You established a Recovery Time Objective (RTO) in Week 21. After the recent weeks' tasks on response and recovery, it's time to take a second look at your ability to recover and meet that RTO. No cyber security control, or set of controls, can be guaranteed to prevent every attack. Managing the impact of the attack that succeeds is the only way to place a cap on the cyber risk you accept.
There are two parts to this second pass. First, review the results from the first pass. Have you learned anything that would:
- Cause you to recommend changing the RTO? This would typically come from a better understanding of the business, the ICS, or the physical process being monitored and controlled.
- Raise doubts about the earlier conclusion that the RTO can be met?
Note: Asset owners often base the RTO on what is currently possible rather than on the consequences of an outage. If you can recover in 6 hours, but the outage does not become a high consequence event until day 4, the RTO should be set at 4 days. The RTO is driven by consequence, not by current capability. This doesn't mean Operations can't strive to recover in 6 hours or better; it means the 4-day figure is what you must be able to meet in every credible scenario.
Second, look at outage and incident scenarios that were not considered in the first pass.
- Identify any cyber incident scenarios where you could not confidently meet the RTO. These are often scenarios where cyber assets are bricked and must be returned to the manufacturer for repair, or where a large number of sites are compromised simultaneously and recovery resources (spares, staff, vendor support) are contended.
- Identify the cost and resources to meet the RTO for each scenario.
- Prepare and schedule a presentation to executives with risk acceptance authority that lays out each scenario and the cost to meet the RTO for it, so they can make a risk management decision. Executives may choose to accept the risk of a scenario where the RTO would not be met. They can do this. You can't (unless you hold risk acceptance authority). Quietly accepting a risk because you believe the solution is too expensive can be a career limiting mistake.
Are there any changes needed to the OT RTO(s)? If yes, list the changes that you will recommend and seek approval for.
Are there any cyber incident scenarios where the RTO will not be met with the current plan? If yes, describe each scenario and the cost of becoming able to meet the RTO for it.