Propositions For Effective Cyber Incident Handling
All content following this page was uploaded by Jung-Woon Lee on 10 May 2019.
Jung-Woon Lee*, Jae-Gu Song, Jun Young Son, and Jong-Gyun Choi
Nuclear ICT Research Division, Korea Atomic Energy Research Institute, Daejeon, Republic of Korea
*Corresponding author: leejw@kaeri.re.kr
list of potential cyber attacks against ICS will help the development of criteria.

Hardware and software configuration baselines should be prepared. The baselines will be used to identify any changes made to systems and assets during the detection and diagnosis phase.

Device and system integrity checking methods and tools also need to be developed for detection and diagnosis purposes.
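The baseline and integrity check described above, as an added example that is not code from the paper or from KAERI: a directory tree of a digital asset is hashed into a baseline, the baseline is protected by its own fingerprint so that a rewritten baseline file is noticed, and a later snapshot is compared against it to list added, removed and modified files. The directory layout, file contents and the changes introduced in `demo()` are constructed for the demonstration.

```python
"""Configuration baseline and integrity check for digital assets.

Added example, not code from the paper: build a hash baseline of a
directory tree, fingerprint the baseline itself, and diff a later
snapshot against it. The asset tree in demo() is constructed.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

HASH_ALGO = "sha256"
CHUNK = 1 << 16


def file_digest(path: Path) -> str:
    """Hash in chunks so firmware images or historian files need not fit in memory."""
    h = hashlib.new(HASH_ALGO)
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Record digest, size and permission bits of every regular file under root.

    Keys are POSIX-style paths relative to root, so one baseline can be
    checked against identically configured units (e.g. redundant controllers).
    """
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # regular files only; a symlink would hash its target
            st = p.stat()
            entries[p.relative_to(root).as_posix()] = {
                "digest": file_digest(p),
                "size": st.st_size,
                "mode": oct(stat.S_IMODE(st.st_mode)),
            }
    return entries


def fingerprint(entries: dict) -> str:
    """Digest of the canonical baseline; keep it off the monitored host so a
    tampered baseline file cannot silently hide a change."""
    canon = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.new(HASH_ALGO, canon).hexdigest()


def save_baseline(entries: dict, path: Path) -> str:
    path.write_text(json.dumps(entries, sort_keys=True, indent=1))
    return fingerprint(entries)


def load_baseline(path: Path, expected_fp: str) -> dict:
    entries = json.loads(path.read_text())
    if fingerprint(entries) != expected_fp:
        raise ValueError("baseline file does not match its recorded fingerprint")
    return entries


def compare(baseline: dict, current: dict) -> dict:
    """Classify paths as added, removed or modified (listing the attributes that differ)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        b, c = baseline[rel], current[rel]
        diff = [k for k in ("digest", "size", "mode") if b[k] != c[k]]
        if diff:
            modified[rel] = diff
    return {"added": added, "removed": removed, "modified": modified}


def _write(path: Path, data: bytes, mode: int = 0o644) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)
    path.chmod(mode)


def demo() -> dict:
    """Constructed scenario: baseline a small asset tree, then introduce one
    content change, one permission-only change, one deletion and one new file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "asset"
        _write(root / "plc/app/logic.bin", b"\x00\x01" * 8)
        _write(root / "hmi/config/alarms.cfg", b"alarm_limit=42\n")
        _write(root / "hmi/config/users.cfg", b"operator\n")
        fp = save_baseline(snapshot(root), Path(tmp) / "baseline.json")

        # Changes made after the baseline (constructed for the demo)
        _write(root / "plc/app/logic.bin", b"\x00\x01" * 8 + b"\xff")  # content and size
        (root / "hmi/config/alarms.cfg").chmod(0o444)                   # permissions only
        (root / "hmi/config/users.cfg").unlink()                         # removed
        _write(root / "plc/app/unexpected.bin", b"\x90" * 4)            # added

        baseline = load_baseline(Path(tmp) / "baseline.json", fp)
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Running the script prints the comparison for the constructed tree. Two points follow from the propositions above: the baseline fingerprint must be stored away from the monitored asset, since a baseline the intruder can rewrite detects nothing, and for field devices that expose no filesystem the same comparison is applied to exported logic and configuration dumps, which is where the device-specific tooling the paper calls for is needed.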
Mitigation strategies for critical digital assets should be developed by considering the configurations of the systems under the conditions produced by the attacks in the accepted list of potential cyber attacks. The strategies should be incorporated into mitigation procedures.

3) Development of forensic and incident analysis technology

ICS processes a large amount of data in real time. Data collection and analysis technologies for ICS environments need to be developed, especially for field devices and other assets whose characteristics differ from those of IT systems. The methods and tools should be fitted to each type of digital asset. Volatile data collection and live incident analysis should be considered in the development.

4) Development of Incident Response Training

Training tools and content should be developed, based on the incident response procedures, so that the relevant personnel can practice the incident response process.

3. Conclusions

Establishing and maintaining cyber incident response capabilities is important in nuclear facilities. Based on a survey of cyber incident handling processes, a model consisting of monitoring, incident response, and forensics stages is proposed. R&D activities to establish effective monitoring, incident response, and forensics capabilities in nuclear facilities are suggested.