Call outs are common in Operations: if this happens, contact this person, take this action, watch this reading, order this maintenance, and so on. Your task this week is to create OT detection call outs, the beginning of response. A call out is an action assigned to a role.

Operators 

Most ICS in OT have Operators who monitor and control a physical process, often on a 24 x 7 basis. Can you use this resource as part of your response strategy? They are not security experts, so you shouldn't expect them to perform analysis. They also have a job to do, so you shouldn't assign them anything time consuming.

They can watch rarely triggered security alarms and follow a call out decision tree. For example, they could monitor endpoint detection alerts. Certain alerts on certain cyber assets could lead them to isolate the cyber asset, shut down a subsystem, or contact an on-call OT security resource. Any action that touches the process, such as isolating an asset or shutting down a subsystem, should be signed off by Operations in advance, so the Operator is executing a decision rather than making one.

Engineers and Technicians

These are the roles usually called when the ICS or the process is not working properly. The call out triggers for Engineers and Technicians may be less specific than those for Operators, for example an unexplained and repeated case where directly measured process data does not match the values in the ICS.

Engineers and Technicians should also have OT security related call outs. When, and under what circumstances, should they involve OT Security? Incident response? Whom should they contact, and how?

OT Security

The OT Security team is likely involved in the monitoring of OT detection information sources as defined in earlier weeks. They are trained and tasked with analyzing this detection information. Under what circumstances should they contact leadership in Operations? When should they contact Operators? Engineers? The OT Incident Response Team?

Are there specific and immediate actions OT Security should take when detection has identified a specific attack, actions that Operations has already signed off on?

IT Security

Almost all OT cyber incidents through 2024 have reached OT through IT. IT Security should have a call out to notify OT Security and/or Operations when there is malicious activity on IT that could endanger OT. There may also be call outs associated with response escalation.

For example, ransomware on IT could trigger a call out to the on-call OT Security professional and the VP Operations. It could also trigger a change to OT electronic perimeter security, such as disconnecting interfaces on the firewall or disabling certain firewall rules.

_________

Use the format below, or create your own format, to document your call outs and escalation tasks. Then add this to your OT Security training requirements for the applicable roles. If you can begin the OT detection call out process this week, it’s a successful week. Perhaps begin by creating one call out for each OT detection information source that you identified for monitoring in Week 44.

Event | Identifying Role | Call Out
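As an added illustration, not part of the original post, here is one way to hold the Event | Identifying Role | Call Out table in machine-readable form so it can be checked rather than only read: each rule names the identifying role and its pre-approved actions, the most specific matching rule wins (an asset-specific call out beats a zone-wide one), and a coverage check flags any monitored detection source that has no call out at all. The source names, zones, asset names, roles and actions are constructed assumptions, not a real site's call outs.

```python
"""
Constructed example: OT detection call outs as a small rule table.

Each rule maps an event pattern (detection source, alert, zone, asset) to the
role that identifies it and the pre-approved actions that role takes.
Sources, zones, asset names and actions are illustrative assumptions.
"""
from dataclasses import dataclass

WILDCARD = "*"


@dataclass(frozen=True)
class Event:
    source: str        # detection information source being monitored
    alert: str         # alert type within that source
    zone: str = ""     # network zone of the affected asset ("it", "ot_l2", ...)
    asset: str = ""    # affected cyber asset, if any


@dataclass(frozen=True)
class CallOut:
    role: str                 # Identifying Role column
    actions: tuple            # Call Out column: immediate, pre-approved actions
    escalate_to: tuple = ()   # roles to contact, in order


@dataclass(frozen=True)
class Rule:
    source: str
    callout: CallOut
    alert: str = WILDCARD
    zone: str = WILDCARD
    asset: str = WILDCARD

    def matches(self, ev: Event) -> bool:
        pairs = ((self.source, ev.source), (self.alert, ev.alert),
                 (self.zone, ev.zone), (self.asset, ev.asset))
        return all(pat in (WILDCARD, val) for pat, val in pairs)

    def specificity(self) -> int:
        # count of concrete (non-wildcard) fields; more concrete rules win
        return sum(f != WILDCARD for f in (self.alert, self.zone, self.asset))


# Constructed rule table. Actions are assumed to be pre-approved by Operations.
RULES = (
    # Operators watch every EDR alert in the OT zone; by default they only call.
    Rule("edr", CallOut("Operator", ("no local action",), ("OT Security on-call",)),
         zone="ot_l2"),
    # EDR ransomware on any OT asset: isolate first, then call.
    Rule("edr", CallOut("Operator", ("isolate asset from network",), ("OT Security on-call",)),
         alert="ransomware", zone="ot_l2"),
    # Credential dumping on the engineering workstation: isolate and bring in IR.
    Rule("edr", CallOut("Operator", ("isolate asset from network",),
                        ("OT Security on-call", "OT Incident Response")),
         alert="credential_dump", asset="EWS-01"),
    # Engineers: repeated mismatch between field measurement and ICS value.
    Rule("process_check", CallOut("Engineer", ("verify with second field measurement",),
                                  ("OT Security on-call",)),
         alert="field_mismatch_repeated"),
    # IT Security: ransomware on IT changes the OT perimeter and notifies OT.
    Rule("it_siem", CallOut("IT Security", ("disable IT-to-OT firewall rules",),
                            ("OT Security on-call", "VP Operations")),
         alert="ransomware", zone="it"),
)


def route(ev: Event, rules=RULES):
    """Call out for the most specific matching rule, or None if nothing covers the event."""
    hits = [r for r in rules if r.matches(ev)]
    if not hits:
        return None
    return max(hits, key=Rule.specificity).callout


def coverage_gaps(monitored_sources, rules=RULES):
    """Monitored detection sources that have no call out of any kind."""
    covered = {r.source for r in rules}
    return [s for s in monitored_sources if s not in covered]


def as_table(rules=RULES) -> str:
    """Render the rules in the Event | Identifying Role | Call Out format."""
    lines = ["Event | Identifying Role | Call Out"]
    for r in rules:
        event = " ".join(f for f in (r.source, r.alert, r.zone, r.asset) if f != WILDCARD)
        steps = r.callout.actions + tuple("contact " + who for who in r.callout.escalate_to)
        lines.append(f"{event} | {r.callout.role} | {'; '.join(steps)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(as_table())
    print(route(Event("edr", "ransomware", "ot_l2", "HMI-03")))
    print("uncovered sources:", coverage_gaps(["edr", "it_siem", "process_check", "historian"]))
```

Routing an event that matches no rule returns None rather than a default, so the gap surfaces during the tabletop walkthrough instead of at 3 a.m. Running the coverage check against the list of detection sources chosen for monitoring is a quick way to confirm the "one call out per source" goal above has been met.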