Incident Command System For Industrial Control Systems

A major hurricane hits Florida and takes out the power. Utilities from around the country send linemen, substation engineers and other team members to help recover. A fire is raging in California. Fire companies from around the country send firefighters and equipment to help fight the fire and protect property. Why can't something similar be created to assist companies and industries whose critical ICS is under attack and compromised?

The ICS4ICS idea originated in a session Megan Samford gave at S4x20. After getting encouragement from the S4 tribe, Megan decided to make this happen. The ISA Global Cybersecurity Alliance (ISAGCA) has taken it on as a project. An initial group of asset owners, vendors and government talent has taken the first step of defining roles for the Command Structure, as shown in the diagram below.


Two of the roles are ICS specific:

ICS Systems Analyst

  1. The primary expert in the type of OT environment in which the incident occurred. This includes the sector, vendor, and process involved at the site.
  2. Familiar with ICS-centric systems, software, and architecture, including HMIs, engineering workstations, DCS, and SCADA systems.

ICS Communications Analyst

  1. Familiar with common ICS protocols and their relationship to HMIs, engineering workstations, and the physical process involved at the victim site.

Roles are a key element of an Incident Command System because they allow someone from outside the organization to be inserted into the incident: a consistent skill set and task list is attached to each role, so whoever fills it knows what is expected. The ICS4ICS team is looking for feedback on these roles.

ICS4ICS is one of the S4 Projects selected from S4x20. Our role in this project is primarily creating and spreading content to gain awareness of the effort and encourage progress.