Course Description (2-Days)
The ICS Security Incident Response Fundamentals course is tailored for practitioners or equivalent roles, providing insights into current cyber incident response challenges in ICS environments. The course covers the definition of an incident and the unique approach required for ICS environments. It is also beneficial for those new to ICS Incident Response teams. This knowledge is essential for effectively managing daily security incident response operations.
Participants will learn how to protect and support their organization's cyber incident response process and gain an understanding of the stages of the IR process, including the information needed to create an effective IR plan based on ICS4ICS processes. Template plans will be provided for students to complete and take away.
Course Objectives
We aim for staff who may assist in resolving a cyber incident to understand the situation they are entering. This knowledge will help reduce panic and enable a quicker response, leading to a faster return to normal operations. Key objectives include:
- Articulating the difference between an Incident and an Event and identifying both
- Understanding the 6-stage Incident Response process
- Identifying key roles within a standard Incident Response Team
- Understanding the legal and regulatory aspects of cyber incident response
- Handling different types of incidents
Course Content
Session 1: Introduction to the Incident Handling Process
- Defining Incident and Event, and their differences
- Understanding Incident Response
- Challenges of ICS Incident Response
- The Incident Response (IR) lifecycle
- Securing Leadership support
- Developing ICS IR Plans
- Identifying involved personnel
- Composition of the CSIRT
- Assembling a Jump Kit and Grab Bag
- Classification Levels
- Managing Information Flow
- Handling Evidence
- Understanding Containment
- Short-term Containment strategies
- Long-term Containment strategies
- Conducting Investigations
- Main goals of eradication
- Deciding between removal or restoration
- Post-eradication improvements
- Establishing Recovery Objectives
- Validation processes
- Post-Incident Monitoring
- Preparing the Report
- Management Considerations
- Integrating all components together
Target Student
Anyone new to cybersecurity in an ICS Incident Response environment or non-ICS staff needing to understand ICS terminology and its differences from their current roles will benefit from this course. It is also suitable for professionals working in an ICS environment, including:
- Site/Asset Operators
- Procurement/Contract Staff
- Supply Chain Staff
- Site/Asset IT Support Engineers
- Site/Asset Physical Security/Facilities Management Staff
Prerequisites
There are no prerequisites for this course, and a laptop is not required. A course exercise handbook and an ICS Continuity Plan template are provided.