port254

Incident Response Playbooks

Practical response procedures for critical OT/ICS attack scenarios

Lab Environment Only: All demonstrations run in isolated, sandboxed environments. No live malware, credential capture, or offensive activity. Educational purposes only.
  • Ransomware: Critical
  • Supply Chain: Critical
  • Lateral Movement: High
  • PLC Manipulation: Critical
  • Phishing: High

Ransomware Impacting Engineering / OT Workstations

Why It Matters:
Ransomware can halt production by encrypting HMIs, historians, or PLC configuration hosts. Recent attacks like LockBit targeting critical infrastructure demonstrate real-world impact on industrial operations.
Detection Triggers:
  • Suricata/Zeek detects mass file renames or SMB write bursts
  • EDR shows suspicious parent-child process chains
  • Historian service stops responding
  • Multiple .lockbit or .encrypted file extensions appear

Response Steps:

1. Detect: Correlate Sysmon and network telemetry; identify encryption patterns. Check for ransom notes in common directories.
2. Contain: Immediately isolate host from network; snapshot VMs if virtualized; preserve forensic evidence.
3. Eradicate: Reimage from verified builds; close RDP/VPN exposures that enabled initial access.
4. Recover: Restore PLC/HMI configs from offline backups; test offline before reconnecting.
5. Lessons Learned: Harden engineering hosts; restrict internet access; apply IEC 62443 network segmentation.
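The first two detection triggers above (mass file renames/writes and a burst of .lockbit or .encrypted extensions) can be expressed as a sliding-window count over file-create telemetry. The following Python is an added example written for this playbook, not code from port254 or from any EDR vendor: the event records, host names, process paths and the ransom-note filename are constructed, the field names are this example's own rather than Sysmon's schema, and the threshold and window are assumptions to tune against your own baseline.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Extensions named in the playbook trigger; extend from threat intelligence.
ENCRYPTED_EXTENSIONS = (".lockbit", ".encrypted")
# Placeholder note name: substitute the filenames your threat intel lists.
RANSOM_NOTE_NAMES = {"example-ransom-note.txt"}
BURST_THRESHOLD = 5                    # suspicious file events per host ...
BURST_WINDOW = timedelta(seconds=60)   # ... inside this sliding window (assumption)

ENCRYPTOR = "C:\\Users\\op1\\AppData\\Local\\Temp\\updater.exe"  # constructed path
# Constructed Sysmon-style file-create events: a normal engineering save on
# ENG-WS02, a burst of six encrypted files plus a note on ENG-WS01, and a single
# stray .encrypted file on the historian that must stay below the threshold.
SAMPLE_EVENTS = (
    [{"ts": "2024-05-01T09:00:00", "host": "ENG-WS02",
      "image": "C:\\Program Files\\Vendor\\Designer.exe", "target": "C:\\Projects\\mixer.acd"}]
    + [{"ts": f"2024-05-01T09:00:0{i}", "host": "ENG-WS01", "image": ENCRYPTOR,
        "target": "C:\\Projects\\" + name + ".lockbit"}
       for i, name in enumerate(["pump.acd", "valve.acd", "tank.acd",
                                 "boiler.acd", "hmi_main.mer", "notes.docx"], start=1)]
    + [{"ts": "2024-05-01T09:00:07", "host": "ENG-WS01", "image": ENCRYPTOR,
        "target": "C:\\Projects\\EXAMPLE-RANSOM-NOTE.txt"},
       {"ts": "2024-05-01T09:30:00", "host": "HIST01", "image": "C:\\Windows\\explorer.exe",
        "target": "C:\\Archive\\old_report.pdf.encrypted"}]
)


def classify(event):
    """Label an event as a ransom note, an encrypted-extension write, or neither."""
    name = event["target"].rsplit("\\", 1)[-1].lower()
    if name in RANSOM_NOTE_NAMES:
        return "ransom_note"
    if name.endswith(ENCRYPTED_EXTENSIONS):
        return "encrypted_extension"
    return None


def detect_ransomware_bursts(events, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Return one 'encryption_burst' alert per host whose suspicious file events
    reach `threshold` inside `window`, plus one 'ransom_note' alert per note seen.
    The burst alert carries the processes involved so containment can start
    from the offending image rather than from the whole host's process list."""
    alerts, windows, alerted = [], defaultdict(deque), set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = classify(ev)
        if kind is None:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        if kind == "ransom_note":
            alerts.append({"type": "ransom_note", "host": ev["host"],
                           "process": ev["image"], "file": ev["target"]})
            continue
        recent = windows[ev["host"]]
        recent.append((ts, ev["image"]))
        while ts - recent[0][0] > window:      # drop events that fell out of the window
            recent.popleft()
        if len(recent) >= threshold and ev["host"] not in alerted:
            alerted.add(ev["host"])
            alerts.append({"type": "encryption_burst", "host": ev["host"], "count": len(recent),
                           "processes": sorted({img for _, img in recent}),
                           "first_seen": recent[0][0].isoformat(), "last_seen": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_ransomware_bursts(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample the historian's lone .encrypted file never reaches the threshold, while ENG-WS01 trips the burst alert on its fifth encrypted write and then raises a separate note alert; in a real deployment the same loop would consume the SIEM's file-event stream and feed the Contain step with the host and process to isolate.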

Interactive Lab Demo: LockBit Ransomware Simulation

Simulate LockBit ransomware behavior in an isolated environment. Watch file encryption patterns, observe network indicators, and practice response procedures.


Supply-Chain or Firmware Compromise

Why It Matters:
Compromised vendor firmware can introduce persistent logic manipulation or backdoors that survive reboots and standard incident response procedures. Think SolarWinds-style attacks targeting OT vendors.
Detection Triggers:
  • Firmware version change not logged in CMDB or change management system
  • Mismatch in signed artifact checksum vs vendor-published hashes
  • Unexpected outbound connections from PLC or RTU to unknown IPs
  • Asset inventory shows firmware version not approved for deployment

Response Steps:

1. Detect: Validate firmware signatures and hashes against known-good baselines; cross-check with vendor security advisories and CVE databases.
2. Contain: Quarantine affected devices; block update server if compromised; isolate network path to prevent lateral spread to other controllers.
3. Eradicate: Reinstall authentic vendor firmware from verified source; replace unverified hardware components if hardware tampering suspected.
4. Recover: Stage validation testing in offline environment; monitor I/O behavior and network traffic before returning to production operations.
5. Lessons Learned: Enforce supplier assurance per IEC 62443-4; maintain signed firmware repositories with cryptographic verification; implement secure boot where supported.
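Three of the triggers above (firmware version not in the CMDB, checksum mismatch against the vendor's published hash, version not approved for deployment) reduce to one verification routine that can run during the Detect step and again before Recover. The Python below is an added example for this playbook, not code from port254 or from any PLC vendor: the model name, firmware bytes, manifest, approved-version list and CMDB entries are all constructed, and the check covers hashes only; verifying the vendor's signature needs the vendor's public key and signature format, which this example does not model.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed firmware images standing in for real vendor binaries.
GENUINE_IMAGES = {
    ("PLC-X100", "2.1.0"): b"PLC-X100 firmware 2.1.0 (constructed sample bytes)",
    ("PLC-X100", "2.2.0"): b"PLC-X100 firmware 2.2.0 (constructed sample bytes)",
}
# Vendor-published manifest: (model, version) -> SHA-256. In production this is
# fetched from the vendor over an authenticated channel, never read off the device.
VENDOR_MANIFEST = {key: sha256_hex(img) for key, img in GENUINE_IMAGES.items()}
# Versions that change management has approved for deployment (constructed).
APPROVED_VERSIONS = {"PLC-X100": {"2.1.0"}}
# What the CMDB believes each asset is running (constructed).
CMDB = {"PLC-LINE1-01": {"model": "PLC-X100", "version": "2.1.0"}}


def verify_firmware(asset_id, model, reported_version, image,
                    manifest=VENDOR_MANIFEST, approved=APPROVED_VERSIONS, cmdb=CMDB):
    """Check one device and return its findings, or ["OK"] when every check passes.
    `image` is the firmware read back from the device or the staged update file;
    `reported_version` is what the device itself claims to run."""
    findings = []
    record = cmdb.get(asset_id)
    if record is None or record["version"] != reported_version:
        findings.append("VERSION_NOT_IN_CMDB")       # trigger: change not logged in CMDB
    expected = manifest.get((model, reported_version))
    if expected is None:
        findings.append("UNKNOWN_VERSION")           # vendor never published this build
    elif not hmac.compare_digest(sha256_hex(image), expected):
        findings.append("HASH_MISMATCH")             # trigger: checksum vs vendor hash
    if reported_version not in approved.get(model, set()):
        findings.append("NOT_APPROVED")              # trigger: version not approved
    return findings or ["OK"]


if __name__ == "__main__":
    genuine = GENUINE_IMAGES[("PLC-X100", "2.1.0")]
    print(verify_firmware("PLC-LINE1-01", "PLC-X100", "2.1.0", genuine))
    print(verify_firmware("PLC-LINE1-01", "PLC-X100", "2.1.0", genuine + b"\x00"))
```

Each finding maps to one trigger in the list above, so the same routine can raise a ticket during Detect and act as the acceptance gate before a quarantined controller is returned to service: a device is released only when the result is exactly ["OK"].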

Lateral Movement via Compromised Credentials

Why It Matters:
Adversaries often pivot from IT to OT through shared admin accounts, VPN gateways, or compromised engineering workstations. The Purdue Model segmentation fails when credentials are reused across zones.
Detection Triggers:
  • Anomalous logins from unusual source IPs or geographic locations
  • SMB authentication attempts across Purdue security levels (IT → DMZ → OT)
  • Account login outside normal working hours or from unexpected systems
  • Pass-the-hash or pass-the-ticket detection in EDR/AD logs

Response Steps:

1. Detect: Analyze Active Directory, VPN, and authentication logs; correlate with Zeek network logs and Sysmon process telemetry to trace lateral movement path.
2. Contain: Disable suspected accounts immediately; block attacker source IPs at firewall/IDS; isolate compromised hosts from network segments.
3. Eradicate: Clean infected hosts; rotate ALL credentials system-wide (not just compromised accounts); remove persistence mechanisms like scheduled tasks, WMI subscriptions, or registry autoruns.
4. Recover: Validate remote access policies; enforce Multi-Factor Authentication (MFA) on all privileged accounts; rebuild trust relationships if domain compromise detected.
5. Lessons Learned: Apply principle of least privilege; monitor inter-zone conduits per IEC 62443-3-3; implement privileged access management (PAM) solution; use unique credentials per Purdue level.
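The cross-level authentication trigger and the "unique credentials per Purdue level" lesson both need the same piece of logic: map every logon's source and destination to a zone, then check the pair against the conduits the architecture permits. The Python below is an added example for this playbook, not code from port254 or from any SIEM vendor: the subnet-to-zone plan, the working-hours window, the logon records and the NTLM heuristic are constructed assumptions, and the record shape only loosely follows the fields of a Windows logon event.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, time

# Constructed address plan: which subnets belong to which Purdue zone.
ZONES = {
    "IT":  ["10.10.0.0/16"],        # Levels 4-5
    "DMZ": ["10.20.0.0/24"],        # Level 3.5
    "OT":  ["192.168.100.0/24"],    # Levels 0-3
}
# Conduits the architecture permits: a session may step down one zone at a time.
ALLOWED_CONDUITS = {("IT", "IT"), ("DMZ", "DMZ"), ("OT", "OT"), ("IT", "DMZ"), ("DMZ", "OT")}
WORK_HOURS = (time(7, 0), time(19, 0))   # assumption; take from the site's shift plan
NETWORKS = [(zone, ipaddress.ip_network(n)) for zone, nets in ZONES.items() for n in nets]


def zone_of(ip):
    """Return the Purdue zone of an address, or UNKNOWN if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    return next((zone for zone, net in NETWORKS if addr in net), "UNKNOWN")


# Constructed logon records: a two-hop admin path, a direct IT->OT service
# logon at 02:30 over NTLM, and a routine operator logon inside OT.
SAMPLE_LOGONS = [
    {"ts": "2024-06-03T10:00:00", "user": "admin.eng", "src_ip": "10.10.5.20", "dst_ip": "10.20.0.5", "auth": "Kerberos"},
    {"ts": "2024-06-03T10:05:00", "user": "admin.eng", "src_ip": "10.20.0.5", "dst_ip": "192.168.100.10", "auth": "Kerberos"},
    {"ts": "2024-06-03T02:30:00", "user": "svc_backup", "src_ip": "10.10.7.7", "dst_ip": "192.168.100.20", "auth": "NTLM"},
    {"ts": "2024-06-03T14:00:00", "user": "operator1", "src_ip": "192.168.100.30", "dst_ip": "192.168.100.10", "auth": "Kerberos"},
]


def analyse_logons(logons, allowed=ALLOWED_CONDUITS, work_hours=WORK_HOURS):
    """Flag logons that cross a non-permitted conduit, fall outside working hours
    or use NTLM into OT, then flag any account seen authenticating into more
    than one zone (the credential-reuse pattern the playbook warns about)."""
    findings = []
    zones_per_account = defaultdict(set)
    for ev in logons:
        src, dst = zone_of(ev["src_ip"]), zone_of(ev["dst_ip"])
        zones_per_account[ev["user"]].add(dst)
        at = datetime.fromisoformat(ev["ts"])
        reasons = []
        if (src, dst) not in allowed:
            reasons.append(f"conduit {src}->{dst} not permitted")
        if not work_hours[0] <= at.time() < work_hours[1]:
            reasons.append("outside working hours")
        if ev.get("auth") == "NTLM" and dst == "OT":
            # Heuristic only: NTLM where Kerberos is expected deserves a look in
            # the EDR/AD logs; it is not by itself proof of pass-the-hash.
            reasons.append("NTLM authentication into OT zone")
        if reasons:
            findings.append({"type": "anomalous_logon", "user": ev["user"],
                             "src": ev["src_ip"], "dst": ev["dst_ip"], "reasons": reasons})
    for user, zones in sorted(zones_per_account.items()):
        if len(zones) > 1:
            findings.append({"type": "credential_reuse_across_zones", "user": user, "zones": sorted(zones)})
    return findings


if __name__ == "__main__":
    for finding in analyse_logons(SAMPLE_LOGONS):
        print(finding)
```

On the constructed data the admin's IT-to-DMZ-to-OT hops are each permitted, yet the account still surfaces because one credential reached two zones, which is exactly the Lessons Learned point; the service account is flagged three times over on a single event, which is the kind of record the Contain step should act on first.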

PLC / Logic Manipulation

Why It Matters:
Unauthorized logic changes can alter safety or control behavior, causing process upset, equipment damage, or safety incidents. Stuxnet demonstrated the devastating potential of PLC logic manipulation.
Detection Triggers:
  • Mismatch in PLC logic checksum vs. baseline version control repository
  • Historian shows unexpected actuator commands or setpoint changes
  • Engineering station shows unauthorized program download/upload activity
  • Process behavior anomalies that don't correlate with operator commands

Response Steps:

1. Detect: Compare current control logic against baselined version in secured version control repository; analyze historian data for anomalous control sequences.
2. Contain: Place PLC in manual/hold state if safe to do so; alert engineering, operations, and safety teams; prevent further logic downloads by blocking network access to PLC.
3. Eradicate: Restore known-good control logic from version control; remove unauthorized network routes or backdoors; investigate how unauthorized access was obtained.
4. Recover: Validate system operation in offline/test environment before reconnecting to production; perform Factory Acceptance Test (FAT) procedures to verify correct behavior.
5. Lessons Learned: Maintain cryptographically signed logic versions; restrict engineering station privileges with application whitelisting; implement change detection monitoring per IEC 62443.
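Two of the triggers above, setpoint changes in the historian and process behaviour that does not correlate with operator commands, can be checked by joining the historian's setpoint writes against the HMI audit trail. The Python below is an added example for this playbook, not code from port254 or from any historian product: the tag names, engineering limits, correlation window and both event streams are constructed, and the engineering-limit check is an addition this example makes beyond the page's triggers, since a commanded value outside its permitted range is worth flagging even when an operator appears to have issued it.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Engineering limits per setpoint tag (constructed); take these from the
# control narrative or safety requirements specification in practice.
ENGINEERING_LIMITS = {"FIC101.SP": (0.0, 120.0), "TIC202.SP": (20.0, 100.0), "PIC303.SP": (0.0, 6.0)}
CORRELATION_WINDOW = timedelta(seconds=5)   # assumption: HMI write -> historian sample latency

# Constructed historian records of setpoint changes.
SETPOINT_CHANGES = [
    {"ts": "2024-06-03T10:00:00", "tag": "FIC101.SP", "old": 80.0, "new": 85.0},
    {"ts": "2024-06-03T10:05:00", "tag": "TIC202.SP", "old": 60.0, "new": 95.0},
    {"ts": "2024-06-03T10:07:00", "tag": "FIC101.SP", "old": 85.0, "new": 150.0},
    {"ts": "2024-06-03T10:10:00", "tag": "PIC303.SP", "old": 4.0, "new": 4.2},
]
# Constructed HMI audit trail of operator-initiated writes.
OPERATOR_COMMANDS = [
    {"ts": "2024-06-03T09:59:58", "operator": "op.jane", "tag": "FIC101.SP", "value": 85.0},
    {"ts": "2024-06-03T10:10:02", "operator": "op.raj", "tag": "PIC303.SP", "value": 4.2},
]


def _ts(s):
    return datetime.fromisoformat(s)


def find_unexplained_changes(changes, commands, limits=ENGINEERING_LIMITS, window=CORRELATION_WINDOW):
    """Return the setpoint changes that no operator command explains within
    `window` (same tag, same value, either side of the historian timestamp)
    or that leave the tag's engineering limits, each annotated with its reasons."""
    by_tag = defaultdict(list)
    for cmd in commands:
        by_tag[cmd["tag"]].append(cmd)
    flagged = []
    for change in changes:
        at = _ts(change["ts"])
        reasons = []
        explained = any(abs(at - _ts(cmd["ts"])) <= window and cmd["value"] == change["new"]
                        for cmd in by_tag[change["tag"]])
        if not explained:
            reasons.append("no matching operator command")
        lo, hi = limits.get(change["tag"], (float("-inf"), float("inf")))
        if not lo <= change["new"] <= hi:
            reasons.append(f"outside engineering limits [{lo}, {hi}]")
        if reasons:
            flagged.append({**change, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in find_unexplained_changes(SETPOINT_CHANGES, OPERATOR_COMMANDS):
        print(hit)
```

The two operator-commanded writes are absorbed by the window even though their historian timestamps land a couple of seconds on either side of the HMI entry, while the TIC202 jump has no command behind it and the second FIC101 write is both uncommanded and beyond its limit. A logic checksum comparison against the version-control baseline (the first trigger) is a separate check that belongs in the same Detect step.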

Social Engineering / Phishing Targeting OT Operators or Vendors

Why It Matters:
Phishing remains the most common entry path to OT networks through vendor or operator credentials. OT personnel are often less security-aware than IT staff, making them prime targets.
Detection Triggers:
  • Suspicious email activity or automated mailbox rule creation
  • Alert from email security gateway (malicious link/attachment blocked)
  • User reports suspicious email claiming to be from vendor or management
  • Anomalous login following email click (time correlation analysis)

Response Steps:

1. Detect: Correlate email gateway logs with EDR telemetry; sandbox suspicious attachments in isolated environment; monitor for follow-on authentication anomalies.
2. Contain: Disable potentially compromised accounts; block sender domains and malicious URLs; isolate affected endpoints from network.
3. Eradicate: Reimage affected endpoints; revoke active vendor remote access sessions; remove any persistence mechanisms or scheduled tasks created post-compromise.
4. Recover: Reinstate user access with mandatory MFA enabled; conduct immediate security awareness training for affected users and their teams.
5. Lessons Learned: Implement IEC 62443 supplier security controls; conduct regular (safe) phishing simulations; enhance email filtering rules; require vendor access through jump hosts only.
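The "anomalous login following email click" trigger is a time-correlation across two log sources, and the "automated mailbox rule creation" trigger is a rule-content check; the Detect step above asks for both. The Python below is an added example for this playbook, not code from port254 or from any email-security product: the click, logon and mailbox-rule records, the per-account source baseline, the internal domain and the two-hour window are all constructed assumptions, and the addresses are documentation ranges.

```python
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "corp.example"             # constructed
CLICK_TO_LOGON_WINDOW = timedelta(hours=2)   # assumption; tune to observed dwell times

# Constructed email-gateway click events; only clicks the gateway allowed matter here.
CLICK_EVENTS = [
    {"ts": "2024-06-03T08:15:00", "user": "op.jane", "url_host": "invoice-portal.example", "verdict": "allowed"},
    {"ts": "2024-06-03T09:00:00", "user": "vendor.bob", "url_host": "vendor-support.example", "verdict": "allowed"},
    {"ts": "2024-06-03T09:30:00", "user": "op.raj", "url_host": "docs-share.example", "verdict": "blocked"},
]
# Constructed authentication events (VPN / SSO).
LOGON_EVENTS = [
    {"ts": "2024-06-03T07:55:00", "user": "op.jane", "src_ip": "10.10.5.40"},
    {"ts": "2024-06-03T08:42:00", "user": "op.jane", "src_ip": "203.0.113.50"},
    {"ts": "2024-06-03T09:20:00", "user": "vendor.bob", "src_ip": "198.51.100.7"},
    {"ts": "2024-06-03T13:00:00", "user": "op.jane", "src_ip": "203.0.113.50"},
]
# Source addresses each account used over the preceding 30 days (constructed baseline).
KNOWN_SOURCES = {"op.jane": {"10.10.5.40"}, "vendor.bob": {"198.51.100.7"}, "op.raj": {"10.10.5.41"}}
# Constructed mailbox-rule audit events.
RULE_EVENTS = [
    {"ts": "2024-06-03T08:50:00", "user": "op.jane", "name": "sync", "forward_to": "archive@mail-drop.example", "delete": True},
    {"ts": "2024-06-03T11:00:00", "user": "ops.team", "name": "tickets", "forward_to": None, "delete": False},
]


def _ts(s):
    return datetime.fromisoformat(s)


def correlate_click_to_logon(clicks, logons, known_sources, window=CLICK_TO_LOGON_WINDOW):
    """Flag logons from an address the account has not used before that occur
    within `window` after the same user clicked a link the gateway allowed."""
    findings = []
    for click in clicks:
        if click["verdict"] != "allowed":
            continue
        for logon in logons:
            if logon["user"] != click["user"]:
                continue
            delta = _ts(logon["ts"]) - _ts(click["ts"])
            if timedelta(0) <= delta <= window and logon["src_ip"] not in known_sources.get(logon["user"], set()):
                findings.append({"user": logon["user"], "click_ts": click["ts"], "url_host": click["url_host"],
                                 "logon_ts": logon["ts"], "src_ip": logon["src_ip"],
                                 "minutes_after_click": int(delta.total_seconds() // 60)})
    return findings


def suspicious_inbox_rules(rule_events, internal_domain=INTERNAL_DOMAIN):
    """Flag rules that forward mail outside the organisation or silently delete it."""
    out = []
    for rule in rule_events:
        reasons = []
        forward = rule.get("forward_to")
        if forward and not forward.lower().endswith("@" + internal_domain):
            reasons.append(f"forwards to external address {forward}")
        if rule.get("delete"):
            reasons.append("deletes messages after processing")
        if reasons:
            out.append({"user": rule["user"], "rule": rule["name"], "reasons": reasons})
    return out


if __name__ == "__main__":
    print(correlate_click_to_logon(CLICK_EVENTS, LOGON_EVENTS, KNOWN_SOURCES))
    print(suspicious_inbox_rules(RULE_EVENTS))
```

On the constructed data the vendor's logon after a click comes from a baseline address and is left alone, op.jane's logon from a new address 27 minutes after an allowed click is raised, and her later logon from the same address falls outside the window (by then the first finding should already have driven the Contain step). The external-forwarding rule created in between is the second trigger firing on the same account, which is the correlation the Detect step is looking for.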