Propositions for Effective Cyber Incident Handling

Conference Paper · October 2018
Transactions of the Korean Nuclear Society Autumn Meeting
Yeosu, Korea, October 25-26, 2018

Jung-Woon Lee*, Jae-Gu Song, Jun Young Son, and Jong-Gyun Choi
Nuclear ICT Research Division, Korea Atomic Energy Research Institute, Daejeon, Republic of Korea
Corresponding author: leejw@kaeri.re.kr

1. Introduction

Digital technologies have been applied expansively to nuclear instrumentation and control (I&C) systems. This application has raised cyber security issues. The U.S. NRC published Regulatory Guide 5.71 (RG 5.71) in 2010 [1]. The Korea Institute of Nuclear Nonproliferation and Control (KINAC) has prepared the regulatory standard RS-015 [2] based on RG 5.71. Korean nuclear facilities have submitted their cyber security plans (CSP) and have implemented the elements of the CSP.

According to the regulatory documents [1] and [2], the cyber security plan must include incident response and recovery measures by describing how to:
- maintain the capability for timely detection of and response to cyber attacks,
- mitigate the consequences of cyber attacks,
- correct exploited vulnerabilities, and
- restore systems, networks, and equipment affected by cyber attacks.

Nuclear I&C systems are a form of industrial control system (ICS). ICS is a general term that encompasses several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system configurations such as programmable logic controllers (PLC) often found in the industrial sectors and critical infrastructures [3]. Typically, an ICS consists of field devices such as remote terminal units (RTU), PLCs, and intelligent electronic devices (IED), control servers, engineering workstations, data historians, human-machine interfaces (HMI), and network communication devices [3]. These components can also be found in nuclear I&C systems.

Stuxnet in 2010 was the first malware to specifically target SCADA systems and PLCs [4]. There have been many other prominent cyber attacks against ICS [5]. From these incidents, it is clear that a well-prepared cyber incident response capability is important to detect and respond to cyber incidents in a timely

In this paper, models of the cyber incident handling process are surveyed. Based on this survey, a model of the cyber incident handling process is proposed, and research and development (R&D) activities to establish effective incident handling capabilities are suggested.

2. Models of Cyber Incident Handling Process

In this section, models of the cyber incident handling process in both information technology (IT) environments and ICS environments are reviewed. The phases and tasks in the models are analyzed in consideration of their application in Korean nuclear facilities.

2.1 Models in IT Environments

The cyber incident analysis process guide by the Korea Internet and Security Agency (KISA) [6] is guidance for incident response in domestic IT environments. It describes the seven steps of the cyber incident response process: 1) preparation, 2) detection, 3) initial response, 4) response strategy development, 5) incident investigation, 6) reporting, and 7) recovery and resolution, as illustrated in Fig. 1.

Fig. 1. Seven steps of cyber incident response [6]

NIST SP 800-61 [7] depicts the incident response process as consisting of the phases: 1) preparation; 2) detection and analysis; 3) containment, eradication, and recovery; and 4) post-incident activity. NIST SP 800-86 [8] provides a guide to integrating forensic techniques with incident response. The forensic process in that report includes data collection, examination, analysis, and reporting.

The cyber incident handling program of the U.S. Department of Defense [9] describes a cyber incident handling process grouped into the following phases: 1) detection of events; 2) preliminary analysis and identification of incidents; 3) preliminary response actions; 4) incident analysis; 5) response and recovery; and 6) post-incident analysis. Fig. 2 shows these phases.

Fig. 2. Cyber incident handling process [9]

2.2 Models in ICS Environments

According to [10], planning, incident prevention, and post-incident analysis/forensics (the top three elements in Fig. 3) are the elements of cyber incident response capability that are proactive in nature: they prevent an incident or better allow the organization to respond when one occurs. Detection, containment, remediation,

and recovery and restoration (the bottom four elements in Fig. 3) are the elements for detecting and managing an incident once it occurs.

Fig. 3. Incident response key elements [10]

In [11], the core components of cyber incident response with an embedded forensics component are: 1) detection; 2) response initiation; 3) incident response action/forensic collection; 4) incident recovery/forensic analysis; and 5) incident closure/forensic reporting.

In [12] and [13], the post-incident (forensic) analysis process includes 1) examination, 2) identification of evidence, 3) collection of evidence, 4) analysis of evidence, and 5) documentation of the process and results. In [12], a cyber incident response process quite similar to that in [11] is also described. The ICS incident response process with a forensic approach in [14] consists of 1) preparation of control system baselines, network monitoring, logging, tools, an incident response team, an incident response plan, and training; 2) volatile and non-volatile evidence preservation; 3) evidence analysis; 4) restoration; and 5) lessons learned. Other incident forensic processes can be found in [15], [16], and [17]. These are illustrated in Figs. 4, 5, and 6.

An IAEA document for nuclear facilities [18] also describes the phases of computer incident response with a list of tasks and their assignment to incident response team members. The phases are 1) preparation, 2) detection and analysis, 3) mitigation (containment, eradication, and recovery), 4) post-incident activity, and 5) reporting. Most of the tasks described in this document, however, are not specific to the ICS environment.

Fig. 4. Incident response forensic process [15]

Fig. 5. SCADA incident response and forensic process [16]

Fig. 6. SCADA forensic incident response model [17]

3. Proposed Model and R&D Suggestions

In this section, a model for cyber incident handling is proposed and R&D activities are suggested to establish effective incident handling capabilities.

3.1 Proposed Model of Incident Handling Process

A model of three stages, namely monitoring, incident response, and forensics, as shown in Fig. 7, is proposed in consideration of the aspects of incident handling capability.

Fig. 7. Proposed incident handling model

Detecting an incident early will help to limit or even prevent possible damage and reduce the downstream efforts to contain, eradicate, recover, and restore the affected systems [10]. Two general approaches can detect an ICS cyber security incident. The first is

through user observation of abnormal system or component behavior. The second is through automated detection systems or sensors [6, 9, 10, 18]. Monitoring capability is important for effective detection, since it allows the incident response process to start. It is difficult to determine whether abnormal symptoms are associated with a malicious attack or with a usual component malfunction [19, 20]. In this sense, the proposed model incorporates process monitoring as well as security monitoring in the monitoring stage. Depending on incident characteristics, in some incidents digital forensics technologies may need to be applied by specially trained forensic examiners during the incident response stage [15]. A link between the incident response stage and the forensics stage is therefore placed in the model.

Based on the survey of the models in Section 2, the actions to be performed in the three phases of the incident response stage are collected and described as follows:

1) Detection & Diagnosis Phase
- Identify suspicious behavior or cyber events of interest
- Prepare to handle the event
  - collect all relevant information about the event, such as design documents, network diagrams, configuration baselines, change logs, and authentication credentials
  - prepare incident analysis hardware and software
- Analyze precursors and indicators
- Look for correlating information
- Determine if the event is a reportable cyber event or incident
- Determine potentially infected areas
- Compare the characteristics of digital assets involved in the event to known baselines
- Check the integrity of digital assets involved in the event, if possible
- Perform a preliminary impact assessment and determine potential damage
- Categorize the event and classify the security level
- Determine if immediate actions are required to place the facility in a safe and secure condition
- Perform immediate response actions
  - contain the incident
  - identify data sources based on the type of incident
  - safely acquire and preserve the integrity of all data to allow for further incident analysis

2) Incident Analysis & Response Phase
- Assess the impact of volatile data capture on the safety and operation of the system
- Collect and preserve information
  - collect volatile evidence
  - collect non-volatile evidence
- Perform incident analysis
  - develop a timeline of the incident
  - determine delivery vector(s)
  - determine system weaknesses
  - identify root cause(s)
  - expand the previous impact assessment
- Develop a mitigation strategy
- Research and develop courses of action
- Eradicate the incident
- Identify and mitigate all vulnerabilities that were exploited
- Remove malware, inappropriate materials, and other components
- Recover from the incident

3) Post-Incident Analysis Phase
- Develop lessons learned
- Enhance security measures to prevent re-infection

Non-technical matters such as coordination, reporting, escalation, and documentation are not included in this list of actions. However, they should be considered in the development of site-specific incident response strategies and procedures.

3.2 Research and Development Suggestions

Based on the three stages of the model, R&D activities are suggested. Present nuclear I&C systems have many different types of digital assets from many different vendors. This means that the results of development for one plant or one type of asset cannot be effective or applicable to other plants or other types of assets. Hence, development should be plant-specific and dependent on the characteristics of the assets.

1) Development of a cyber event monitoring system

For the enhancement of monitoring capability, a cyber event monitoring system should be implemented. Cyber event monitoring technology for IT environments is widely used, but applying it to ICS environments needs adjustments or new developments. Automated detection systems, such as network intrusion detection systems, protocol-based intrusion detection systems, host-based intrusion detection systems, and network and device logging and analysis systems, should be developed and installed.

2) Development of incident response strategies and procedures

For the enhancement of incident response capability, procedures with if-then rule-based and step-by-step descriptions of actions are necessary, especially for the detection and diagnosis phase of the incident response stage.

Existing procedures addressing plant abnormal states, such as abnormal operation procedures and alarm procedures, need to incorporate decision points to identify whether abnormal events are cyber-related, so that the diagnosis of events can be transferred to the incident response process.

Criteria to determine whether detected suspicious symptoms or anomalies are a cyber incident or not should be developed based on the monitoring capabilities implemented in a specific plant. The criteria should be included in the procedures for the detection and diagnosis phase. Experiments on a test-bed to explore the system changes that may be incurred by an acceptable list of potential cyber attacks against ICS will help the development of the criteria.
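As an added illustration of such a decision point (this is not the paper's code or a plant procedure), the following sketch applies if-then criteria to one process alarm by correlating it with security-monitoring events on the same asset; the asset names, event kinds, window, and rules are constructed assumptions that a real plant would replace with its own criteria.

```python
# Added example (not from the paper): a rule-based decision point that
# correlates process-monitoring alarms with security-monitoring events and
# decides whether an abnormal event should be handed to the incident
# response process. Assets, event kinds, rules and thresholds are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    time: datetime
    source: str      # "process" (plant alarm) or "security" (IDS, host log, ...)
    asset: str       # digital asset the event refers to
    kind: str        # e.g. "setpoint_deviation", "config_change", "new_connection"

# Constructed sample: a process alarm on a PLC, preceded shortly by
# security-monitoring events on the same asset, and an unrelated pump alarm.
SAMPLE = [
    Event(datetime(2018, 10, 25, 9, 0, 5), "security", "PLC-FW-01", "new_connection"),
    Event(datetime(2018, 10, 25, 9, 0, 40), "security", "PLC-FW-01", "config_change"),
    Event(datetime(2018, 10, 25, 9, 2, 10), "process", "PLC-FW-01", "setpoint_deviation"),
    Event(datetime(2018, 10, 25, 11, 30, 0), "process", "PUMP-02", "sensor_drift"),
]

WINDOW = timedelta(minutes=10)   # correlation window (assumed value)
STRONG = {"config_change", "integrity_mismatch", "unauthorized_login"}

def diagnose(alarm: Event, events: list) -> tuple:
    """Apply if-then criteria to one process alarm; return (decision, reasons)."""
    # Rule 1: collect security events on the same asset shortly before the alarm
    related = [e for e in events
               if e.source == "security" and e.asset == alarm.asset
               and alarm.time - WINDOW <= e.time <= alarm.time]
    reasons = [f"{e.kind}@{e.time:%H:%M:%S}" for e in related]
    # Rule 2: a strong indicator on the asset -> reportable cyber event candidate
    if any(e.kind in STRONG for e in related):
        return "cyber_incident_candidate", reasons
    # Rule 3: weaker correlated indicators -> escalate for incident analysis
    if related:
        return "escalate_for_analysis", reasons
    # No security context -> keep handling under the abnormal operation procedure
    return "component_malfunction_suspected", reasons

def run_decision_points(events: list) -> dict:
    """Evaluate every process alarm; map 'asset/kind' to the decision taken."""
    return {f"{e.asset}/{e.kind}": diagnose(e, events)[0]
            for e in events if e.source == "process"}

if __name__ == "__main__":
    for key, decision in run_decision_points(SAMPLE).items():
        print(key, "->", decision)
```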

Hardware and software configuration baselines should be prepared. The baselines will be used to identify any changes made in systems and assets during the detection and diagnosis phase.

Device and system integrity checking methods and tools also need to be developed for detection and diagnosis purposes.

Mitigation strategies for critical digital assets should be developed by considering the configurations of systems under the circumstances incurred by an acceptable list of potential cyber attacks. The strategies should be incorporated into mitigation procedures.
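As an added example of the baseline comparison and integrity check described above (not code from the paper), the following compares a stored baseline of one digital asset with a current snapshot and reports every deviation; the asset name, configuration keys, and service names are constructed samples.

```python
# Added example (not from the paper): comparing a digital asset's current
# characteristics against a stored configuration baseline, as used in the
# detection and diagnosis phase. Asset names, keys and values are constructed.
import hashlib
import json

def fingerprint(blob: bytes) -> str:
    """SHA-256 of a firmware image or configuration file."""
    return hashlib.sha256(blob).hexdigest()

def snapshot(asset: str, firmware: bytes, config: dict, services: set) -> dict:
    """Record the characteristics of one asset in a comparable form."""
    return {
        "asset": asset,
        "firmware_sha256": fingerprint(firmware),
        "config_sha256": fingerprint(json.dumps(config, sort_keys=True).encode()),
        "config": config,
        "services": sorted(services),
    }

def compare_to_baseline(baseline: dict, current: dict) -> dict:
    """Return every deviation; an empty dict means the integrity check passes."""
    if baseline["asset"] != current["asset"]:
        raise ValueError("baseline and snapshot refer to different assets")
    findings = {}
    for key in ("firmware_sha256", "config_sha256"):
        if baseline[key] != current[key]:
            findings[key] = {"baseline": baseline[key], "current": current[key]}
    # Report which configuration keys changed, not only that the hash differs
    for k in set(baseline["config"]) | set(current["config"]):
        b, c = baseline["config"].get(k), current["config"].get(k)
        if b != c:
            findings[f"config.{k}"] = {"baseline": b, "current": c}
    added = set(current["services"]) - set(baseline["services"])
    removed = set(baseline["services"]) - set(current["services"])
    if added or removed:
        findings["services"] = {"added": sorted(added), "removed": sorted(removed)}
    return findings

# Constructed sample: baseline taken at commissioning, snapshot taken now
BASELINE = snapshot("PLC-FW-01", b"firmware v2.1",
                    {"scan_ms": 50, "remote_prog": False}, {"modbus"})
CURRENT = snapshot("PLC-FW-01", b"firmware v2.1",
                   {"scan_ms": 50, "remote_prog": True}, {"modbus", "http"})

if __name__ == "__main__":
    print(json.dumps(compare_to_baseline(BASELINE, CURRENT), indent=2))
```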
3) Development of forensic and incident analysis technology

An ICS processes a large amount of data in real time. Data collection and analysis technologies for ICS environments need to be developed, especially for field devices and other assets having characteristics different from those in IT environments. The methods and tools should be fitted to the type of digital asset. Volatile data collection and live incident analysis should be considered in the development.

4) Development of incident response training

Training tools and contents should be developed based on the incident response procedures, so that relevant personnel can practice the incident response process.

4. Conclusions

Establishing and maintaining cyber incident response capabilities is important in nuclear facilities. Based on the survey of cyber incident handling processes, a model consisting of monitoring, incident response, and forensics stages is proposed. R&D activities to establish effective monitoring, incident response, and forensics capabilities in nuclear facilities are suggested.
REFERENCES

[1] Regulatory Guide 5.71, Cyber Security Programs for Nuclear Facilities, U.S. Nuclear Regulatory Commission.
[2] KINAC/RS-015, Technical standard for the security of computer and information systems in nuclear facilities, Rev. 1, KINAC, 2014.
[3] Keith Stouffer, Victoria Pillitteri, Suzanne Lightman, Marshall Abrams, and Adam Hahn, SP 800-82, Rev. 2, Guide to Industrial Control System (ICS) Security, National Institute of Standards and Technology (NIST), Gaithersburg, MD, United States, May 2015.
[4] Barak Perelman, The Rise of ICS Malware: How Industrial Security Threats Are Becoming More Surgical, February 21, 2018. Accessed on July 30, 2018.
[5] Derbyshire, R., Green, B., Prince, D., Mauthe, A., & Hutchison, D., An Analysis of Cyber Security Attack Taxonomies. In 2018 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW). IEEE, April 2018.
[6] Cyber Incident Analysis Process Guide, Korea Internet and Security Agency (KISA), 2010.
[7] Cichonski, P., Millar, T., Grance, T., & Scarfone, K., SP 800-61 Rev. 2, Computer Security Incident Handling Guide. Tech. rep., National Institute of Standards & Technology (NIST), Gaithersburg, MD, United States, 2012.
[8] Kent, K., Chevalier, S., Grance, T., & Dang, H., SP 800-86, Guide to Integrating Forensic Techniques into Incident Response. National Institute of Standards & Technology (NIST), Gaithersburg, MD, United States, 2006.
[9] U.S. Department of Defense, Chairman of the Joint Chiefs of Staff Manual, Cyber Incident Handling Program: CJCSM 6510.01B, 10 July 2012 (Directive Current as of December 18,).
[10] Department of Homeland Security, Recommended Practice: Developing an Industrial Control Systems Cybersecurity Incident Response Capability. Technical report, Department of Homeland Security, 2009.
[11] Mark Fabro and Eric Cornelius, Recommended Practice: Creating Cyber Forensics Plans for Control Systems. Department of Homeland Security, 2008.
[12] Pauna, A., Moulinos, K., Lakka, M., May, J., & Tryfonas, T., Can We Learn from SCADA Security Incidents. White Paper, European Union Agency for Network and Information Security (ENISA), Heraklion, Crete, Greece, 2013.
[13] Spyridopoulos, T., Tryfonas, T., & May, J. H. R., Incident Analysis & Digital Forensics in SCADA and Industrial Control Systems. In System Safety Conference incorporating the Cyber Security Conference 2013, 8th IET International (pp. 1-6). Institution of Engineering and Technology (IET), 2013. DOI: 10.1049/cp.2013.1720
[14] Folkerth, Lew, Forensic Analysis of Industrial Control Systems, SANS Institute InfoSec Reading Room, September 2015. Accessed on July 6, 2018. https://www.sans.org/reading-room/whitepapers/forensics/forensic-analysis-industrial-control-systems-36277
[15] Wu, T., Disso, J. F. P., Jones, K., & Campos, A., Towards a SCADA Forensics Architecture. In Proceedings of the 1st International Symposium for ICS & SCADA Cyber Security Research (Vol. 12), September 2013.
[16] Betts, M., Stirland, J., Olajide, F., Jones, K., & Janicke, H., Developing a State of the Art Methodology & Toolkit for ICS SCADA Forensics. Int. J. Ind. Control Syst. Secur. (IJICSS), 1(2), 44-56, 2016.
[17] Eden, P., Blyth, A., Jones, K., Soulsby, H., Burnap, P., Cherdantseva, Y., & Stoddart, K., SCADA System Forensic Analysis Within IIoT. In Cybersecurity for Industry 4.0 (pp. 73-101). Springer, Cham, 2017.
[18] International Atomic Energy Agency, Computer Security Incident Response Planning at Nuclear Facilities, IAEA, Vienna, 2016.
[19] Johnson, C. W., Harkness, R., & Evangelopoulou, M., Forensic Attacks Analysis and the Cyber Security of Safety-Critical Industrial Control Systems. In Proceedings of the 34th International System Safety Conference, Orlando, USA, 8-12 August 2016, International System Safety Society, Unionville, Virginia, USA, 2016.
[20] Takano, M., ICS Cybersecurity Incident Response and the Troubleshooting Process. In 2014 Proceedings of the SICE Annual Conference (SICE), Sapporo, 2014, pp. 827-832.

