS cybersecurity firm Dragos considers alternative ways to safely execute incident response during times of lockdown, including the need to consider if and how to do so remotely. Dragos some pros and cons of remote forensic data acquisition, remote analysis, and regulatory limitations on doing so.
Developing plans for how utilities will respond to cyber incidents is critical for quick recovery and restoration from such events. An effective cyber incident response plan (IRP) will limit damage and reduce recovery time and costs. Most importantly, the IRP needs to be in place and tested before a cyber incident occurs. The Verizon Incident Preparedness and Response Report (VIPR) – Taming the data beast (sic) breach edition is a valuable resource to help organizations create or improve cyber incident mitigation and response efforts. The VIPR includes Breach Simulation Kits (BSKs) to help facilitate tabletop exercises/workshops. Each kit is designed to enforce various steps of the IR process using common attack scenarios.
We’ll spare you the clichés and quotes like, you won’t find it if you’re not looking; it’s not if, but when...; and by failing to prepare, you’re preparing to fail… Suffice it to say, if you think It’s No FUN When Vulnerabilities Aren’t Managed, imagine how much fun it will be telling the boss/board of directors you have no idea how/when the incident occurred because there wasn’t any monitoring in place. And that’s after the FBI or other third-party called about suspicious activity – or worse, it was in the headlines. Then there’s the matter of actually responding to the incident. If you’re asking, “what would we do?” then now’s the time to start planning before it’s too late. To that end, we’ll leave you with this – “Preparedness, when properly pursued, is a way of life, not a sudden spectacular program.” -Spencer W. Kimball. Do Your Part. #BeCyberSmart. Cyber resilience/cybersecurity is a way of life and business…