8 Recommendations for Utility Operators to Consider When Responding to a Cyber Attack


Nearly 20 utilities from countries within Europe and Eurasia recently participated in ETAG Cyber Resiliency Challenge exercises, a preparedness and response training activity that simulates a cyberattack on critical infrastructure.

The exercises were developed by U.S. industry experts, in accordance with best practices. They share 8 helpful recommendations for utility operators to consider in the event of a suspected cyberattack:

  1. Determine if an incident is an attack or a business-as-usual event. Build the internal capacity to identify, aggregate, and review—in real time—all appropriate log sources to enable swift identification of potentially problematic adversary behavior.
     
  2. Develop a roles and responsibilities matrix. Use the matrix to build organizational alignment and muscle memory of the sequences of steps and individuals’ responsibilities that will enable the organization to manage and recover from an attack.
     
  3. Prioritize response assets and actions. Ensure all stakeholders—including management—understand and agree on the systems and assets that are most critical to your organization and that will be restored first.
     
  4. Ensure network topology diagrams and asset inventories are accurate and up to date. If necessary, seek additional support to develop or update these diagrams, and seek out training on automated techniques to establish and maintain these records.
     
  5. Form an incident response team. Define team members’ roles and responsibilities, and ensure one team member will lead all communication with non-technical and executive stakeholders. Encourage cross-training of team members (including between IT and operations technical teams) and conduct regular incident response drills.
     
  6. Account for lateral movement and segregate networks. Review architectures and processes to identify ways to more effectively segregate networks to prevent lateral movement, swiftly isolate critical systems, and contain compromised systems.
     
  7. Communicate securely. Implement and utilize secure communication alternatives in the event that primary methods of communication are compromised.
     
  8. Secure backups. Back up—do not merely replicate—key data in isolated locations, ideally with some offline retention. Backup systems should be hardened, require multi-factor authentication, and should be tested at least once a year.

The USEA Energy Technology and Governance Program’s Cyber Resiliency Challenge was implemented with support from the United States Agency for International Development.

Related Resources:
Project Profile: Cyber Resiliency Challenge
Critical Utilities In Europe and Eurasia Participate In ETAG Cyber Resiliency Challenge
USAID Press Release on the Cyber Resiliency Challenge