Your manufacturing line is down. How fast do you need to have it back in operation to avoid a high or catastrophic consequence that you identified in Weeks 11 – 12? The same “how fast do you need it back in operation to avoid a high or catastrophic consequence” question is asked about the ability to deliver potable (drinkable) water to customers of a water treatment plant. Or a power plant delivering generated power to the grid.
This week you are not concerned about how to recover or what OT cyber assets need to be recovered. It’s not a cyber issue. It’s a business issue.
Begin by asking Operations if they have an RTO for the delivery of the product or service they produce in the cyber / physical process. You likely will find this does not exist, or you will be provided with a time period that a server or database could be restored.
The RTO you are looking for isn’t a cyber RTO. It’s not an OT RTO. It is an all cause RTO to get back to providing the minimal required product or service to your customers.
With this initial RTO estimate from Operations in hand, cross check the answer with formal or informal conversations with Finance, Risk Management, Customer Service and other organizations.
If you provide multiple products and services, you may have different RTOs. For example, a manufacturing company may have three different types of factories, each with its own RTO. The manufacturing company may accept operating manually at a lower yield at one factory.
An electric utility may have an RTO for tier 1 customers, such as police and hospitals, and a different RTO for residential customers.
Like last week’s task, use past outages as a sanity check for the RTO. If power outages or weather issues have caused multiple 24 – 36 hour outages each year, then a 2 hour RTO doesn’t make sense. Cyber attacks are one of many causes of an outage. The RTO is independent of the cause of outage.
Note: The RTO can also be tied back to the risk matrix. An outage greater than the RTO should result in a high or catastrophic consequence. You now know the cost and impact of outages from previous weeks’ tasks. There should be pain in outages less than the RTO. The RTO isn’t set to a level that the company won’t have a negative impact. Most RTOs are set too low in the first pass.
What is your RTO for producing your company’s products or services?