How to Prepare an Industrial Cyber Incident Response Strategy

By the Radiflow Cybersecurity team

August 25, 2021

The increase in recent years in ICS cybersecurity incidents and system breaches has provided sufficient evidence as to the importance of preparing a reaction strategy to such attacks, as well as ensuring that the relevant cyber incident response tools are in place.

The enterprise cybersecurity sector has been aware of this for decades, but extrapolating the IT approach and applying it directly to industrial cybersecurity fails to take into account the unique requirements of the OT environment. An IT network is taken offline regularly for patching and security updates; the same cannot be said for OT systems, which are almost always considered critical and must remain permanently online, creating a very different set of cybersecurity needs.

Planning ahead: It wasn’t raining when Noah built the ark.

The attempted cyber attack on the Oldsmar, FLA water facility in February 2021 highlighted the importance of being prepared and knowing how to respond when an industrial incident occurs. The operator who spotted the breach was able to regain control of the system, correct the issue and alert the necessary authorities.

Similarly, although the Colonial Pipeline attack could not be prevented, the damage was contained by following an industrial cyber incident response protocol, in this case taking key assets offline. This ensured both employee and customer safety and enabled Colonial to quickly get the system up and running.

Contingency planning can mitigate losses of different sorts, whether it be financial or physical; the correct measures can even save lives. This is why a key element of any cybersecurity scheme should be a comprehensive incident response plan.

Finding the right formula for an industrial cyber incident response

In order to be prepared for any industrial cyber incidents, the National Institute of Standards and Technology (NIST) recommends a 4-step plan tailored to ICS cybersecurity:

  1. Preparation

This includes compiling a list or database of all system components and assets, as well as knowing who is responsible for each of them. Industrial systems are usually a hybrid of many parts and can involve several different professional disciplines, so forming a committee with representatives from each field will ensure the best level of preparation.

The committee will investigate which types of incidents to prepare for and the best way to respond in each scenario. The level of detail will depend on the industry, and could include emergency response steps, provision of PPE (personal protective equipment) if needed, contact details for response teams and possibly the ability to isolate or even shut down the OT system.

  2. Detection and Analysis

When a breach or industrial cyber incident has been detected, the most essential tool for the response team will be information. Forensic analysis of that information enables them to understand how to close the breach and undo any harm, and also how to prevent similar attacks from occurring.

  3. Containment, Eradication, and Recovery

At this point, it is up to the security team to close any breach and remove the threat from the system. In serious cases this can take months, either because it took too long to identify the attack, giving the malicious code time to spread from asset to asset, or because the tools available are insufficient to stop the spread.

  4. Post-incident Activity

Learning from any industrial cyber incident is the best possible outcome, as it can become part of your future toolbox for threat detection and incident prevention.

Step 4 cycles back to step 1 as it becomes part of the planning process for future incidents. Regularly regrouping and fine-tuning will ensure that even if you can never guarantee that there will not be an industrial automation cybersecurity incident or breach, you are at least as prepared as you can possibly be.

As an ICS specialist, Radiflow is well placed to assist you with planning your industrial cybersecurity solutions, including an incident response plan. With an in-depth understanding of specific OT security needs, Radiflow's solutions ensure you are aware of any network vulnerabilities and can suggest the best measures to increase security whilst maximizing ROI.

Radiflow’s CIARA employs a proprietary algorithm to perform breach and attack simulations (BAS), based on each device’s properties and vulnerabilities, helping you to plan and prepare for any security incident.

Contact our team for more information on how our risk assessment solutions can help you to protect your OT system, and to help prepare for security events.

If you’ve found this article interesting, please visit and follow Radiflow on LinkedIn, where you’ll find a wealth of exclusive content.