Incident Response in an OT Context
Exercise 1: A fictitious OT company under attack
Cybersecurity Scenario: “2clever4u”
You are one of the managers of Oil Transport AG, a company active in the oil business. Your company has received credible intelligence that a sophisticated and determined threat actor, codenamed “2clever4u,” is currently conducting a large-scale cyberattack against your organization’s operational technology (OT) infrastructure.
Objectives:
The goal of this initial exercise is to gauge your existing knowledge of Incident Response. After assessing the information below and discussing it with your team partners, state what
- you would have done before the incident
- you would do during the incident
- you would do after the incident
- any other comment you believe is of relevance
In groups of 4 you have 15 minutes to discuss your approach and present your findings to the Oil Transport AG executive board. Good luck!
Company description
- Company Name: Oil Transport AG
- Industry: Oil and Gas, with a strong focus on renewable energy transition.
- Headquarters: Geneva, Switzerland
- Size: Mid-sized, employing around 500 personnel across various locations in Switzerland and abroad.
- Operations:
  - Upstream: Oil Transport operates several oil and gas fields in the North Sea (UK sector) and the Mediterranean Sea (Egyptian waters). They also hold exploration licenses for potential prospects in Switzerland.
  - Midstream: The company owns and operates a significant portion of the Swiss pipeline network, transporting crude oil, refined products, and natural gas from production sites to refineries and distribution centers across the country.
  - Downstream: Oil Transport AG operates two state-of-the-art refineries in Basel and Schaffhausen, with a combined processing capacity of 200,000 barrels per day (bpd). These refineries supply fuel to local markets and export refined products to neighboring countries.
  - Renewable Energy: Recognizing the need for energy transition, Oil Transport has invested in renewable energy projects. They operate several hydropower plants in the Swiss Alps and have plans to develop wind farms along the Swiss coasts of Lake Geneva and Lake Constance. Additionally, they are exploring opportunities in biofuels and solar power.
Organizational Structure:
Oil Transport AG is organized into the following departments:
- Exploration & Production
- Midstream Operations
- Refining & Marketing
- Renewable Energy
- Corporate Functions (Finance, HR, Legal, etc.)
List of events related to the alleged incident
| Time (CET) | Event Description |
|---|---|
| 7:30 | Incident ticket opened with helpdesk reporting ransom demand; immediate callback requested. |
| 8:00 | Further staff member receives email from hacker, computer screen freezes; calls helpdesk for assistance. |
| 8:10 | Another staff member reports receiving a ransom demand via email to the helpdesk. This person is the 25th to report such problems so far. |
| 8:30 | Crisis cell formed (Director + IT, HR, Finance, Communication reps). |
| 9:00 | Hacker calls CEO’s mobile; demands 500k CHF in BTC within 24h. Threatens data leak, server encryption - including refinery control systems. |
| 9:30 | Journalists call seeking information, claim to be informed by hackers. |
| 9:40 | Industry partner calls expressing concern about potential data leaks; threatens legal action if not informed. |
| 9:50 | Staff member calls IT manager for guidance on working/teleworking status. Complains about lack of communication from management. |
| 10:00 | Staff member visits manager’s office seeking information on work/telework status. Complains about lack of communication. |
| 10:20 | Hacker contacts director, reiterates threats, reminds of 24h deadline; announces sample data to be sent as proof. |
| 10:30 | Hacker contacts director again after sending proof. If 24h deadline is deemed too short, hacker extends it to 48h and doubles ransom demand to 1 million CHF. |
Exercise 2: BIA case studies
Given the following papers:
- Calculating Business Impact Assessment of Cyber-Threats (Team: https://github.com/SecIndOpT/case_study_bia_the_laughing_llamas)
- Cybersecurity Challenges for Manufacturing Systems 4.0: Assessment of the Business Impact Level (Team: https://github.com/SecIndOpT/case_study_bia_team_tater_tots)
Write a 1-page summary containing:
- a short summary
- whether the prioritization has been realized using BIA (Business Impact Assessment)
- what methodology has been used and how
- whether it was an OT or an IT contextual environment
- conclusion of the lessons learned or any other pertinent take away
Exercise 3: Creation of an incident response plan for a small pharmaceutical production plant
Contextual information
In the highly regulated and competitive pharmaceutical industry, ensuring the continuous and safe production of high-quality medications is paramount. Small pharmaceutical production plants play a crucial role in the supply chain, often specializing in niche or innovative products. These plants rely on a combination of advanced operational technology (OT) and information technology (IT) systems to maintain efficiency, compliance, and product quality.
Operational disruptions, data breaches, or cyber-attacks can have severe consequences, including production downtime, compromised product quality, regulatory non-compliance, and reputational damage. Therefore, it is essential to have a robust Incident Response Plan tailored to the specific needs and risks of a small pharmaceutical production plant.
This exercise focuses on developing such an Incident Response Plan, emphasizing the importance of service continuity and the protection of critical assets. By building on a Business Impact Assessment (BIA) and outlining an incident response plan, you gain practical experience in managing cybersecurity incidents in a realistic industrial setting.
Assets and Services
List of Assets
- Operational Technology (OT) Assets:
  - Supervisory Control and Data Acquisition (SCADA) System: monitors and controls the production process.
  - Programmable Logic Controllers (PLCs): control specific machinery and processes.
  - Human-Machine Interfaces (HMIs): allow operators to interact with the control systems.
  - Sensors and Actuators: monitor environmental conditions and control equipment.
  - Industrial Network Switches and Routers: facilitate communication between OT devices.
- Information Technology (IT) Assets:
  - Enterprise Resource Planning (ERP) System: manages business processes and data.
  - Manufacturing Execution System (MES): tracks and documents the production process.
  - Database Servers: store production data, recipes, and batch records.
  - File Servers: store documents, SOPs, and other critical files.
  - Workstations and Laptops: used by employees for various tasks.
  - Email and Communication Servers: facilitate internal and external communication.
  - Network Switches and Routers: facilitate communication between IT devices.
- Physical Assets:
  - Production Equipment: reactors, mixers, filling machines, etc.
  - Utilities: power supply, Heating, Ventilation, and Air Conditioning (HVAC) systems, water treatment.
  - Facility Infrastructure: buildings, laboratories, storage areas.
Services and Associated Assets
- Production Service:
  - Description: responsible for the manufacturing of pharmaceutical products.
  - Assets:
    - SCADA System
    - PLCs
    - HMIs
    - Sensors and Actuators
    - Production Equipment
    - Utilities
    - Industrial Network Switches and Routers
- Quality Control Service:
  - Description: ensures that products meet quality standards and regulatory requirements.
  - Assets:
    - MES
    - Database Servers
    - Laboratory Equipment
    - Sensors and Actuators
- Supply Chain Management Service:
  - Description: manages the procurement of raw materials and distribution of finished products.
  - Assets:
    - ERP System
    - Database Servers
    - Workstations and Laptops
    - Email and Communication Servers
    - Network Switches and Routers
- Facility Management Service:
  - Description: maintains the infrastructure and utilities of the plant.
  - Assets:
    - Utilities
    - Facility Infrastructure
    - All Network Switches and Routers
- Information Technology Service:
  - Description: provides IT support and maintains IT infrastructure.
  - Assets:
    - ERP System
    - MES
    - Database Servers
    - File Servers
    - Workstations and Laptops
    - Email and Communication Servers
    - Network Switches and Routers
Business Impact Assessment
| Service | Operational Impact (1-5) | Financial Impact (1-5) | Reputational Impact (1-5) | Total Score |
|---|---|---|---|---|
| Production Service | 5 | 5 | 5 | 15 |
| Quality Control Service | 4 | 4 | 4 | 12 |
| Supply Chain Management | 4 | 5 | 3 | 12 |
| Facility Management Service | 4 | 4 | 3 | 11 |
| Information Technology Service | 3 | 3 | 3 | 9 |
Rationale
- Production Service:
  - Operational Impact (5): the production service is the core of the plant’s operations. Any disruption directly halts the manufacturing of pharmaceutical products, leading to an immediate operational standstill.
  - Financial Impact (5): production downtime results in significant financial losses due to halted revenue generation and potential contractual penalties.
  - Reputational Impact (5): failure to deliver products on time can damage relationships with customers and regulatory bodies, severely impacting the plant’s reputation.
- Quality Control Service:
  - Operational Impact (4): quality control ensures that products meet regulatory standards. Disruptions can lead to production delays and potential non-compliance issues.
  - Financial Impact (4): non-compliance can result in fines and the cost of reworking or discarding non-compliant batches.
  - Reputational Impact (4): quality issues can lead to product recalls and loss of customer trust, affecting the plant’s market standing.
- Supply Chain Management Service:
  - Operational Impact (4): efficient supply chain management is crucial for timely procurement of raw materials and distribution of finished products. Disruptions can lead to production delays.
  - Financial Impact (5): delays in procurement or distribution can result in increased costs and lost sales opportunities.
  - Reputational Impact (3): while important, supply chain issues may have a slightly lower reputational impact compared to production and quality control.
- Facility Management Service:
  - Operational Impact (4): facility management ensures the smooth operation of utilities and infrastructure. Disruptions can affect production but are often mitigated by backup systems. However, Facility Management, including OT networking, is critical for maintaining production environments.
  - Financial Impact (4): disruptions can lead to increased maintenance costs and potential production delays.
  - Reputational Impact (3): facility issues are less visible to customers and regulatory bodies, resulting in a lower reputational impact.
- Information Technology Service:
  - Operational Impact (3): IT services support various functions, including production, quality control, and supply chain management. Disruptions can affect multiple areas but are often mitigated by redundancy.
  - Financial Impact (3): IT outages can lead to productivity losses and increased support costs.
  - Reputational Impact (3): IT issues can affect internal operations and communication, but the reputational impact is generally moderate.
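To make the prioritization step concrete, here is an added worked example (not part of the exercise material) that takes the service scores and the service-to-asset mapping above and derives an asset-level criticality that a recovery plan can be ordered by. The rule it applies, namely that an asset inherits the highest Total Score of any service depending on it, with the number of dependent services as tie-breaker, is an assumption chosen for illustration, and the “All Network Switches and Routers” entry of the Facility Management Service is read as both the IT and the industrial switches.

```python
"""Derive asset criticality from the service-level BIA scores.

Added worked example, not part of the exercise. The scores and the
service-to-asset mapping are copied from the tables above; the
derivation rule (asset inherits the highest Total Score of a dependent
service, ties broken by how many services depend on it) is an assumption
made here for illustration.
"""

# Service -> (operational, financial, reputational), each scored 1-5 as in the BIA table.
BIA_SCORES = {
    "Production Service": (5, 5, 5),
    "Quality Control Service": (4, 4, 4),
    "Supply Chain Management Service": (4, 5, 3),
    "Facility Management Service": (4, 4, 3),
    "Information Technology Service": (3, 3, 3),
}

# Service -> assets it depends on, from "Services and Associated Assets".
# "All Network Switches and Routers" is interpreted as both switch groups (assumption).
SERVICE_ASSETS = {
    "Production Service": [
        "SCADA System", "PLCs", "HMIs", "Sensors and Actuators",
        "Production Equipment", "Utilities", "Industrial Network Switches and Routers",
    ],
    "Quality Control Service": [
        "MES", "Database Servers", "Laboratory Equipment", "Sensors and Actuators",
    ],
    "Supply Chain Management Service": [
        "ERP System", "Database Servers", "Workstations and Laptops",
        "Email and Communication Servers", "Network Switches and Routers",
    ],
    "Facility Management Service": [
        "Utilities", "Facility Infrastructure",
        "Industrial Network Switches and Routers", "Network Switches and Routers",
    ],
    "Information Technology Service": [
        "ERP System", "MES", "Database Servers", "File Servers",
        "Workstations and Laptops", "Email and Communication Servers",
        "Network Switches and Routers",
    ],
}


def total_score(service: str) -> int:
    """Total Score column of the BIA table: plain sum of the three dimensions."""
    return sum(BIA_SCORES[service])


def rank_services() -> list:
    """Services ordered by Total Score, highest first (stable for equal scores)."""
    return sorted(BIA_SCORES, key=total_score, reverse=True)


def asset_criticality() -> dict:
    """Map each asset to (highest Total Score among dependent services, number of them).

    A shared asset inherits the most critical service that needs it: the
    database servers are treated at the Quality Control level (12) even
    though the IT Service alone only scores 9.
    """
    crit = {}
    for service, assets in SERVICE_ASSETS.items():
        score = total_score(service)
        for asset in assets:
            best, count = crit.get(asset, (0, 0))
            crit[asset] = (max(best, score), count + 1)
    return crit


def restoration_order() -> list:
    """Assets in the order a recovery plan would address them: highest inherited
    score first, then the asset blocking the most services, then by name."""
    crit = asset_criticality()
    return sorted(crit, key=lambda a: (-crit[a][0], -crit[a][1], a))


if __name__ == "__main__":
    for service in rank_services():
        print(f"{service:32} total={total_score(service)}")
    print()
    crit = asset_criticality()
    for asset in restoration_order():
        score, n_services = crit[asset]
        print(f"{asset:40} inherited={score:2} dependent services={n_services}")
```

The output is the kind of asset-priority list an incident response plan can reference in its containment and recovery sections; the weighting is deliberately simple so that the BIA figures, not the script, drive the ranking.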
Note
The above assessment could obviously yield different results, depending on how one assesses the different services and the related assets. However, as in a real situation, one should not question the BIA too much and should assume the work has been done professionally. As a result, you should use these results as if they were “correct”. In a real situation, obviously, it would help if you could ask for clarifications in case of doubt.
Your task
Based on the information above, define an Incident Response Plan for this small pharmaceutical production plant, whose Incident Response Planning Team you are leading.
Note
Make the plan thorough but not too long - surely below 6 pages (ideally 4-5).
Example
In case you are looking for inspiration, you may look at the plan template called Coordinated Healthcare Incident Response Plan: https://healthsectorcouncil.org/wp-content/uploads/2023/07/HIC-CHIRP-FINAL_1.pdf
Exercise 4: (Optional) Check the options for monitoring and alerting in your favourite tool(s)
This is an optional exercise, though an interesting and useful one: check whether your favourite monitoring, network analysis and threat detection tools support Operational Technology protocols, flows, behaviour, …
As an example, one may take ntopng (https://www.ntop.org/products/traffic-analysis/ntop/) and see that it does support certain OT protocols like OPC UA, IEC 60870, Modbus, … For instance, if one takes the OPC UA Server / Client we used a few weeks back (see Implement your own OPC UA), one would see that there is a specific IoT-Scada category in the application filter and that, assuming there is OPC UA traffic on localhost, the OPC UA traffic would be recognized and qualified, as illustrated by the two views:
- Flow recognition
- Flow qualification
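To see what “flow recognition” and “flow qualification” amount to underneath a tool like ntopng, here is an added example (not ntopng’s code and not part of the original page) that recognises OPC UA and Modbus/TCP from the first bytes of a TCP payload using only the public header layouts of the two protocols (the OPC UA Part 6 TCP transport header and the Modbus MBAP header), and then qualifies Modbus flows by flagging write function codes, which are the flows an OT monitoring rule would surface. The sample payloads are constructed inline; the endpoint URL, unit id and register addresses are placeholders.

```python
"""Recognise OPC UA and Modbus/TCP from the first bytes of a TCP payload.

Added example, not code from ntopng or from the original page. Header
layouts follow the public specifications: OPC UA Part 6 (TCP transport:
3-byte message type, 1-byte chunk type, uint32 little-endian size) and
Modbus/TCP (MBAP: transaction id, protocol id 0, length, unit id, then
the PDU). All sample payloads below are constructed in this file.
"""
import struct

OPCUA_MESSAGE_TYPES = {b"HEL", b"ACK", b"ERR", b"RHE", b"MSG", b"OPN", b"CLO"}
OPCUA_CHUNK_TYPES = {ord("F"), ord("C"), ord("A")}  # Final, Chunk, Abort

MODBUS_FUNCTIONS = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}
MODBUS_WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}  # function codes that change PLC state


def parse_opcua(payload: bytes):
    """Return header info if payload starts with an OPC UA TCP message, else None."""
    if len(payload) < 8:
        return None
    msg_type, chunk = payload[:3], payload[3]
    if msg_type not in OPCUA_MESSAGE_TYPES or chunk not in OPCUA_CHUNK_TYPES:
        return None
    size = struct.unpack_from("<I", payload, 4)[0]
    if size < 8 or size > len(payload):  # size includes the 8 header bytes
        return None
    info = {"message_type": msg_type.decode(), "chunk_type": chr(chunk), "size": size}
    if msg_type == b"HEL" and size >= 32:
        # HEL body: ProtocolVersion, ReceiveBufferSize, SendBufferSize,
        # MaxMessageSize, MaxChunkCount (5 x uint32), then EndpointUrl as an
        # int32 length-prefixed UTF-8 string. The URL is what a monitoring
        # tool displays once it has "qualified" the flow.
        url_len = struct.unpack_from("<i", payload, 28)[0]
        if 0 <= url_len <= size - 32:
            info["endpoint_url"] = payload[32:32 + url_len].decode("utf-8", "replace")
    return info


def parse_modbus(payload: bytes):
    """Return MBAP/PDU info if payload looks like exactly one Modbus/TCP ADU, else None."""
    if len(payload) < 8:
        return None
    txn, proto, length, unit = struct.unpack_from(">HHHB", payload, 0)
    # Protocol id is always 0; length counts unit id + PDU, i.e. everything after it.
    if proto != 0 or length < 2 or length != len(payload) - 6:
        return None
    fc = payload[7]
    if (fc & 0x7F) == 0:  # function code 0 does not exist; 0x80 is only the exception bit
        return None
    return {
        "transaction_id": txn, "unit_id": unit, "function_code": fc,
        "function": MODBUS_FUNCTIONS.get(fc & 0x7F, "other/vendor-specific"),
        "exception": bool(fc & 0x80),
    }


def classify_payload(payload: bytes):
    """Flow recognition: returns ('opcua' | 'modbus' | 'unknown', info dict)."""
    for name, parser in (("opcua", parse_opcua), ("modbus", parse_modbus)):
        info = parser(payload)
        if info is not None:
            return name, info
    return "unknown", {}


def needs_alert(protocol: str, info: dict) -> bool:
    """Flow qualification: Modbus writes change process state, so they are the
    flows an OT monitoring rule should surface (e.g. when sent by an unexpected host)."""
    return protocol == "modbus" and (info["function_code"] & 0x7F) in MODBUS_WRITE_FUNCTIONS


# --- constructed sample traffic ---------------------------------------------

def build_opcua_hello(endpoint_url: str) -> bytes:
    """Client Hello sent when an OPC UA connection is opened (buffer sizes arbitrary)."""
    url = endpoint_url.encode()
    body = struct.pack("<IIIII", 0, 65536, 65536, 0, 0) + struct.pack("<i", len(url)) + url
    return b"HELF" + struct.pack("<I", 8 + len(body)) + body


def build_modbus_request(txn: int, unit: int, function: int, data: bytes = b"") -> bytes:
    """Modbus/TCP request ADU: MBAP header followed by function code and data."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", txn, 0, len(pdu) + 1, unit) + pdu


if __name__ == "__main__":
    samples = {  # constructed, placeholder values
        "opcua hello": build_opcua_hello("opc.tcp://localhost:4840/"),
        "modbus read": build_modbus_request(1, 1, 3, b"\x00\x00\x00\x0a"),   # 10 holding registers from 0
        "modbus write": build_modbus_request(2, 1, 6, b"\x00\x01\x00\xff"),  # register 1 := 0x00ff
        "http": b"GET / HTTP/1.1\r\nHost: localhost\r\n\r\n",
    }
    for label, payload in samples.items():
        proto, info = classify_payload(payload)
        print(f"{label:13} -> {proto:8} alert={needs_alert(proto, info)} {info}")
```

A production tool such as ntopng keeps state across packets, checks both directions of the flow and applies many more heuristics; this example only shows the first-packet signature and one qualification rule, which is enough to reason about what the IoT-Scada filter reacts to on localhost.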
Warning
Normally, the installation of the tool is trivial as long as one follows https://www.ntop.org/guides/ntopng/installation.html. However, for a native macOS installation, the package available is not compatible with the latest version of the OS. As a result, one needs a workaround: you can get the installation running through brew with `brew install ntopng redis && brew services start redis`, followed by `sudo ntopng --disable-login 1 --httpdocs-dir /opt/homebrew/Cellar/ntopng/6.2_2/share/ntopng/httpdocs -i lo0` (feel free to adapt the -i option to add or change the relevant interfaces to monitor).
Note: this will only get you the community edition with limited features, but enough to run the above example. Obviously, one can use Docker instead of a native installation.