incident response for industrial control systems

Developing Cyber Security Incident Response Plans for Industrial Control Systems

For many organizations, cyber security programs and cyber security incident response plans (CSIRPs) also need to consider industrial control systems (ICS) when we look at the protection of critical services. Most often, our discussions about CSIRPs focus on data security incidents. We know that across all industries, the data contained in information systems is a target, and our traditional approach follows the mantra of protecting the confidentiality, integrity and availability (CIA) of that data.

Control systems, however, run many of our nation’s critical infrastructure key resources (CIKR), so the main concern in the event of an ICS security breach shifts to resiliency: keeping the physical process safe and preserving or restoring service.

What Are Critical Infrastructure Key Resources (CIKR)?

CIKR sectors include:

  • Chemical
  • Commercial Facilities
  • Communications
  • Critical Manufacturing
  • Dams
  • Defense Industrial Base
  • Emergency Services
  • Energy
  • Financial Services
  • Food and Agriculture
  • Government Facilities
  • Healthcare and Public Health
  • Information Technology
  • Nuclear Reactors, Materials, and Waste
  • Transportation Systems
  • Water and Wastewater Systems

Applying the fundamental structure of an IT CSIRP template to control systems is a good place to start when developing a plan. It will need to cover common content areas such as:

  • Plan Objectives
  • Incident Descriptions
  • Roles/Responsibilities
  • Detection/Discovery, Response
  • Notifications/Communications
  • Forensics
  • Incident Closure

However, there are distinct differences to consider when creating the core content. For starters, it is important to describe and define the incidents that apply to the ICS environment. Incident classifications should be clearly cyber related and distinguished from other causes that can produce similar symptoms, such as equipment failures or environmental issues, so that responders know when the plan applies.

Another area of the ICS CSIRP that will likely differ from the IT CSIRP is content related to notifications and communications.

Requirements for internal and external communications should be thoroughly documented and updated regularly, as contacts change over time. For example, external entities may include ICS-CERT/US-CERT contact numbers and information, relevant regulatory authorities, law enforcement, and third-party vendors specific to control systems technology and forensics.

As you work to develop your ICS CSIRP, you should plan for the specific nuances of ICS forensics and ensure team members are aware of best practices for evidence collection and handling. For detailed recommendations on this topic, check out the Department of Homeland Security (DHS) guide “Recommended Practice: Creating Cyber Forensics Plans for Control Systems.”

A written, documented plan is only as good as the ink on the paper until you see it in action. As always, we highly recommend that you practice incident response on a regular basis by conducting cyber security exercises. Exercising your plan helps team members build muscle memory and the confidence to reduce response cycle time. A plan always has room for improvement; it is an ongoing work in progress.

In our white paper, “Can Your Security Team Handle a Breach?” we discuss the different types of exercises you can run to better prepare your team for scenarios specific to your business.