
Ics Cyber Security Incident Response and the Troubleshooting Process

Essay by   •  May 25, 2018  •  Essay  •  2,905 Words (12 Pages)  •  847 Views


ICS Cybersecurity Incident Response and the Troubleshooting Process

Masatoshi TAKANO1†

1Technical Committee on Instrument and Control Networks, Industrial Applications Division, SICE, Japan

(E-mail: masatoshi_takano @ m

Abstract: An awareness of the potential for cyber security incidents, combined with ordinary troubleshooting procedures, contributes to improved handling of these incidents in industrial control systems (ICS). Organizations that use ICS will benefit by adding cyber-oriented incident handling to existing ICS troubleshooting trees. Case studies of both non-cyber and cyber incidents show the advantages of using ordinary troubleshooting flows and of an efficient configuration of layered security defense with minimum services, which buys time against the exploitation of unknown vulnerabilities.

Keywords: Industrial control system, Cyber security, Cyber incident response, Incident handling, Troubleshooting, Human behavior, Defense in Depth


Consideration of the industrial control system (ICS) operators’ perspective and of today’s security defenses results in a practical twofold approach to ensuring cybersecurity: improving incident response and building an efficient configuration that buys time.

We identify ordinary plant-floor operation and troubleshooting capabilities that serve as a suitable starting point, or front end, for cybersecurity incident handling in ICS. A cybersecurity incident-handling installation that is separate from the ordinary troubleshooting flow makes operations and troubleshooting more complex. Case studies show that when cyber-oriented incident handling is added to existing ICS troubleshooting flows, the improved troubleshooting process is an efficient way to identify the cause of an issue, whether non-cyber or cyber.

In addition, multilayered defense, so called “Defense in Depth”, with minimum services has the effect of buying time by slowing the exploitation of zero-day attacks, which are difficult to counter because they are unknown to us.



Figure 1 illustrates a typical layered-defense architecture that contains an IT system level, an ICS network level, and a field controller level. In general, the ICS controls and monitors plant facilities automatically, while an operator manually controls the facilities via a man-machine interface (MMI) during startup or when a plant abnormality occurs. Monitoring data or alarm messages from the ICS appear on the MMI to alert the operator. By contrast, the exploitation of a cyber incident raises no such alerts: its only traces appear in plant data trends or in system diagnostics. With general reference to Fig. 1, an attacker on the Internet has routes to intrude through the three-layered defense of the ICS, or to connect via the cellular or wireless networks used for remote maintenance [1] [2] [3].
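As an added illustration of this point (not code from the paper), the following Python script correlates setpoint changes seen in plant data trends with the operator’s MMI action log and with system-diagnostic events, so that a change with an ordinary explanation is separated from one that only the diagnostics can account for. The tag names, record formats, sample data and 60-second window are constructed assumptions.

```python
"""Correlate setpoint changes seen in plant data trends with operator actions
and system-diagnostic events.  Added illustration, not code from the paper;
tag names, time window and record formats are constructed assumptions."""
from dataclasses import dataclass

WINDOW_S = 60  # seconds within which an operator action explains a change (assumed)

@dataclass(frozen=True)
class Finding:
    t: int
    tag: str
    old: float
    new: float
    verdict: str

def setpoint_changes(trend):
    """Yield (t, tag, old, new) whenever a setpoint tag changes value in the trend."""
    last = {}
    for t, tag, value in trend:
        if tag.endswith(".SP") and tag in last and last[tag] != value:
            yield t, tag, last[tag], value
        last[tag] = value

def classify(trend, mmi_actions, diag_events, window=WINDOW_S):
    """Return one Finding per setpoint change, following the troubleshooting order:
    first look for an ordinary explanation (an operator action on the MMI), and
    only then consult system diagnostics for signs of an unexpected change."""
    findings = []
    for t, tag, old, new in setpoint_changes(trend):
        explained = any(a_tag == tag and 0 <= t - a_t <= window
                        for a_t, a_tag in mmi_actions)
        if explained:
            verdict = "non-cyber: matches operator action on MMI"
        elif any(0 <= t - d_t <= window for d_t, _ in diag_events):
            verdict = "possible cyber: no operator action, diagnostic event nearby"
        else:
            verdict = "unexplained: no operator action, check diagnostics"
        findings.append(Finding(t, tag, old, new, verdict))
    return findings

# Constructed sample data: (epoch seconds, tag, value) from the plant data trend
TREND = [
    (1000, "FIC-101.SP", 50.0), (1000, "FIC-101.PV", 50.2),
    (1030, "FIC-101.SP", 55.0), (1030, "FIC-101.PV", 52.1),  # operator raised the SP
    (1200, "FIC-101.SP", 80.0), (1200, "FIC-101.PV", 61.7),  # no MMI action recorded
]
MMI_ACTIONS = [(1025, "FIC-101.SP")]  # constructed: (time, tag changed by operator)
DIAG_EVENTS = [(1190, "controller configuration download from engineering station")]

if __name__ == "__main__":
    for f in classify(TREND, MMI_ACTIONS, DIAG_EVENTS):
        print(f"{f.t} {f.tag} {f.old}->{f.new}: {f.verdict}")
```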

This section focuses on the operator’s perspective and today’s security defense to identify the priorities of ICS cybersecurity approaches.

2.1 Consideration of operator’s perspective

For many plant-floor operators and organizations, the most challenging part of a cyber-related incident-handling process is detecting possible cyber incidents during the procedures involved in daily troubleshooting. The difficulty is that the phenomena or damage caused by a cyber incident appear the same as in a non-cyber case at the equipment level of a plant.

Let us first consider the procedure of incident handling. Most ICS troubleshooting concerns non-cyber-related issues, as shown in Table 1. This is in contrast to IT security incidents, which occur frequently and always require an awareness of cyber-related issues; moreover, ICS cyber-related incidents may be less recognized than IT cases. Incident handling in IT cases is based on cyber-intrusion detection; however, ICS platforms may not run such cybersecurity software to detect intrusions or viruses [3]. Thus, many types of general cybersecurity policies for IT system protection are not applicable to ICS cyber-related incident response. Operator experience may be one of the best sources for detecting deviations from normal operation status. Experienced operators can


