
The Agile Incident Response for Industrial Control Systems (AIR4ICS) framework

Smith, Richard; Janicke, Helge; He, Ying; Ferra, Fenia; Albakri, Adham






Abstract

Cyber incident response within Industrial Control Systems (ICS) is characterised by high levels of uncertainty and unpredictability, and to be effective it requires a multi-disciplinary team that encompasses personnel from business operations, Operational Technology (OT), IT, security operations and media engagement. Such teams require a dynamic decision framework that allows ICS operators to maintain services while full operating capability is being recovered. There is empirical evidence that static incident response playbooks are not flexible enough to support situations beyond the scope for which they were originally written, and that they have been ignored when cyber incidents have occurred. A thematic analysis of semi-structured interviews with ICS incident response professionals identified three main areas of concern: communication, information sharing between knowledge areas, and achieving external buy-in. The Agile Incident Response for Industrial Control Systems (AIR4ICS) framework has been developed to integrate Agile techniques into the cyber security domain of incident response. AIR4ICS provides a dynamic approach to improve situational awareness, information sharing, collective decision-making and response flexibility within the unique context of ICS. The techniques used in AIR4ICS were initially shaped by interviews with professionals experienced in protecting ICS, structured using the Scrum methodology, and refined through a series of cyber incident response exercises in which incident response professionals faced off against specialist ICS red teams. The result is a modular framework that can be adapted to fit the working practices, skillsets and priorities of individual organisations. The framework improves communication, promotes information sharing between knowledge areas, and increases external buy-in. Ultimately, AIR4ICS provides a dynamic decision framework that allows incident response teams to manage uncertainty and unpredictability, and so reduce the time taken to restore normal operations.

Citation

Smith, R., Janicke, H., He, Y., Ferra, F., & Albakri, A. (2021). The Agile Incident Response for Industrial Control Systems (AIR4ICS) framework. Computers and Security, 109, Article 102398. https://doi.org/10.1016/j.cose.2021.102398

Journal Article Type: Article
Acceptance Date: Jul 2, 2021
Online Publication Date: Jul 10, 2021
Publication Date: Oct 1, 2021
Deposit Date: Aug 29, 2021
Publicly Available Date: Jul 11, 2022
Journal: Computers and Security
Print ISSN: 0167-4048
Electronic ISSN: 1872-6208
Publisher: Elsevier
Peer Reviewed: Peer Reviewed
Volume: 109
Article Number: 102398
DOI: https://doi.org/10.1016/j.cose.2021.102398
Keywords: Law; General Computer Science
Public URL: https://nottingham-repository.worktribe.com/output/6136416
Publisher URL: https://www.sciencedirect.com/science/article/pii/S0167404821002224?via%3Dihub
Additional Information: This article is maintained by: Elsevier; Article Title: The Agile Incident Response for Industrial Control Systems (AIR4ICS) framework; Journal Title: Computers & Security; CrossRef DOI link to publisher maintained version: https://doi.org/10.1016/j.cose.2021.102398; Content Type: article; Copyright: © 2021 Elsevier Ltd. All rights reserved.
