A Cyber Incident Response and Recovery Framework to Support Operators of Industrial Control Systems

Over the last decade, we have seen a shift in the focus of cyber attacks, moving from traditional IT systems to include more specialised Industrial Control Systems (ICS), often found within Critical National Infrastructure (CNI). Despite a push from governments to introduce appropriate legislation and guidance for such systems, operators of ICS and CNI still face multiple challenges in their cyber incident response and recovery capabilities, a theme that is often viewed as a last line of defence in minimising the impact of cyber attacks. This paper provides the following contributions: Firstly, we analyse existing standards and guidelines within cyber incident response and recovery. This analysis provides a structure on key response and recovery phases, a foundational understanding of associated requirements for these, and identifies challenges that could affect the quality of in-practice response and recovery capabilities. Using this analysis as a baseline, we examine how response and recovery processes are currently undertaken in practice through engagement with UK-based CNI operators and regulators. Secondly, as a starting point towards improving identified challenges in existing standards and guidelines and their use in practice, we propose a framework, built using the outputs identified from the document analysis and the stakeholder engagement, for use by operators to support them in assessing and improving their response and recovery capabilities.