
Wed, May 01


Virtual Event

Under Fire - Lessons Learned in OT Incident Response


DETAILS

May 01, 2024, 1:00 PM – 2:30 PM EDT


ABOUT

Operational technology (OT) systems face a rising number of cyber security incidents. Some well-known OT incidents were targeted attacks, but more commonly IT-specific incidents indirectly impact OT. Whether it is an attack targeting OT, an IT ransomware attack that indirectly shuts down operations, or old Windows malware on an infected USB drive, they all cause headaches for the unprepared.

This session discusses practical OT incident response approaches that leverage existing people, processes, tools, & relationships, e.g.:

• Theory of 99: Almost All Threat Activity Happens in Windows & Linux Systems.

o There is large overlap across bad actors’ TTPs targeting IT & OT networks. While involving OT experts is key, most IR collection & analysis in OT environments is like IR in IT environments.

o Most organizations already have DR & business continuity plans for OT; the win is in injecting cybersecurity.

• OT playbooks are key in IR preparation.

o Mandiant’s DFIR for OT framework guides preparation for incidents involving embedded systems. Fewer tools for OT device forensics are available than for Windows & Linux, so we use available PLC & RTU logs & what vendor software collects & analyzes. We’ve released 2 embedded DFIR tools, but OT vendors must often help with forensic analysis for proprietary PLCs.

o Often OT field SMEs already perform most preparation & collection steps routinely for maintenance. Writing their steps, tools, & processes into a playbook will make IR more effective.

o Playbooks following these use cases are crucial:

  ▪ Commodity malware in OT

  ▪ Ransomware / wiper malware in OT

  ▪ OT credential compromise

  ▪ OT protocol attack

• Incident response training & conducting tabletop exercises are key.

o Assess OT IR capabilities across IT, OT, & with OT vendors. Do you have an IR retainer with an outside provider?

I will discuss lessons learned from several recent real-world OT incidents. No identifying information will be shared, only technical details of the OT IR process.

Speaker

Chris Sistrunk

Technical Leader at Mandiant

(CS)²AI Founding Fellow

Register Here: https://attendee.gotowebinar.com/register/113978013006272341?source=05012024Orgsite
