Full Report
New proposal appears for better incident evaluation and reporting – without the inflation. In following the various ICS cyber incidents since 2010 I often asked myself: how significant is this incident for the sector of critical infrastructure in which it occurred? Was it an incident due to some unintentional accident, operator error, equipment fault or […]
Analysis Summary
# Best Practices: Industrial Control Systems (ICS) Incident Evaluation
## Overview
These practices address the critical need for accurate, non-inflated evaluation of Operational Technology (OT) and ICS cyber incidents. They aim to bridge the gap between sensationalized media reporting and the technical reality required for effective industrial defense, ensuring that incident response leads to actionable engineering lessons rather than public relations "noise."
## Key Recommendations
### Immediate Actions
1. **Differentiate between IT and OT impacts:** Immediately determine if the incident affected the process control layer (Physical) or just the business network (Administrative).
2. **Verify Initial Reports:** Treat all information gathered within the first 12 hours as "preliminary." Do not issue public technical attributions or impact scores until engineering teams confirm the "fog of war" has cleared.
3. **Engage Subject Matter Experts (SMEs):** Ensure that the personnel closest to the machinery (operators and engineers) are the primary sources for incident data, rather than relying solely on C-Suite or PR summaries.
### Short-term Improvements (1-3 months)
1. **Adopt a Standardized OT Impact Framework:** Implement the "OT Incident Impact Score" or a similar metric to categorize events by their actual effect on industrial processes.
2. **Implement Forensic Readiness:** Deploy specialized OT monitoring tools capable of capturing traffic and state changes in Safety Instrumented Systems (SIS) to avoid "false negatives" during initial diagnostics.
3. **Establish Intent Analysis Protocols:** Create a workflow to distinguish between unintentional accidents (equipment failure, operator error) and malicious cyber activity.
### Long-term Strategy (3+ months)
1. **Peer-to-Peer Knowledge Sharing:** Develop an anonymized information-sharing pipeline with industry partners to discuss "lessons learned" from incident reports (like the Polish power grid or Triton events) after the official findings are released.
2. **Integrate Engineering into Incident Response:** Move away from IT-centric incident response by embedding OT engineers into the formal cybersecurity incident team.
3. **Trend Monitoring:** Use retrospective analysis (multi-month reviews) to determine if incidents are "one-offs" or signify emerging trends in critical infrastructure targeting.
## Implementation Guidance
### For Small Organizations
- Focus on basic monitoring of Safety Instrumented Systems (SIS).
- Use external incident reports (e.g., from CERT Polska or Dragos) to benchmark your own risks without needing an in-house forensics team.
### For Medium Organizations
- Standardize the 12-hour reporting window to be internal-only to prevent public misinformation.
- Train operators to recognize the signs of cyber manipulation vs. mechanical failure.
### For Large Enterprises
- Establish a formal "Internal Incident Scoring" system that correlates financial/operational impact with the skill level and motive of the attacker.
- Lead industry working groups to standardize reporting formats that minimize media "inflation" while maximizing technical utility.
## Configuration Examples
*While primarily a policy/procedural article, the following technical focal points are identified:*
- **SIS Diagnostics:** Configure Safety Instrumented Systems to log all "Logic Changes" and "Force commands" to a write-once medium for forensic review.
- **Network Segmentation Logging:** Ensure that the gateway between the Polish Grid and Distributed Energy Resources (as cited in the Electrum report) has verbose logging enabled for unauthorized protocol attempts.
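The "write-once medium" point above is the part a forensic reviewer cares about: once a logic change or force command has been recorded, nobody (including an attacker who later gains the engineering workstation) should be able to quietly edit or delete the record. The following is an added example, not code from the article or from any SIS vendor: a small hash-chained, append-only log of SIS `LOGIC_CHANGE` and `FORCE` events, with a verifier that reports the first record at which the chain was broken. Event names, the `SisChangeLog` class, and the sample events are all constructed for illustration; on a real system each line would be written to WORM storage and the latest chain hash copied off-host.

```python
"""Tamper-evident log for SIS logic-change and force-command events.

Added example (hypothetical design, not from the article). Each record carries
the SHA-256 of (previous hash + canonical JSON of the event), so editing or
deleting any earlier record invalidates everything after it. This approximates
the "write-once" property for forensic review of Safety Instrumented Systems.
"""
import hashlib
import json

GENESIS = "0" * 64                      # chain anchor for the first record
EVENT_FIELDS = ("ts", "source", "kind", "target", "detail")
ALLOWED_KINDS = ("LOGIC_CHANGE", "FORCE")


def _record_hash(prev_hash: str, event: dict) -> str:
    """Hash of the previous record's hash plus a canonical rendering of the event."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class SisChangeLog:
    """Append-only, hash-chained list of SIS change events (in memory here;
    a production version would append each line to WORM media)."""

    def __init__(self):
        self.lines = []

    def append(self, ts: str, source: str, kind: str, target: str, detail: str) -> str:
        """Record one event and return its chain hash."""
        if kind not in ALLOWED_KINDS:
            raise ValueError(f"unsupported event kind: {kind!r}")
        prev = self.lines[-1]["hash"] if self.lines else GENESIS
        event = {"ts": ts, "source": source, "kind": kind,
                 "target": target, "detail": detail}
        record = dict(event, prev=prev, hash=_record_hash(prev, event))
        self.lines.append(record)
        return record["hash"]


def verify_chain(lines) -> tuple:
    """Walk the chain from GENESIS; return (True, None) if intact, otherwise
    (False, index) where index is the first record that no longer verifies."""
    prev = GENESIS
    for i, rec in enumerate(lines):
        event = {k: rec[k] for k in EVENT_FIELDS}
        if rec["prev"] != prev or rec["hash"] != _record_hash(prev, event):
            return False, i
        prev = rec["hash"]
    return True, None


def active_forces(lines) -> list:
    """Targets with a FORCE 'ON' not followed by a FORCE 'OFF': a forensic
    reviewer wants to know which safety I/O points were still overridden."""
    forced = {}
    for rec in lines:
        if rec["kind"] != "FORCE":
            continue
        if rec["detail"].endswith("ON"):
            forced[rec["target"]] = rec["ts"]
        elif rec["detail"].endswith("OFF"):
            forced.pop(rec["target"], None)
    return sorted(forced)


def demo() -> dict:
    """Build a log from constructed sample events, then show that both an
    in-place edit and a deletion are detected by the verifier."""
    log = SisChangeLog()
    log.append("2024-03-01T08:00:00Z", "eng-ws-01", "LOGIC_CHANGE",
               "SIS-PLC-1", "program download rev 12")
    log.append("2024-03-01T08:05:00Z", "eng-ws-01", "FORCE",
               "SIS-PLC-1/DI_0042", "force ON")
    log.append("2024-03-01T08:40:00Z", "eng-ws-01", "FORCE",
               "SIS-PLC-1/DI_0042", "force OFF")
    log.append("2024-03-01T09:10:00Z", "eng-ws-02", "FORCE",
               "SIS-PLC-1/DO_0007", "force ON")

    intact = verify_chain(log.lines)
    still_forced = active_forces(log.lines)

    edited = [dict(r) for r in log.lines]          # copy, then tamper with record 1
    edited[1]["detail"] = "force OFF"
    edit_result = verify_chain(edited)

    truncated = log.lines[1:]                       # delete the first record
    delete_result = verify_chain(truncated)

    return {"intact": intact, "still_forced": still_forced,
            "after_edit": edit_result, "after_delete": delete_result}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The chain only proves that records have not been altered after the fact; it does not prevent an attacker who controls the logging host from simply not writing an event. That is why the hash of the latest record should be exported regularly to a system the engineering network cannot reach, so a later reviewer can check that the on-site log still ends where it should.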
## Compliance Alignment
- **ISA/IEC 62443:** Specifically WG16 (Incident Management) and WG14 (Security profiles for substations).
- **NIST SP 800-61:** Revise for OT-specific incident handling timelines.
- **NERC CIP:** Alignment with briefing requirements for bulk power systems.
## Common Pitfalls to Avoid
- **The "12-Hour Rush":** Reporting definitive causes too early often leads to inaccurate attribution (e.g., the San Bruno pipeline example).
- **PR-Led Reporting:** Allowing non-engineers (salesmen, PR, C-suite) to lead the technical narrative of an OT incident.
- **Assuming "Green" Means Secure:** Relying on manufacturers' basic diagnostics after a shutdown without conducting independent forensic analysis (e.g., the Triton incident).
## Resources
- **OT Incident Impact Score Initiative:** [Proposed by industry leaders to de-inflate media reporting]
- **CERT Polska (CERT.pl):** Official incident reports for the energy sector.
- **ISA 62443 Standards:** hxxps://www[.]isa[.]org/isa62443
- **NERC Briefing Library:** Access official briefings on electrical system incidents.