Cybersecurity incident response – best practices from the US


Cybersecurity incident response best practices in US utilities have been identified by FERC and NERC.

For most organizations the question is not ‘if’ a cyber attack will happen but ‘when’. And when it does, the speed and quality of the response and recovery are crucial to protecting systems and maintaining operations.

How should utilities prepare for response and recovery? To identify common practices, the US Federal Energy Regulatory Commission (FERC), the North American Electric Reliability Corporation (NERC) and NERC’s regional entities reviewed the plans of eight utilities of varying size and function.


They find that an incident response and recovery plan is an important resource for addressing cyber threats, and that an effective plan can offset the natural advantages attackers hold. Because attackers operate covertly to gain footholds across networks, the plan should already be in place, and response teams prepared, to detect, contain and eradicate the threat before it can affect the utility’s operations.

Best practices identified in the four phases of the incident response process are as follows:

Preparation: Effective incident response and recovery plans contain well-defined personnel roles, promote accountability and empower personnel to take action without unnecessary delays. They leverage technology and automated tools while also recognizing the importance of human performance.

Effective implementation of a plan requires well-trained personnel who keep their skills current. Effective plans also incorporate lessons learned from past cyber events and use simulations of real-world events to identify shortfalls in the plan.

Detection and analysis: Baselining normal operations is an effective and resource-efficient tool: once a baseline exists, personnel can detect deviations from it. Flowcharts or decision trees are also useful for determining quickly when a predefined risk threshold has been reached and a suspicious set of circumstances qualifies as an event.
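The two ideas in this phase, a per-asset baseline and a decision tree with a predefined risk threshold, fit together in a few dozen lines. The following is an added illustration and is not code from the FERC/NERC study or from any utility it reviewed: the log lines, the host and zone names, the risk-factor weights and the thresholds are all constructed for the example, and the new_dst flag is assumed to be supplied by an upstream flow collector.

```python
"""Baseline-and-threshold detection over constructed host activity records."""
import math
from collections import defaultdict

# Constructed sample log lines, not real utility telemetry. Each line records one
# day's outbound connection count for a host; "zone" says which network it sits on.
HISTORY = """\
2024-03-01 host=hmi-01 zone=ot conns=40
2024-03-02 host=hmi-01 zone=ot conns=44
2024-03-03 host=hmi-01 zone=ot conns=38
2024-03-04 host=hmi-01 zone=ot conns=41
2024-03-05 host=hmi-01 zone=ot conns=43
2024-03-01 host=ws-17 zone=corp conns=300
2024-03-02 host=ws-17 zone=corp conns=280
2024-03-03 host=ws-17 zone=corp conns=350
2024-03-04 host=ws-17 zone=corp conns=310
2024-03-05 host=ws-17 zone=corp conns=260
"""

# The interval under evaluation (also constructed). new_dst=1 flags a destination
# that never appeared in the learning window; assumed to come from a flow collector.
TODAY = """\
2024-03-06 host=hmi-01 zone=ot conns=190 new_dst=1
2024-03-06 host=ws-17 zone=corp conns=330 new_dst=0
2024-03-06 host=eng-02 zone=ot conns=55 new_dst=0
"""

# Predefined risk factors and thresholds. The weights are illustrative, not values
# from the study; a real plan would set them per asset class and review them.
FACTORS = {
    "large_deviation": 3,    # z-score at or above Z_ALERT
    "new_destination": 2,    # talks to a destination absent from the baseline
    "unbaselined_asset": 2,  # host with no baseline at all
    "ot_zone": 2,            # asset sits on the operational network
}
Z_ALERT = 3.0            # standard deviations from the host mean that count as a deviation
SUSPICIOUS_THRESHOLD = 3 # total risk score that triggers analyst review
EVENT_THRESHOLD = 6      # total risk score at which the plan declares an event


def parse(text):
    """Parse 'date key=value ...' lines into dicts; integer-looking values become ints."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, *fields = line.split()
        rec = {"date": date}
        for field in fields:
            key, value = field.split("=", 1)
            rec[key] = int(value) if value.isdigit() else value
        records.append(rec)
    return records


def build_baseline(records):
    """Per-host mean and population standard deviation of conns over the learning window."""
    by_host = defaultdict(list)
    for rec in records:
        by_host[rec["host"]].append(rec["conns"])
    baseline = {}
    for host, values in by_host.items():
        mean = sum(values) / len(values)
        variance = sum((v - mean) ** 2 for v in values) / len(values)
        baseline[host] = (mean, math.sqrt(variance))
    return baseline


def z_score(baseline, host, value):
    """Standard deviations between value and the host's baseline; None if no baseline.
    A zero-variance host gets inf on any change so a flat baseline is not silently ignored."""
    if host not in baseline:
        return None
    mean, sigma = baseline[host]
    if sigma == 0:
        return 0.0 if value == mean else math.inf
    return (value - mean) / sigma


def classify(record, baseline):
    """Decision tree: anomaly factors first; with none the interval is normal. Otherwise
    add context factors and compare the total against the predefined thresholds."""
    z = z_score(baseline, record["host"], record["conns"])
    reasons = []
    if z is None:
        reasons.append("unbaselined_asset")
    elif z >= Z_ALERT:
        reasons.append("large_deviation")
    if record.get("new_dst", 0):
        reasons.append("new_destination")
    if not reasons:
        return "normal", z, reasons
    if record.get("zone") == "ot":
        reasons.append("ot_zone")
    score = sum(FACTORS[r] for r in reasons)
    if score >= EVENT_THRESHOLD:
        return "event", z, reasons
    if score >= SUSPICIOUS_THRESHOLD:
        return "suspicious", z, reasons
    return "normal", z, reasons


def evaluate(history_text, today_text):
    """Build the baseline from the learning window and classify each record under evaluation."""
    baseline = build_baseline(parse(history_text))
    return {rec["host"]: classify(rec, baseline) for rec in parse(today_text)}


if __name__ == "__main__":
    for host, (verdict, z, reasons) in evaluate(HISTORY, TODAY).items():
        shown = "n/a" if z is None else f"{z:.1f}"
        print(f"{host:8} z={shown:>6} -> {verdict:10} {reasons}")
```

Two design points carry over to a real plan. The tree rules on anomaly factors before context factors, so a critical zone never raises an alert on its own; and a host with no baseline is itself treated as a finding rather than skipped, since an asset that was never baselined is exactly where a covert foothold goes unnoticed.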

Containment and eradication: If a plan’s containment strategy includes islanding (disconnecting) operational networks, the potential impact of that decision should be thoroughly understood beforehand. Plans should also consider that a containment action may trigger predefined destructive behaviour in the malware, and should account for the resource demands of a response of indeterminate length.

Evidence collection and continued analysis are important to determine whether an event is an indicator of a larger compromise.

Post-incident activity: Effective plans implement lessons learned from previous incidents or training exercises.

The report also notes that using a single plan, or closely aligned plans, across business units may give a better understanding of the response and recovery process across the utility.

The full report, the Cyber Planning for Response and Recovery Study, is published by FERC and NERC.