Integrating OT/IT Cyber Incident Response Capabilities

A four-step approach to building an OT threat detection and response program involves creating a strategy, expanding visibility in the networks (including gaining an understanding of what normal looks like in your environment), enabling continuous detection and response functions, and facilitating effective response operations. 

• Form a shared governance body with representation from both enterprise IT and manufacturing. 
• Plan the journey to integrate individual CFC capabilities (cyber threat intelligence, threat defense operations, detect and response, attack surface reduction, and metrics and reporting) into an existing SOC, all the while taking into consideration OT priorities for safety and uptime. A well-thought-out strategy contains an initial list of targeted use cases, a rollout plan containing a proof-of-concept phase, skill sets needed to perform the work, staff required to enable the work, and a basic timeline. 

• Implement OT passive monitoring: Deploy monitoring tools to capture and analyze network traffic from OT environments. These tools should be capable of handling proprietary protocols and systems used in OT. 
• Implement a network-segmentation strategy: Segregate OT networks from IT network to minimize online exposure and to compartmentalize the network traffic analyzed by the OT passive-monitoring sensor. 

• Integrate OT alerts into the security information and event management (SIEM) and security orchestration, automation, and response (SOAR): Configure the SIEM to ingest and correlate logs and alerts from OT devices. This integration allows for centralized monitoring and correlation of security events across IT and OT environments. The SOAR playbook automates repetitive tasks. 
• Develop OT threat-detection use cases: Create use cases and detection rules that focus on identifying OT-specific threats and anomalies. These use cases should focus on behaviors, protocols, and communication patterns of systems in OT environments. 

• Strengthen ties with site stakeholders: Build a strong partnership with site staff and ensure each site’s single point of contact for information security (SPOC) understands the OT threat detection and response program and their role in the event of an OT cyber incident. 
• Train staff for their role in incident response: Provide introductory training showing how SOC analysts and site staff will work together to remediate an incident to put site staff at ease in their roles. 
• Enable a dedicated role or function in the CFC to maintain familiarity with manufacturing site operational context and associated cyber alerts.