Building A Manufacturing Blueprint For Cybersecurity Incident Response

We now live in a world in which it might be more likely for businesses to experience a data breach than to avoid one.

We now live in a world in which it might be more likely for businesses to experience a data breach than to avoid one.

In AT&T’s latest Cybersecurity Insights Report, “The CEO’s Guide to Cyberbreach Response,” it reports that a staggering 62 percent of organizations surveyed acknowledged they experienced a breach in 2015. That means a majority of companies have to deal with the financial fallout including lawsuits, regulatory penalties and damaged reputations.

That’s why so many are investing in prevention. A recent study from IHS Technology estimated that the total market for industrial cybersecurity products could grow nearly 20 percent each year until 2020.

What many manufacturers don’t realize is how easily and often breaches can occur, even when using the latest and greatest security tools and technology. Despite what the movies show, today’s hackers don’t normally have to navigate their way through hundreds of lines of code to find vulnerabilities. All it can take is one lost notebook computer, one unlocked screen, or one wrong thumb drive and production lines could be paralyzed.

That’s why manufacturers should prepare themselves as if a cyberbreach is inevitable. It’s too easy to be a victim. As a result, mitigating the consequences should be prioritized alongside prevention. Ideally, this process begins even before the breach occurs.

It starts with building an Incident Response Plan. An effective Incident Response Plan can help control the outcome following the attack and minimize the impact to the organization’s financials and operations. With manufacturers committing more resources to cyberbreaches, building an Incident Response Plan should be a no-brainer. However, 66 percent of these companies claim they do not have an effective plan in place to address a breach.

Every effective plan outlines three key points: Incident Response Team members, a response playbook and a strategy for regular testing.

An Incident Response Team should include more than technical and security experts. Yes, they’re a key cog in the machine. They will diagnose the root of the issue and determine the damage done, and it’s their job to effectively interpret the technical details to other members of the team.

But incident response is about more than addressing the issue itself. The team should also include the CEO and senior leadership, corporate communications, legal counsel and even third parties if appropriate. Bring them in early — slow response time to these incidents can have rapid, significant impacts on a brand’s reputation. Keeping the CEO involved can empower the people who are tasked with keeping the organization safe. Sustaining this line of thinking not only helps experts address pressing issues, but also instills an ongoing culture of a focus on security.

A communications professional is needed to draft statements for the press as well as internal audiences, and act as the primary contact for media inquiries. Legal representation is essential to help address potential legal and regulatory issues.

Depending on organizational structure, it may make sense to engage other groups not mentioned. It is important to assess each situation with that in mind.

Once the team is in place, it’s time to start building the response playbook. The playbook should outline processes and individual roles for different, possible scenarios. An organization's response to stolen intellectual property data will be different from its response to a breach that results in compromises in control to heavy machinery. The playbook should reflect that.

When creating your organization’s security playbook, you should include information regarding when to engage each member of the response team, when and how to notify employees and customers and procedures to help mitigate active breaches, for example.

Further, none of the above will be effective without eliminating as much guesswork and uncertainty as possible prior to the actual event. Conducting regular testing and simulations is a great way to accomplish that, and tabletop exercises are increasingly becoming the test of choice. There’s good reason for that.

Tabletop exercises provide all Incident Response Team members the opportunity to run through their roles and practice with other members of the team. These “dress rehearsals” do more than provide familiarity with procedures. Going through the procedure of handling a piece of equipment that goes rogue during a cyberattack, or planning for a breach in proprietary manufacturing plans and technology,  can help identify possible issues and allow the team to discuss and address those issues before they can manifest in an actual breach situation. 

If organizations conduct these exercises regularly, it would take a significant amount of guesswork out of a real-time situation. Alarmingly, fewer than 10 percent of organizations do this now.

Even with all of these protocols in place, organizations still can’t afford to get lazy. They need to re-evaluate every aspect of an Incident Response Plan regularly. Changes in technology, operations and staffing can affect procedures, so it’s important to approach every situation with a security lens.

A detailed Incident Response Plan is not a substitute for education and proper defenses, but it absolutely should not be a decision of either/or. Manufacturing facilities are investing more and more into security, and proper breach response planning should be on every organization’s checklist. Establishing this plan ahead of time is infinitely more desirable than rallying the troops following an actual breach, and can help provide for a measured, organized response to what will be, no doubt, a demanding situation.

Todd Waskelis is VP of Security Consulting Services at AT&T Consulting.

More in Software