Electronic data

  • A_Cyber_Incident_Response_and_Recovery_Framework_to_SupportOperators_of_ICS_and_Critical_National_Infrastructure

    Rights statement: This is the author’s version of a work that was accepted for publication in International Journal of Critical Infrastructure Protection. Changes resulting from the publishing process, such as peer review, editing, corrections, structural formatting, and other quality control mechanisms may not be reflected in this document. Changes may have been made to this work since it was submitted for publication. A definitive version was subsequently published in International Journal of Critical Infrastructure Protection, 37, 2022 DOI: 10.1016/j.ijcip.2021.100505

    Accepted author manuscript, 644 KB, PDF document

    Available under license: CC BY-NC-ND: Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License


A Cyber Incident Response and Recovery Framework to Support Operators of Industrial Control Systems

Research output: Contribution to Journal/Magazine › Journal article › peer-review

Published

Standard

A Cyber Incident Response and Recovery Framework to Support Operators of Industrial Control Systems. / Staves, Alex; Anderson, Tom; Balderstone, Harry et al.
In: International Journal of Critical Infrastructure Protection, Vol. 37, 100505, 31.07.2022.

Vancouver

Staves A, Anderson T, Balderstone H, Green B, Gouglidis A, Hutchison D. A Cyber Incident Response and Recovery Framework to Support Operators of Industrial Control Systems. International Journal of Critical Infrastructure Protection. 2022 Jul 31;37:100505. Epub 2022 Feb 16. doi: 10.1016/j.ijcip.2021.100505

Bibtex

@article{9d055c025d5a45b481b8c2a4832d629d,
title = "A Cyber Incident Response and Recovery Framework to Support Operators of Industrial Control Systems",
abstract = "Over the last decade, we have seen a shift in the focus of cyber attacks, moving from traditional IT systems to include more specialised Industrial Control Systems (ICS), often found within Critical National Infrastructure (CNI). Despite a push from governments to introduce appropriate legislation and guidance for such systems, operators of ICS and CNI still face multiple challenges in their cyber incident response and recovery capabilities, a theme that is often viewed as a last line of defence in minimising the impact of cyber attacks. This paper provides the following contributions: Firstly, we analyse existing standards and guidelines within cyber incident response and recovery. This analysis provides a structure on key response and recovery phases, a foundational understanding of associated requirements for these, and identifies challenges that could affect the quality of in-practice response and recovery capabilities. Using this analysis as a baseline, we examine how response and recovery processes are currently undertaken in practice through engagement with UK-based CNI operators and regulators. Secondly, as a starting point towards improving identified challenges in existing standards and guidelines and their use in practice, we propose a framework, built using the outputs identified from the document analysis and the stakeholder engagement, for use by operators to support them in assessing and improving their response and recovery capabilities.",
keywords = "ICS, CNI, OT, Cyber Security, Cyber Incident, Response and Recovery",
author = "Alex Staves and Tom Anderson and Harry Balderstone and Benjamin Green and Antonios Gouglidis and David Hutchison",
note = "This is the author{\textquoteright}s version of a work that was accepted for publication in International Journal of Critical Infrastructure Protection. Changes resulting from the publishing process, such as peer review, editing, corrections, structural formatting, and other quality control mechanisms may not be reflected in this document. Changes may have been made to this work since it was submitted for publication. A definitive version was subsequently published in International Journal of Critical Infrastructure Protection, 37, 2022 DOI: 10.1016/j.ijcip.2021.100505",
year = "2022",
month = jul,
day = "31",
doi = "10.1016/j.ijcip.2021.100505",
language = "English",
volume = "37",
journal = "International Journal of Critical Infrastructure Protection",
issn = "1874-5482",
publisher = "Elsevier",
}

RIS

TY  - JOUR
T1  - A Cyber Incident Response and Recovery Framework to Support Operators of Industrial Control Systems
AU  - Staves, Alex
AU  - Anderson, Tom
AU  - Balderstone, Harry
AU  - Green, Benjamin
AU  - Gouglidis, Antonios
AU  - Hutchison, David
N1  - This is the author’s version of a work that was accepted for publication in International Journal of Critical Infrastructure Protection. Changes resulting from the publishing process, such as peer review, editing, corrections, structural formatting, and other quality control mechanisms may not be reflected in this document. Changes may have been made to this work since it was submitted for publication. A definitive version was subsequently published in International Journal of Critical Infrastructure Protection, 37, 2022 DOI: 10.1016/j.ijcip.2021.100505
PY  - 2022/7/31
Y1  - 2022/7/31
N2  - Over the last decade, we have seen a shift in the focus of cyber attacks, moving from traditional IT systems to include more specialised Industrial Control Systems (ICS), often found within Critical National Infrastructure (CNI). Despite a push from governments to introduce appropriate legislation and guidance for such systems, operators of ICS and CNI still face multiple challenges in their cyber incident response and recovery capabilities, a theme that is often viewed as a last line of defence in minimising the impact of cyber attacks. This paper provides the following contributions: Firstly, we analyse existing standards and guidelines within cyber incident response and recovery. This analysis provides a structure on key response and recovery phases, a foundational understanding of associated requirements for these, and identifies challenges that could affect the quality of in-practice response and recovery capabilities. Using this analysis as a baseline, we examine how response and recovery processes are currently undertaken in practice through engagement with UK-based CNI operators and regulators. Secondly, as a starting point towards improving identified challenges in existing standards and guidelines and their use in practice, we propose a framework, built using the outputs identified from the document analysis and the stakeholder engagement, for use by operators to support them in assessing and improving their response and recovery capabilities.
AB  - Over the last decade, we have seen a shift in the focus of cyber attacks, moving from traditional IT systems to include more specialised Industrial Control Systems (ICS), often found within Critical National Infrastructure (CNI). Despite a push from governments to introduce appropriate legislation and guidance for such systems, operators of ICS and CNI still face multiple challenges in their cyber incident response and recovery capabilities, a theme that is often viewed as a last line of defence in minimising the impact of cyber attacks. This paper provides the following contributions: Firstly, we analyse existing standards and guidelines within cyber incident response and recovery. This analysis provides a structure on key response and recovery phases, a foundational understanding of associated requirements for these, and identifies challenges that could affect the quality of in-practice response and recovery capabilities. Using this analysis as a baseline, we examine how response and recovery processes are currently undertaken in practice through engagement with UK-based CNI operators and regulators. Secondly, as a starting point towards improving identified challenges in existing standards and guidelines and their use in practice, we propose a framework, built using the outputs identified from the document analysis and the stakeholder engagement, for use by operators to support them in assessing and improving their response and recovery capabilities.
KW  - ICS
KW  - CNI
KW  - OT
KW  - Cyber Security
KW  - Cyber Incident
KW  - Response and Recovery
U2  - 10.1016/j.ijcip.2021.100505
DO  - 10.1016/j.ijcip.2021.100505
M3  - Journal article
VL  - 37
JO  - International Journal of Critical Infrastructure Protection
JF  - International Journal of Critical Infrastructure Protection
SN  - 1874-5482
M1  - 100505
ER  - 