Does your detection work?

Will it identify aspects of a cyber attack as designed? Will it present the events / alerts / information to the appropriate role? Does that role understand their Call Outs?

This week you will test each detection source and each Call Out identified the previous week. This is not a penetration test. It is a basic test of the technology, and a training exercise for the Call Out roles.

The detection testing will require a benign trigger, one that won't damage the ICS or the process. This could be test malware, someone in OT or IT security running probes, or using the ICS itself to cause the event.

For example, if you generate a detection alert any time an application or logic in a PLC is changed, then you can use the EWS or PLC programming software to make a non-impacting change to the logic. Does the detection tool generate the expected alert? Do the applicable roles know what to do with any prescribed Call Out?

Document and keep the process and tools you use for this task, as you should repeat it periodically. Follow-up actions should be created for any detection or Call Out failures.
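As an added example (not part of the original page or any vendor's tooling), the harness below walks through the PLC logic-change case: a detection rule runs over a constructed sample of monitoring-tool log lines, an alert is routed to the Call Out role, and the result is recorded in the Detection Event / Call Out / Method of Testing / Pass/Fail form, with a follow-up action generated on any failure. The log format, the field names, the rule-to-role mapping and the role name are all assumptions made for the example.

```python
"""
Added example: a small benign-trigger detection test harness for an ICS
monitoring feed. Nothing here is from the page or a real product; the
log format, regex, role names and mapping are constructed assumptions.
"""
from dataclasses import dataclass, field
import re

# Constructed sample log lines standing in for the ICS monitoring tool's feed.
# The middle line is the benign, non-impacting logic download made from the EWS.
SAMPLE_LOG = """\
2024-03-04T10:01:12Z plc=PLC-07 src=EWS-01 event=heartbeat
2024-03-04T10:02:40Z plc=PLC-07 src=EWS-01 event=logic_download user=engineer3
2024-03-04T10:02:41Z plc=PLC-07 src=EWS-01 event=heartbeat
"""

# Assumed log layout: a logic change shows up as event=logic_download.
LOGIC_CHANGE = re.compile(
    r"plc=(?P<plc>\S+) src=(?P<src>\S+) event=logic_download(?: user=(?P<user>\S+))?"
)

# Assumed mapping of detection event to the role that receives the Call Out.
CALL_OUTS = {"PLC logic changed": "OT Engineering Lead"}


@dataclass
class Alert:
    detection_event: str
    call_out: str            # role the alert is presented to
    details: dict = field(default_factory=dict)


@dataclass
class TestRecord:
    detection_event: str
    call_out: str
    method_of_testing: str
    passed: bool
    follow_up: str = ""      # non-empty only when the test failed


def detect_logic_changes(log_text):
    """Detection rule: one alert per logic download seen in the feed."""
    alerts = []
    for line in log_text.splitlines():
        m = LOGIC_CHANGE.search(line)
        if m:
            alerts.append(Alert("PLC logic changed",
                                CALL_OUTS["PLC logic changed"],
                                m.groupdict()))
    return alerts


def run_detection_test(log_text, expected_event, expected_role,
                       method, role_acknowledged):
    """Verify, after the benign trigger, that the detection source alerted
    to the right role AND that the role carried out its Call Out.
    role_acknowledged is the observed outcome of the training exercise."""
    alerts = detect_logic_changes(log_text)
    alert_fired = any(a.detection_event == expected_event
                      and a.call_out == expected_role for a in alerts)
    passed = alert_fired and role_acknowledged
    follow_up = ""
    if not alert_fired:
        follow_up = "Detection failure: fix detection source for " + expected_event
    elif not role_acknowledged:
        follow_up = "Call Out failure: retrain " + expected_role + " on " + expected_event
    return TestRecord(expected_event, expected_role, method, passed, follow_up)


def format_record(rec):
    """One row of the Detection Event / Call Out / Method / Pass-Fail record."""
    return " | ".join([rec.detection_event, rec.call_out, rec.method_of_testing,
                       "Pass" if rec.passed else "Fail"])


if __name__ == "__main__":
    rec = run_detection_test(SAMPLE_LOG, "PLC logic changed", "OT Engineering Lead",
                             "Non-impacting logic change from EWS", True)
    print(format_record(rec))
    if rec.follow_up:
        print("Follow-up:", rec.follow_up)
```

The two failure branches are kept separate on purpose: a missing alert is a technology problem for the detection source owner, while an alert that fired but was not acted on is a training problem for the Call Out role, and the follow-up action should go to different people in each case.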

Detection test record (one row per detection source and Call Out tested):

Detection Event | Call Out | Method of Testing | Pass/Fail
--------------- | -------- | ----------------- | ---------
                |          |                   |
                |          |                   |
                |          |                   |