Strengthening incident response efforts in operational technology environments
Abstract
This master thesis examines the main challenges tied to incident response within operational technology environments, as well as the practices organizations involved in essential operations are implementing to secure a successful approach to incident response in such environments. This is based on our research questions: RQ1: What are the main challenges of Incident Response (IR) within Operational Technology (OT) environments? And RQ2: What practices can organizations engaged in essential operations implement for a successful approach towards IR in OT environments? Based on our findings, we intend to present some practices we think are important to ensure a successful approach to IR in OT environments.
Methodologically, this study has an exploratory qualitative approach. This selection is based on the need to examine incident management in OT environments in their natural context. By gathering data through interviews and previous research and applying an inductive analytical approach, this study gives insight into subjective perceptions and opinions among actors in the OT environment. Through our work, we have focused on the emerging meaning and an evolutionary design in which we seek to understand the central principles within the field. Our findings from the study show that organizations are facing multiple challenges considering their IR within OT environments, including the handling of legacy systems, the need for continuous operation, the implementation of security updates, and the dependency on third-party vendor support and maintenance. Competence and culture within the organization also play a pivotal role in securing effective IR. Respondents highlight the importance of having robust detection mechanisms and conducting regular exercises and training to improve preparedness.
The implications show that although our findings support existing theory considering the importance of having a solid plan for IR, they also contribute new insights that were not explicitly noted in our systematic literature review. Our study highlights the necessity of dynamic and flexible frameworks for responsibility during incidents, as well as the need for integrated cooperation between IT and OT departments. Other practical implications include recommendations considering the implementation of immutable backups for data integrity, the use of sandboxing, and the development of clear procedures and roles during the IR. The study also underscores the importance of defense-in-depth strategies and diversifying the use of third-party vendors to reduce their vulnerability. To ensure that organizations can have a successful approach to IR within OT environments, they should implement clear procedures for role delegations and decisions, develop risk assessments, secure continuous revision of security procedures, and promote a culture of security awareness and skill development.