Digitalisation, including cybersecurity
Cybersecurity incident response planning
Introduction
The nature of cyber threats is continually evolving, and even best-in-class protections may not stop a cybersecurity incident. Such events can be highly disruptive and create significant reputational damage if they are not managed well. For the process industries, production, assets and process safety could be significantly compromised by a cyber attack. Every organisation, regardless of size, should have an incident response plan that documents the process for managing a cybersecurity incident. This fact sheet provides an overview of cybersecurity incident response management plus links to online resources with further information on this topic.
Cyber incident response plans
An incident response plan is a playbook to use in the event of a security incident. This plan contains key contacts, roles and responsibilities, and processes to follow for managing the incident. The overview below is largely based on the NIST Computer Security Incident Handling Guide, which organises incident handling into a sequence of phases:
1. Preparation
An effective response methodology contains both preventative measures and response processes to follow if a breach occurs. A robust Defence in Depth (DID) strategy is essential for protecting an organisation’s digital systems and data to minimise the likelihood of an incident occurring. Further information on this is presented in the Data Protection Strategies and Defence in Depth fact sheet.
A cyber incident response plan contains important information that is required to effectively manage a breach after it occurs. Typical content includes:
- contact information for response team members and other key resources, such as external experts and relevant government organisations
- roles and responsibilities, plus delegated authority details
- criteria and procedures for initiating an incident response event
- incident notification and communication plans for stakeholders, including contingencies in case standard communications channels are compromised
- procedures for managing an incident response through to full recovery and close out
- a register of critical assets and services for the organisation, including details of business owners who can liaise with users, technical teams, and vendors of these systems
- public disclosure obligations, including any mandatory updates to government agencies, industry bodies, or financial markets.
It is also worth developing a business continuity plan for the organisation to continue operating in a diminished capacity whilst containing and recovering from a cyber attack. Another important aspect of preparation is ensuring adequate training of the personnel who are responsible for executing the plan.
2. Detection and analysis
It is challenging to identify anomalous behaviour among all routine digital activity occurring in an organisation. Suspicious behaviour may be identified by an automated system monitoring network traffic and system logs, by an observant individual, or in response to a vulnerability alert published by a vendor or agency. Regardless of the source, an incident should be declared and the response plan activated as soon as a breach is suspected or known to have occurred. It is important to establish the response team, brief key stakeholders, and ascertain the nature and extent of the incident as quickly as possible.
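The paragraph above describes suspicious behaviour being picked up by automated monitoring of system logs and the plan being activated as soon as a breach is suspected. The following is an added illustration, not part of the fact sheet or of any NIST material: a small detection rule run over constructed log lines that declares an incident once a single source address exceeds a failure threshold, and escalates it if a later login from that address succeeds. The log format, threshold, window, hostnames and addresses are all assumptions made for the example.

```python
# Added example, not from the fact sheet: a detection rule over system log
# lines that declares an incident once behaviour crosses a threshold, so the
# response plan can be activated "as soon as a breach is suspected".
# The log format, threshold, window and hostnames are constructed.
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed syslog-style format:
# "<ISO timestamp> <host> sshd: <Failed|Accepted> password for <user> from <IPv4>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

FAILURE_THRESHOLD = 5            # this many failures from one source address...
WINDOW = timedelta(seconds=60)   # ...inside this window declares an incident


@dataclass
class Incident:
    declared_at: datetime
    source_ip: str
    host: str
    reason: str
    evidence: list = field(default_factory=list)   # timestamps relied on


def parse_line(line: str):
    """Return the parsed fields, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect(lines):
    """Scan log lines in order and return one Incident per source address that
    exceeds the failure threshold, escalated if a later login from that
    address succeeds."""
    recent_failures = defaultdict(deque)   # source ip -> failure timestamps in window
    incidents_by_ip = {}
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue                        # unrelated or malformed line
        ip, ts = event["ip"], event["ts"]
        if event["outcome"] == "Failed":
            window = recent_failures[ip]
            window.append(ts)
            while ts - window[0] > WINDOW:  # drop failures older than the window
                window.popleft()
            if len(window) >= FAILURE_THRESHOLD and ip not in incidents_by_ip:
                incidents_by_ip[ip] = Incident(
                    declared_at=ts, source_ip=ip, host=event["host"],
                    reason=f"{len(window)} failed logins within {WINDOW.seconds}s",
                    evidence=list(window),
                )
        elif ip in incidents_by_ip:
            # A success after a burst of failures raises the severity: treat
            # the account as compromised until the investigation shows otherwise.
            inc = incidents_by_ip[ip]
            inc.reason += f"; subsequent successful login as {event['user']}"
            inc.evidence.append(ts)
    return list(incidents_by_ip.values())


# Constructed sample log (203.0.113.0/24 is a documentation address range).
SAMPLE_LOG = [
    "2024-03-05T02:14:01 historian-01 sshd: Failed password for admin from 203.0.113.7",
    "2024-03-05T02:14:09 historian-01 sshd: Failed password for admin from 203.0.113.7",
    "2024-03-05T02:14:20 historian-01 sshd: Failed password for operator from 203.0.113.7",
    "2024-03-05T02:14:33 historian-01 sshd: Accepted password for engineer from 10.20.0.5",
    "2024-03-05T02:14:35 historian-01 sshd: Failed password for root from 203.0.113.7",
    "2024-03-05T02:14:41 historian-01 sshd: Failed password for svc_backup from 203.0.113.7",
    "2024-03-05T02:14:50 historian-01 kernel: eth0 link up",
    "2024-03-05T02:15:02 historian-01 sshd: Accepted password for svc_backup from 203.0.113.7",
]

if __name__ == "__main__":
    for inc in detect(SAMPLE_LOG):
        print(f"INCIDENT {inc.declared_at.isoformat()} host={inc.host} "
              f"source={inc.source_ip}: {inc.reason}")
```

The declared Incident record carries the timestamps it was based on, which is the evidence the response team needs to brief stakeholders and ascertain the extent of the incident; in practice the threshold and window would be tuned to the environment and the rule would be one of many feeding a monitoring platform.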
3. Containment
The high degree of interconnection between modern computer systems means cyber attacks can rapidly propagate across an organisation. Ideally the threat can be contained by isolating or shutting down the compromised systems. However, this may not be appropriate or possible depending on the function of the system, particularly with regard to the safe operation and shutdown of operational technology (OT) systems. In addition, the extent of the breach is sometimes unclear, in which case it may be more effective to isolate and protect the critical assets and systems to minimise the risk to safety, environment and business continuity. For example, the network connections between corporate and factory systems may be proactively severed to protect operational assets. These impactful decisions often have to be made with limited time and information. The roles and responsibilities and delegated authorities documented in the incident response plan should be formulated to expedite decision making.
4. Eradication
Systematically removing the threat from a digital ecosystem can be a complex task. It may be necessary to engage specialist external expertise for this work. The contact list in the response plan should include details of groups who have been pre-approved to assist with threat eradication. Private service providers should be selected and onboarded during the Preparation phase, including signing non-disclosure agreements, provisioning remote access, etc., to minimise delays in their mobilisation in the event of a cyber attack.
5. Recovery
It may take some time to fully restore services following a major attack. Recovery and verification of critical systems should be prioritised to ensure process safety and minimise business disruption. Non-critical systems can be progressively reinstated once the situation has stabilised and the organisation has its core business processes running reliably again. The integrity of backups must be confirmed prior to restoration to avoid reintroducing viruses and ransomware into the organisation. All system and user passwords, including multifactor authentication, should be reset as part of this recovery process.
It is important to understand the access and propagation methods of the original attack and to remediate the vulnerabilities during the recovery process so that the incident does not recur. Changes made to resolve vulnerabilities should be fully tested and documented to ensure they are effective.
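The Recovery phase above requires that the integrity of backups be confirmed before restoration so that viruses and ransomware are not reintroduced. The following is an added illustration, not part of the fact sheet, of what such a check can look like: each backup artefact is compared against a digest manifest recorded at backup time and kept apart from the backup media, and copies captured after the estimated start of the compromise are also held back. The manifest format, the compromise-time check, the artefact names and their contents are assumptions constructed for the example; real artefacts would be files rather than in-memory bytes.

```python
# Added example, not from the fact sheet: confirming backup integrity before
# restoration. Assumptions (constructed): a manifest of SHA-256 digests and
# capture times kept separately from the backup media, and an estimated time
# of initial compromise supplied by the investigation.
import hashlib
from datetime import datetime


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artefacts: dict, captured_at: datetime) -> dict:
    """Done at backup time: record the digest and capture time of each artefact."""
    return {
        name: {"sha256": sha256_hex(data), "captured_at": captured_at.isoformat()}
        for name, data in artefacts.items()
    }


def verify_for_restore(artefacts: dict, manifest: dict, compromise_start: datetime) -> dict:
    """Classify every artefact on the restore media and in the manifest.

    'ok'              digest matches and the copy predates the compromise
    'tampered'        digest differs from the manifest (possible encryption or implant)
    'post-compromise' intact, but captured after the attacker gained access
    'missing'         listed in the manifest but absent from the media
    'unlisted'        present on the media but never recorded in the manifest
    """
    status = {}
    for name, entry in manifest.items():
        if name not in artefacts:
            status[name] = "missing"
        elif sha256_hex(artefacts[name]) != entry["sha256"]:
            status[name] = "tampered"
        elif datetime.fromisoformat(entry["captured_at"]) >= compromise_start:
            status[name] = "post-compromise"
        else:
            status[name] = "ok"
    for name in artefacts:
        if name not in manifest:
            status[name] = "unlisted"
    return status


def restorable(artefacts: dict, manifest: dict, compromise_start: datetime) -> list:
    """Only artefacts that pass every check are eligible for restoration."""
    verdicts = verify_for_restore(artefacts, manifest, compromise_start)
    return sorted(name for name, state in verdicts.items() if state == "ok")


# --- Constructed scenario ---------------------------------------------------
# Good copies as they were when backed up, before the incident.
PRE_INCIDENT = {
    "historian-db.bak": b"historian database dump v1\n",
    "plc-config.tar": b"plc project files\n",
    "engineering-ws.vhd": b"engineering workstation image\n",
}
# A backup taken after the intrusion began; intact, but it may carry the implant.
POST_INCIDENT = {"hmi-image.img": b"hmi image, taken after intrusion began\n"}

MANIFEST = {
    **build_manifest(PRE_INCIDENT, datetime(2024, 3, 1, 1, 0)),
    **build_manifest(POST_INCIDENT, datetime(2024, 3, 6, 1, 0)),
}
COMPROMISE_START = datetime(2024, 3, 4, 22, 0)   # estimate from the investigation

# What is actually found on the backup media at recovery time.
RESTORE_MEDIA = {
    "historian-db.bak": PRE_INCIDENT["historian-db.bak"],              # intact
    "plc-config.tar": PRE_INCIDENT["plc-config.tar"] + b"ENCRYPTED",    # altered
    "hmi-image.img": POST_INCIDENT["hmi-image.img"],                   # intact but too recent
    "update.exe": b"unknown binary\n",                                  # not in the manifest
    # engineering-ws.vhd is absent from the media
}

if __name__ == "__main__":
    for name, state in sorted(verify_for_restore(RESTORE_MEDIA, MANIFEST, COMPROMISE_START).items()):
        print(f"{state:16} {name}")
    print("eligible for restore:", restorable(RESTORE_MEDIA, MANIFEST, COMPROMISE_START))
```

The value of keeping the manifest separate from the backup media is that an attacker who can alter or encrypt the backups cannot also alter the record they are checked against; the post-compromise rule reflects the point in the text that a backup must not reintroduce the malware the organisation is recovering from.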
6. Post-incident review
All members of the response team should meet and hold a ‘lessons learned’ session after the incident. Consideration should also be given to the involvement of other staff including managers and technical staff who are not directly involved in the response, but who may benefit from awareness of the situation, as the attack or response likely impacts their systems and role. Each step of the incident management process should be assessed to determine what worked well and what didn’t. Any gaps in policies, procedures or capabilities should be captured and follow-up actions tracked to completion, including re-training.
General comments
A cyber incident response plan should align with the requirements set by the government, industry bodies, board of directors, and insurers. Organisations need to fully understand government requirements in their regions of operation, particularly if they operate critical infrastructure assets. In Australia for example, health care and medical, higher education and research, food and grocery, and transport sectors are now considered to have critical infrastructure assets.
It is important to ensure that cyber incident response plans can be accessed even if core IT systems are compromised or unavailable due to a cyber attack or subsequent response. Consider storing copies in separate cloud-based repositories, and on the mobile phones or other independent devices of response team members and senior leaders. The plan itself needs to include contingencies to ensure response processes can be executed even if remote access capabilities or communications channels have been compromised.
Training and practice are critical. Event simulations should be run periodically to ensure people are familiar with the processes and types of decisions involved in managing a cyber incident response. For technical teams, it is valuable to practise collating data feeds, reconciling ambiguity, and recommending actions in a time-pressured environment. For leaders, it is important to be familiar with the critical systems, business impacts, and the type of decisions required in the event of a cyber attack. A debrief session at the completion of each training exercise is valuable for capturing feedback and learnings to improve business resilience.
Consider pre-approving elevated levels of delegated authority for response team members to use during an incident. Shutting down systems, isolating assets, and mobilising resources may all be necessary at short notice to ensure process safety and protect business continuity.
For further location-specific information, please visit the links below.
Government information on cybersecurity incident responses
Please follow the links below to access regional information on cybersecurity incident responses: