Safety and Security Division


Considerations for Incident Response for Critical Infrastructure

By Durgesh Kalya posted 04 Dec, 2023 01:25 PM


Incident response is an important piece of the cybersecurity puzzle. It encompasses the meticulous process of identifying, containing, and recovering from security incidents. While this practice is imperative for all organizations, its significance is magnified for entities classified as critical infrastructure organizations.

Critical infrastructure organizations are part and parcel of our societies, providing essential services such as power generation, water supply, transportation systems, and telecommunications networks. The repercussions of a cyberattack on such entities can be catastrophic, affecting the well-being of countless individuals and businesses reliant on these indispensable services.

Supervisory Control and Data Acquisition (SCADA) systems, Programmable Logic Controllers (PLCs), Distributed Control Systems (DCS), and other process control systems play pivotal roles within various critical infrastructure sectors. These technologies are the backbone of operations, ensuring the reliability, safety, and efficiency of essential services. In simple terms, SCADA, PLCs, DCS, and other control systems are the essential gears that make critical infrastructure work smoothly. They monitor processes remotely, support quick decisions, and automatically handle upsets so that crucial services run without interruption. Collectively, these systems are also called Industrial Automation and Control Systems (IACS). Because of this, it is vital to ensure these systems are robust and secure in order to protect critical infrastructure.

Increasing threat of ransomware to industrial control systems

The increasing threat of ransomware and the evolving landscape of networked process control systems or industrial control systems (ICS) pose significant challenges to critical infrastructure and incident response efforts.

Over recent years, ransomware attacks have surged in frequency and sophistication, with critical infrastructure entities becoming prime targets. These attacks involve encrypting an organization's data and demanding a ransom for decryption. Ransomware attacks on critical infrastructure can have severe consequences, leading to service disruptions, data loss, and financial losses. In some cases, lives and public safety can be at risk. Cybercriminals have increasingly specialized in targeting critical infrastructure sectors, recognizing the potential for substantial ransoms and the critical nature of the services provided. Ransomware tactics continue to evolve, with threat actors using advanced techniques such as double extortion (threatening to leak stolen data), supply chain attacks, and highly tailored spear-phishing campaigns.

Nation-State Involvement:

Some ransomware attacks are suspected to have nation-state involvement, blurring the lines between cybercriminals and state-sponsored actors. This complicates attribution and response efforts.

Limitations of traditional incident response:

While well-established and effective in many situations, traditional incident response approaches face several limitations when applied to critical manufacturing, oil, and gas facilities in today's digital age. These limitations arise from the increasing integration of digital technologies, automation, and IT infrastructure within operational technology (OT) environments.

Traditional incident response faces several significant challenges in modern OT environments. These challenges stem from the increasing complexity of these environments, the heightened cybersecurity threats they confront, and a range of issues specific to OT.


Critical manufacturing, oil, and gas facilities must adapt their incident response strategies to the realities of today's digital age to address these limitations. This may involve implementing specialized cybersecurity incident response plans, conducting regular cybersecurity drills, investing in modernized and secure OT systems, and fostering collaboration between IT and OT teams. Additionally, regulatory bodies should continually update and adapt regulations to reflect the evolving threat landscape and promote cybersecurity best practices within critical infrastructure sectors.