Building a Resilient World:
The ISAGCA Blog

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.

The material and information contained on this website is for general information purposes only. ISAGCA blog posts may be authored by ISA staff and guest authors from the cybersecurity community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.


Addressing the Downstream Effect of a Cyber Attack

Building community-wide resilience through scenario exercises and cyber incident command training

The recent attacks on the Colonial Pipeline Company and a Florida water treatment facility were targeted attacks against a specific entity. The DarkSide group behind the Colonial Pipeline cyberattack used ransomware to threaten the company. Colonial responded by shutting down the pipeline, and a wave of gas shortages cascaded across multiple states.

In the Florida incident, a hacker gained access to the water system and tried to poison the water supply. A worker at the water treatment facility noticed the influx in chemicals and restored balance before it could cause major problems.

These two events are not the first time a real-time system has been impacted or targeted, and they certainly won’t be the last. They provide another round of eye-opening reminders that critical infrastructure is becoming a target of choice for adversaries who recognize the value and advantage of disrupting technology that can threaten or cause downstream kinetic impacts.

By targeting the vulnerabilities that exist with IT/OT convergence points, adversaries achieve a force multiplier effect. When it comes to critical infrastructure, the effects spill out into the community. The resilience of the target, therefore, determines the downstream impact on other community members. If those community members are not properly prepared, then the effects continue spreading.

When you take a step back and notice the full ripple effect of a cyberattack, it becomes more evident that increasing overall resilience requires a whole of community approach. This means that interdependencies are well understood and there is a common language for incident response. This also means that information sharing, reporting, and cross-sector communication are already in place and not scenario-induced.

Two tools that municipality, county, state, federal, and private sector entities can use to strengthen whole of community resilience are the Jack Voltaic Automated Tools for scenario exercises and the Incident Command System for Industrial Control Systems (ICS4ICS) framework for creating a common language. These two resources can help address the cascading effects of a cyberattack across multisector and multidomain environments by identifying and addressing gaps in incident response.

Jack Voltaic Automated Tools

Jack Voltaic is a research experiment series developed by the Army Cyber Institute (ACI) to investigate how cyberattacks can impact multiple critical infrastructure sectors and the corresponding response from both public and private partners. The Jack Voltaic research series was launched in 2016 with the goal of developing a repeatable and adaptable framework that could be used by major cities as part of their cyber incident response standards.

One of the key findings and conclusions from the Jack Voltaic 3.0 event in September 2020 was that a one-size-fits-all framework does not make sense because incident response resources and capabilities are not the same from city to city. Therefore, ACI partnered with an academic institution and software development company to develop automated tools to help planners in cities of any size quickly design and execute a Jack Voltaic-like exercise. Using the tools, planners can shorten the design and development phase of a cyber exercise to a few weeks.

The Jack Voltaic Automated Tools scale the benefit an organization gains by conducting a cyber exercise by supporting participation of public and private stakeholders in the same exercise. The tools provide the capability to stress participants with relevant injects that escalate to a comprehensive multi-sector attack to identify interdependencies, strengths, and weaknesses. The exercise helps identify gaps in capabilities, response plans, and cross-sector communication that can be integrated into a strategy for improving whole of community resilience.

Incident Command System for Industrial Control Systems (ICS4ICS)

The second resource available to help organizations improve cyber resiliency is ICS4ICS, which is a public-private partnership based on the FEMA Incident Command System. Megan Samford, the current chair of the ISA Global Cybersecurity Alliance, created the concept based on firsthand experience managing an incident command system to deal with natural disasters. She realized that the ICS community would benefit from a similar structure to respond to cyber incidents.

ICS4ICS introduces a set of integrated roles to support a synchronized incident command structure that can be further adapted by stakeholders to best fit their environments. ICS4ICS is now an initiative of the ISA Global Cybersecurity Alliance, and FEMA, DHS and INL are serving as government partners and collaborators. The ICS4ICS working group is currently developing response plan templates and finalizing a cyber-first responder credentialing program.

See also: Megan Samford will be giving a talk on ICS4ICS on May 21 at 12pm ET.

By taking a whole of community approach to adopt a cyber incident command structure using a framework like ICS4ICS, organizations enable streamlined communication and information sharing that raises the overall resiliency bar.

Conclusion

Cyberattacks will continue to pose a risk to critical infrastructure, but a whole of community approach to improve resilience can greatly mitigate that risk. The Jack Voltaic Automated Tools provide public and private sector stakeholders with the ability to design and implement cyber exercises that promote continued communication and collaboration for preparedness. ICS4ICS provides a framework for a cyber incident command structure, providing public and private sector stakeholders with a common language and role-based training. Taken together, these tools can decrease the downstream effect of a cyberattack.

Katherine Hutton
Katherine Hutton is a Senior Strategy Consultant for StealthPath, Inc. As an executive with over 15 years of experience in client-facing roles working across the federal government, private sector, and nonprofit sector, she has supported initiatives in cybersecurity, product security, law enforcement, fuel cell technology, nuclear energy, economic development, and transportation, distribution, and logistics. Prior to her current role, she served as a Research Scientist at the Army Cyber Institute (ACI) at West Point where she authored two publications and served as an invited guest speaker at the United States Military Academy. She has also served as a Special Advisor for the Director of the United States Secret Service tasked with evaluating operations and functions across the agency for the purpose of improving efficiency, effectiveness, and management practices. Katherine holds an MBA from Duke University’s Fuqua School of Business and a Bachelor of Science in Biology, Minor in Chemistry from Duke University. She also holds a Master’s of Cybersecurity Strategy and Information Management from George Washington University. Katherine is a proud mother of three and honored to be a military spouse.
