Abstract:Cyber incident response within Industrial Control Systems (ICS) is characterised by high levels of uncertainty and unpredictability and requires a multi-disciplined team that encompasses personnel business operations, Operational Technology (OT), IT, security operations and media engagement to be effective. Such teams require a dynamic decision framework to allow ICS operators to maintain services during the recovery of full operating capability. There is empirical evidence that static incident response playbooks do not provide enough flexibility in their definition to support situations outside of the scope of their initial definition, and that they have been ignored when cyber incidents have occurred. A thematic analysis of semi-structured interviews with ICS incident response professional identified three main areas of concern: communication, information sharing between knowledge areas, and achieving external buy-in.The Agile Incident Response for Industrial Control Systems (AIR4ICS) framework has been developed to integrate Agile techniques into the Cyber Security domain of incident response. AIR4ICS provides a dynamic approach to improve situational awareness, information sharing, collective decision-making and response flexibility within the unique context of ICS. The techniques used in AIR4ICS were initially shaped by interviews with professionals with experience of protecting ICS, structured using the Scrum methodology, and refined through a series of Cyber Incident Response exercises with Incident Response professionals facing-off against specialist ICS Red Teams.AIR4ICS has resulted in a framework that provides a modular approach that can be adapted to fit the working practices, skillsets and priorities of individual organisations. The framework improves communication, promotes information sharing between knowledge areas, and increases external buy-in.Ultimately, AIR4ICS provides a dynamic decision framework that allows Incident Response Teams to manage uncertainty and unpredictability to reduce the time taken to restore normal operations.

The Agile Incident Response for Industrial Control Systems (AIR4ICS) Framework

Agile Incident Response (AIR): Improving the Incident Response Process in Healthcare

Insights on Cooperative Defense for Multiple Industrial Security Technologies

The industrial control system cyber defence triage process

Rethinking Security Incident Response: The Integration of Agile Principles

Real-Time Intrusion Detection Based on Decision Fusion in Industrial Control Systems

Industrial Control Systems Security Validation Based on MITRE Adversarial Tactics, Techniques, and Common Knowledge Framework

Understanding Indicators of Compromise against Cyber-Attacks in Industrial Control Systems: A Security Perspective

EMS, Incident Command System (ICS)

An Integrated Cyber-Physical Risk Assessment Framework for Worst-Case Attacks in Industrial Control Systems

Towards Incident Response Orchestration and Automation for the Advanced Metering Infrastructure

An evaluation framework for industrial control system cyber incidents

Alignment of Cybersecurity Incident Prioritisation with Incident Response Management Maturity Capabilities

A Unified Architectural Approach for Cyberattack-Resilient Industrial Control Systems

A Threat Hunting Framework for Industrial Control Systems

A Cooperative Incident Response System

ICSrange: A Simulation-based Cyber Range Platform for Industrial Control Systems

DSACR: A defense-based system with adaptive cyber resilience for industrial control systems

An Analytics Framework for Heuristic Inference Attacks against Industrial Control Systems

ICSSIM-A Framework for Building Industrial Control Systems Security Simulation Testbeds