Sports teams have been using playbooks to win games with great success. IT incident response playbooks are already an invaluable tool to “win” (prevent or minimize impact) in the case of a cybersecurity incident or foe. Critical infrastructure and industrial processes ALREADY have incident response playbooks to guide actions to minimize impact for their plant, their employees, and even the public. I will show you the power of adding OT security response plays in your playbook to help your team redefine the game to win. https://www.youtube.com/watch?v=mYgKo5fg0og&ab_channel=BSidesAugusta

1. The Power of the
OT Security Playbook
Chris Sistrunk, PE
Technical Manager, ICS/OT
Mandiant

2. Chris Sistrunk, PE
Mandiant (8+ years)
▪ Technical Manager
▪ Mandiant ICS/OT ConsultingTeam
Entergy (11+ years)
▪ Power Engineer
▪ SCADA & SubstationAutomation
▪ Substation SecurityTeam
BSidesJackson, BEER-ISAC, #NAPCON, #DJaaS

3. Wisdom
“Everyone has a plan until they get punched in the mouth.”
MikeTyson
“It's how you react to that adversity that defines you, not the
adversity itself.”
Mike Berardino, South Florida Sun-Sentinel
“Safety rules are written in blood.”
R.L. Grubbs, Senior Safety Specialist, Entergy

4. Response Plans & Playbooks Aren’t New

5. Where there’s an incident…
There should be a plan….right?
▪ Incident Response Plans & Playbooks
– NIST SP800-61 Revision 2 Computer Security
Incident HandlingGuide
– CISA Federal Gov. Cybersecurity Incident &
Vulnerability Response Playbooks
▪ Incident Command System structure
– https://www.fema.gov/incident-command-
system-resources

6. Hurricane Ian
(Image
credit:
RAMMB/CIRA/CSU)

7. Hurricane Ian
https://www.facebook.com/Linejunk/photos/a.254076281414434/2378855028936538/

9. ICS4ICS
Adding control system cybersecurity
incident response to the FEMA / NIMS ICS
framework
▪ https://gca.isa.org/ics4ics

10. Know your role

11. Know your role
Who do we call and when?
Engineers
Network Admins
PR, Safety
Legal, HR,Vendors
IR Retainer

12. OT Incident Response
IT/OT Differences
• When/Where/How is the ICS affected?
Assess the situation
• Return the ICS to normal quickly and safely
Define objectives
• ICS devices have RTOS and ICS protocols
Collect evidence
• Analysis must be done to verify anomalies
Perform analysis
• Regularly report status to management
Communicate
• How/When to regain control of the ICS
Develop remediation plan
• Write a report of what exactly happened
Document findings
Similar
Physical Processes
Must be collected
manually
No ICS-specific
DFIR tools
Similar
ICS devices have
constraints
Similar
!
!
!
!

13. IR Plan Objectives
Determine a course of action (triage then act)
– Return the system to normal quickly and safely
– Safety is #1, Availability is #2
– There’s no best way
Incident Response Plan
– Playbooks / Use Cases
13

15. Use Cases & Playbooks
Breaks down the Incident Response Plan
▪ Use Cases
– Scenarios that drive the development of playbooks
▪ Playbook / Runbook
– Step-by-step instructions that the IRTeam uses to remediate the incident
– Manual
– Automatic
– Hybrid

16. Example Use Cases
1. Commodity Malware
– Conficker, Ramnit, Kegotip
2. Credential Compromise
– Ukraine 2015 attack, PLC ladder logic change (INLAurora)
3. Destructive Attack
– KillDisk, overwriting firmware (Ukraine 2015)
– “Wiper malware (NotPetya) or ransomware spreading
4. ICS ProtocolAttack
– Stuxnet, Industroyer1 (Ukraine 2016),Triton, Industroyer2 (Ukraine 2022)
– Incontroller (no victims but worth studying)

17. Remediations
Remediation for each play
Examples:
▪ Restore backups
▪ Reset passwords
▪ Sever/Isolate the OT network
▪ Utilize critical spares
“RUN IT!”

18. Practice & Review the Tape
Tabletop exercises
Lessons Learned / Past AAR
Threat modeling
Reviewing threat intelligence
Use / design real-world scenarios
to drive preparation & response

19. Resource: Public Power Playbook
This FREE playbook fromAPPA helps small
power utilities
▪ prepare a cyber incident response plan
▪ prioritize actions and engage the right
people during cyber incident response
▪ coordinate messaging
https://www.publicpower.org/system/files/
documents/Public-Power-Cyber-Incident-
Response-Playbook.pdf

20. Alright Stop
Collaborate with ICS vendors
They may already have steps
documented that you can use in
response playbooks
They will likely need to be involved
if the incident directly impacts their
equipment > they know it best

21. Don’t over-complicate things
More wisdom from football:
▪ https://joedanielfootball.com/overcomplicate-defensive-playbook/
“The best defense against any offense, is your defensive playbook. No
one else’s. What do you do best?”
“You don’t need every coverage… Every coverage has a weakness so
choose a complimentary coverage that takes away that weakness.”
“A complicated playbook won’t win football games for you if the
players can’t execute.You should strive to keep your playbook as simple
as you can”

22. Run it!
You have designed plays for each phase
▪ Use your players’ strengths
▪ Exploit attacker weaknesses
Remember what you practiced, and react
to that adversity
Finish strong!

23. Knowledge & preparation are powerful
Create an OT Incident Response Plan
 Review what you already have
 Reference IT IRP and OT DRP
 Leverage your security and engineering pros
Define use cases for different scenarios
 Start small & don’t overcomplicate (4 OT use cases)
 Use them to create simple, solid playbooks
Practice!
 UseTTX to hone the IR team skills
 Provide feedback to IRP and Playbooks to improve

24. REDEFINE THE WIN!
Minimize incident impact with
preparation, early detection, &
response.
Halting the attacker anywhere in
the cycle stops them from
achieving their objective!
Transparency and information
sharing will help other targeted
orgs or potential victims.

25. E T N T E
C W C
M S
FS
WR WR
w w
Q
RB
Questions?

26. Thank you!
@chrissistrunk
chris.Sistrunk@mandiant.com