MIT Libraries: DSpace@MIT

A Case Study for Cyber Incident Report in Industrial Control Systems

Author(s)
Ang, Kim Whatt Gary
Advisor
Madnick, Stuart
Terms of use
In Copyright - Educational Use Permitted. Copyright retained by author(s). https://rightsstatements.org/page/InC-EDU/1.0/
Abstract
In recent times, Cyber Incidents have increased in frequency and complexity. These incidents have come from a wide range of sources, from lone individuals to complex state-sponsored teams. In particular, these cyber-crime organizations have used a variety of tactics, techniques, and procedures (TTP) from exploiting well-known vulnerabilities to navigating highly sophisticated zero-day pathways in order to attack systems, sabotage critical services, commit financial crimes, and gather sensitive information for political gain. Industrial Control Systems (ICSs) have been used in critical infrastructure sectors such as nuclear reactors for power generation. These ICSs have evolved to connect with the enterprise systems for centralized management, opening up new risks. The risks of ICS Cyber Incidents have been increasing, some of which have brought severe consequences. Although governments have classified these risks as a matter of national security, the successful prevention and mitigation of such incidents will increasingly depend on the ability of organizations to share cyber threat information and use it to improve their security posture. New regulations, such as the Cyber Incident Reporting for Critical Infrastructure Act 2022 (CIRCIA), emphasize the need and urgency of reporting relevant details of a Cyber Incident. These reports will allow the relevant authorities (e.g. Cybersecurity and Infrastructure Security Agency (CISA)) to spot trends and quickly share critical information with network defenders to warn other potential victims. Can organizations that rely on ICSs improve their cybersecurity posture through Cyber Incident Reports? What are the necessary ingredients for Cyber Incident Reports to be effective? This research aims to answer these questions by studying the current state of Cyber Incident Reporting in terms of definition, purposes, regulations and more. 
This research also seeks to understand the Cyber Incident Report formats currently available to the public and to map out their advantages and disadvantages based on National Institute of Standards and Technology (NIST) Cybersecurity recommendations on Cyber Incident Reporting. In addition, this research evaluates the use of the MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) Framework for ICS in a Cyber Incident Report. This research could help ICS organizations improve their process of Cyber Incident Reporting.
Date issued
2022-09
URI
https://hdl.handle.net/1721.1/147296
Department
System Design and Management Program.
Publisher
Massachusetts Institute of Technology

Collections
  • Graduate Theses
