The U.S. Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) released a study on cyber incident response and recovery best practices for electric utilities.
The report is based on information shared by experts at eight U.S. electric utilities. The study aims to improve incident response and incident recovery plans, ensuring the reliability of the electric system in the event of a cybersecurity incident.
A cyber attack could have a severe impact on the operations of the utilities and cause consequent economic losses. The incident response and recovery (IRR) plan describes how the staff at the utility will respond to an incident.
“Establishing clear procedures for handling incidents is a complex undertaking and, though individualized to an organization’s mission, size, structure, and functions, generally contain common elements: (1) they define their scope (to whom they apply, what do they cover, and under what circumstances); and (2) they define computer security events and incidents, staff roles and responsibilities, levels of authority for response (e.g., authority to disconnect equipment), reporting requirements, requirements and guidelines for external communications and information sharing, and procedures to evaluate performance.” reads the study.
While the incident response and recovery (IRR) plans provided by the utilities that contributed to the study present many similarities, such as compliance with the NIST framework (SP 800-61), there isn’t an optimal model.
Each utility has developed separate plans for responding to cyber incidents, depending on the impact on its operational and business networks.
The goal of the NERC and FERC teams was to identify and consolidate a set of practices that electric utilities could adopt as best practices for the development of an IRR plan.
In the preparation phase, an effective IRR plan has to include a clear definition of personnel roles, promote accountability, and, where appropriate, empower personnel to take action without unnecessary delays.
An effective IRR plan leverages technology and automated tools along with well-trained personnel.
In the detection and analysis phase, the study recommends the use of baselining to detect potential cyber incidents, and the adoption of a decision tree or flowchart to quickly assess whether a specific risk threshold has been reached and whether certain circumstances qualify as an event.
In the containment and eradication phase, the IRR plan should analyze the impact of the decisions taken in the previous phases. The organization should have a deep knowledge of the potential threats, their potential impact, and the countermeasures to deploy to mitigate them.
The IRR plans should consider the resource implications of incident responses of indeterminate length.
In the post-incident activity phase, an effective IRR plan implements lessons learned from previous incidents and simulated activities, identifying clear shortfalls in the IRR plan.
(SecurityAffairs – hacking, Cyber Incident Response)