Safety and Security Division


Considerations for Incident Response for Critical Infrastructure

By Durgesh Kalya posted 04 Dec, 2023 01:25 PM


Incident response is an integral facet of cybersecurity, which encompasses the meticulous process of identifying, containing, and recovering from security incidents. While this practice is imperative for all organizations, its significance is magnified for entities classified as critical infrastructure organizations.
Critical infrastructure organizations are the lifeblood of society, providing essential services such as power generation, water supply, transportation systems, and telecommunications networks. The repercussions of a cyberattack on such entities can be catastrophic, affecting the well-being of countless individuals and businesses reliant on these indispensable services.

The Role of Process Control Systems

Supervisory Control and Data Acquisition (SCADA), Programmable Logic Controllers (PLC), Distributed Control Systems (DCS), and other process control systems play pivotal roles within various critical infrastructure sectors. These technologies are the backbone of operations, ensuring essential services' reliability, safety, and efficiency. Here's how they are integral components in these sectors:

Energy Sector:

SCADA systems are extensively employed in power generation and distribution. They monitor and control power plants, substations, and the electrical grid. PLCs are utilized in machinery control, while DCS manages complex processes within power plants.

Water and Wastewater Management:

SCADA systems enable the remote monitoring and control of water treatment plants, reservoirs, and distribution networks. PLCs and DCS facilitate precise control of pumps, valves, and chemical dosing systems.


Transportation:

SCADA systems oversee traffic management, railway signaling, and airport operations. PLCs control conveyor belts in baggage handling systems and provide automation in the manufacturing of vehicles and equipment.

Oil and Gas Industry:

SCADA systems monitor pipelines, drilling operations, and refineries. PLCs are used for automation in drilling rigs and processing facilities, while DCS manages complex processes in petrochemical plants.


Manufacturing:

PLCs are the backbone of manufacturing automation, controlling machinery and production lines. DCS optimizes industrial processes, ensuring product quality and efficiency.

Chemical and Pharmaceutical Industries:

DCS is crucial for precise control of chemical processes. At the same time, SCADA systems monitor safety and environmental parameters. PLCs manage mixing, packaging, and labeling in pharmaceutical production.


Telecommunications:

SCADA systems monitor and manage communication networks, ensuring uninterrupted services. PLCs control backup power systems in data centers.


Healthcare:

SCADA systems are employed in hospital infrastructure management, monitoring HVAC, security, and energy systems. PLCs control medical equipment and laboratory processes.

Public Safety:

SCADA systems are vital for emergency services, managing communication networks, and ensuring reliable operations during critical situations.

In simple terms, SCADA, PLCs, DCS, and other control systems are the essential gears that make critical infrastructure work smoothly. They allow operators to monitor processes remotely, make quick decisions, and automatically handle faults so that crucial services run without interruption. These systems are also called Industrial Access Control Systems (IACS). Because of this, it is vital to make sure these systems are robust and secure in order to protect critical infrastructure.

Increasing threat of ransomware to industrial control systems

The increasing threat of ransomware and the evolving landscape of networked process control systems or industrial control systems (ICS) pose significant challenges to critical infrastructure and incident response efforts.

Here are the key aspects:

Escalating Frequency:

Ransomware attacks have surged in frequency and sophistication over recent years, with critical infrastructure entities becoming prime targets. These attacks involve encrypting an organization's data and demanding a ransom for decryption.

High Impact:

Ransomware attacks on critical infrastructure can have severe consequences, leading to service disruptions, data loss, and financial losses. In some cases, lives and public safety can be at risk.


Targeted Attacks:

Cybercriminals have increasingly specialized in targeting critical infrastructure sectors, recognizing the potential for substantial ransoms and the critical nature of the services provided.

Rapid Evolution:

Ransomware tactics continue to evolve, with threat actors using advanced techniques such as double extortion (threatening to leak stolen data), supply chain attacks, and highly tailored spear-phishing campaigns.

Nation-State Involvement:

Some ransomware attacks are suspected to have nation-state involvement, blurring the lines between cybercriminals and state-sponsored actors. This complicates attribution and response efforts.

Limitations of traditional incident response:

While well-established and effective in many situations, traditional incident response approaches face several limitations when applied to critical manufacturing, oil, and gas facilities in today's digital age. These limitations arise from the increasing integration of digital technologies, automation, and IT infrastructure within operational technology (OT) environments.

Operational technology (OT) is the set of hardware, software, and communication systems that monitor, control, and automate industrial processes. OT systems are typically used in critical infrastructure industries such as manufacturing, energy, and transportation. They can include IACS and control system components, as well as the information technology components that are part of the control systems; the exact scope is defined by each organization so that the necessary security measures and controls can be applied appropriately.

In modern Operational Technology (OT) environments, traditional incident response faces several significant challenges. These challenges stem from the increasing complexity of these environments, the heightened cybersecurity threats they confront, and a range of specific issues:

Integration of IT and OT:

Modern critical infrastructure facilities heavily rely on integrating IT and OT systems. The interconnectivity of these systems can make it challenging to accurately identify a fire's source or its impact.

Legacy Systems:

Many critical manufacturing, oil, and gas facilities still operate with legacy systems that lack modern cybersecurity features, making them vulnerable to cyberattacks that could lead to fires or other incidents.

Increased Cyber Risks:

As critical infrastructure adopts digital technologies, it becomes more susceptible to cyber threats, including ransomware attacks that disable safety and fire prevention systems, leading to increased fire risks.

Cyber-Physical Attacks:

Malicious actors can launch cyber-physical attacks that manipulate digital and physical systems, potentially causing fires or explosions.

Data Silos:

Traditional incident response approaches may struggle to integrate real-time data from diverse OT systems, hindering the ability to quickly detect and respond to fire-related incidents.

Delay in Response:

Traditional incident response procedures may not account for the speed at which digital incidents, including cyberattacks, can escalate or spread within critical infrastructure systems. Delays in response can lead to more severe consequences.

Shortage of Cybersecurity Experts:

The shortage of skilled cybersecurity personnel in critical infrastructure sectors can limit the ability to respond effectively to cyber threats that could lead to fires.

Budget Constraints:

Adequate investments in modernizing and securing OT environments can be limited by budget constraints, leaving facilities vulnerable.

Regulatory Challenges:

Regulations and standards in critical infrastructure sectors may not be comprehensive or agile enough to address rapidly evolving digital threats and vulnerabilities effectively.


Scalability:

Traditional approaches may struggle to scale up to address large-scale incidents that affect extensive networks of interconnected facilities and systems.

Silos between IT and OT:

The separation between IT and OT teams can hinder effective collaboration during incident response efforts, as both teams need to work closely to address digital and physical threats.

Data Privacy Concerns:

Privacy regulations can complicate sharing incident-related data, which is critical for effective response and recovery efforts.

Compliance Challenges:

Meeting regulatory compliance requirements, especially when incidents involve data breaches, can be challenging within a rapidly evolving digital landscape.


Critical manufacturing, oil, and gas facilities must adapt their incident response strategies to the realities of today's digital age to address these limitations. This may involve implementing specialized cybersecurity incident response plans, conducting regular cybersecurity drills, investing in modernized and secure OT systems, and fostering collaboration between IT and OT teams. Additionally, regulatory bodies should continually update and adapt regulations to reflect the evolving threat landscape and promote cybersecurity best practices within critical infrastructure sectors.