Published: Oct 31, 2017
Author: David Reith

If you’ve read the 2017 Data Breach Digest, you’ll be familiar with a breach scenario known as “The Fiddling Nero”. This involved a manufacturer who engaged the Verizon Incident Response (IR) team to conduct a due-diligence health check, and found the operational technology (OT) systems were replete with malware infections.

In this scenario the OT systems were relatively easy to access. But one of the challenges for cybersecurity in the ICS world is that additional safety issues need to be considered, including physical and environmental hazards.

Safety considerations must occur during all IR phases, and the containment and isolation phase is no exception. While it’s common practice to take a compromised device offline or remove it from the network, this isn’t always appropriate in an ICS environment.

The compromised device may be critical to daily operations, and taking it offline without warning can lead to safety issues or a loss of control. To make things worse, it may not be a single device that is compromised. In an ICS environment, you are often reliant on a network consisting of multiple devices or systems.

For these reasons it’s essential that data breach response teams coordinate closely with OT personnel prior to conducting any activity in an ICS environment.

More work-related injuries happen in an ICS environment than an IT environment, and the dangers associated with malfunctioning devices present greater threats. This means OT and IR teams must work together to make physical safety a top priority.

ICS environments can present many dangers: slippery surfaces, overhead cranes, high voltages, high-pressure steam and intense heat, to name just a few. Third-party responders need to be aware of these dangers and take appropriate safety precautions.

By following the safety program, communicating with the escort, and understanding the dangers inherent in ICS environments, IR personnel can avoid unnecessary risks, including serious bodily injury.

Below are a few safety precautions that IR teams should follow on-site.

• Wear the right things. Personal protective equipment (PPE) should be worn by IR personnel at all times. At minimum, this should include ear protection, flame resistant clothing, protective shoes, eye protection, and a hard hat. Be sure your PPE meets or exceeds the requirements of the situation you face.
• Don’t wear the wrong things. Certain materials — such as polyester or rayon — may melt and stick to your skin, diminishing the safety of fire resistant clothing. Remove all jewellery, as metal is a conductor in high-voltage areas. Watches, bracelets and necklaces can also be a "snag" hazard. Don’t forget about your pockets — remove keys, cell phones, and any other metal objects.
• Be careful. The stairs in ICS environments are often steep, with extremely narrow treads. These factors increase the risk of falling; be wary and always use the handrail when climbing or descending stairs.
• Be alert. You're not in an office environment; you may encounter tripping hazards, slippery walkways, low overheads, and moving equipment. Don't assume crane operators or equipment drivers can see you, especially those that are automated.

In order to maintain a safe workplace for all employees, it’s a good idea for third parties to participate in safety training, drug and alcohol screening, background checks, and training in the use of gear and equipment.

It’s crucial that safety remains a high priority when responding to data breaches in an ICS environment. Your team’s lives may depend on it.

Want to learn more about ICS related data breaches? Check out the Fiddling Nero (ICS onslaught) scenario in the 2017 Data Breach Digest (DBD).

The Data Breach Digest is the story of Verizon’s most intriguing cybercrime investigations. Learn about the attacker’s tactics, the victim’s mistakes and the scramble to limit the damage.

http://www.verizonenterprise.com/verizon-insights-lab/data-breach-digest/2017/

David Reith is a contributor to Verizon’s Data Breach Digest and leads Operational Technology Assessments for Verizon’s Operational Technology and Critical Systems (OTACS) Team. David has over 24 years of experience in IT and OT, network/cyber security, to include performing security/vulnerability audits and assessments. Over the past 12 years, David has developed a specialization in securing OT assets and networks. In addition to performing assessments, David has developed mitigation strategies, including; policy and procedures, architectural design, and incident response planning specifically for OT environments. David has performed NERC CIP, NEI 08-09 and RG 5.71 gap analysis and assessments in the energy and nuclear sectors, and security assessments for organizations in consumer goods, steel, and semi-conductor manufacturing, oil and gas, building automation, rail transportation, and water utilities.