diff --git a/skills/incident-response/containment/SKILL.md b/skills/incident-response/containment/SKILL.md index 92c06089..7655cc26 100644 --- a/skills/incident-response/containment/SKILL.md +++ b/skills/incident-response/containment/SKILL.md @@ -12,7 +12,7 @@ phase: [respond] frameworks: [NIST-SP-800-61r2, MITRE-ATT&CK] difficulty: intermediate time_estimate: "15-30min" -version: "1.0.1" +version: "1.0.2" author: unitoneai license: MIT allowed-tools: Read, Grep, Glob @@ -57,6 +57,7 @@ Before selecting a containment strategy, gather or confirm: - [ ] **Network topology** -- VLANs, subnets, firewall zones, cloud VPCs, segmentation boundaries relevant to the affected systems. - [ ] **Evidence preservation status** -- Has volatile evidence been captured? (Reference forensics-checklist.) Containment actions may destroy evidence if not collected first. - [ ] **Current containment state** -- What actions, if any, have already been taken? +- [ ] **OT/ICS safety context** -- If affected assets include PLC, DCS, SIS, HMI, historian, engineering workstation, OT jump host, or vendor remote access, confirm process state, safety interlock status, preserve/block flow needs, fallback mode, and named operations/control-engineering approval before disruptive isolation. --- 
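Review bot: the frontmatter `frameworks:` list is left at `[NIST-SP-800-61r2, MITRE-ATT&CK]` while this same change adds a "NIST SP 800-82 Rev 3 -- OT Security" section and reference 13, so the metadata no longer describes what the skill applies; add `NIST-SP-800-82r3` alongside the `version: "1.0.2"` bump. The new checklist bullet also packs the full asset list, four process-state questions and the approval requirement into one item; since Step 4c spells these out as `OTICS-SAFE-01` through `OTICS-SAFE-08`, a shorter bullet that names the gate and points to Step 4c would keep the pre-containment checklist scannable.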
@@ -201,6 +202,32 @@ Wiper and destructive malware require a distinct containment approach from ranso **Key difference from ransomware containment:** Do not attempt to "monitor and observe" a wiper in progress. Every second of observation is data permanently destroyed. Aggressive, immediate containment is always the correct posture for confirmed wiper activity. +### Step 4c: OT/ICS Safety and Operations Gate + +OT/ICS containment must protect human safety, environmental safety, process stability, and operator visibility while still blocking the attacker path. Do not treat PLC, DCS, SIS, HMI, historian, engineering workstation, OT jump host, or vendor remote access paths like ordinary IT endpoints. + +**Required evidence gates before full isolation, switchport shutdown, controller ACL changes, vendor remote-access changes, or controlled shutdown decisions:** + +| Gate | Required evidence | Unsafe false positive prevented | +|---|---|---| +| `OTICS-SAFE-01` | Asset role and dependency map for PLC/DCS/SIS/HMI/historian/engineering workstation/jump host/vendor access paths. | Disconnecting a shared path without knowing it carries control or safety visibility. | +| `OTICS-SAFE-02` | Current process state, operating mode, affected line/unit, and whether the process is stable, startup, shutdown, paused, or abnormal. | Applying IT-style isolation while the process is in a fragile state. | +| `OTICS-SAFE-03` | Safety interlock, alarm, operator-visibility, and SIS status from operations/control engineering. | Removing visibility or safety monitoring while claiming containment is safe. | +| `OTICS-SAFE-04` | Named operations/control-engineering approver, timestamp, decision, and emergency override rationale if approval is bypassed. | SOC-only containment decisions on safety-critical assets. | +| `OTICS-SAFE-05` | Manual-mode, local-control, alternate HMI, or controlled-shutdown fallback if containment affects control paths. 
| No safe fallback when network changes disrupt process control. | +| `OTICS-SAFE-06` | Preserve/block flow matrix covering controller, HMI, historian, safety monitoring, logging, time sync, IT ingress, vendor VPN, remote admin, SMB/RDP, and C2 egress. | Blocking required OT flows or leaving the attacker ingress open. | +| `OTICS-SAFE-07` | OT evidence continuity plan for historian data, security telemetry, backup status, and post-action logging. | Blinding responders or losing process evidence during containment. | +| `OTICS-SAFE-08` | Post-containment validation owner and checks for process stability, alarm state, controller communication, historian continuity, and approved remote access state. | Assuming the containment was safe without operational validation. | + +**Finding guidance:** + +| Condition | Result | +|---|---| +| A plan shuts down controller/HMI/historian/shared OT network paths without the OT/ICS safety gate | Fail; revise before execution unless immediate life/safety or equipment-damage risk is documented | +| Vendor remote access remains open without break-glass approval, recording, time limit, and named owner | High | +| IT ingress and remote administration are blocked while controller/HMI/SIS/historian/logging flows are explicitly preserved and validated | Pass | +| Process state, safety interlock status, or operations approval is unavailable | Not Evaluable; request operations/control-engineering evidence | + ### Step 5: Containment Validation After implementing containment, verify effectiveness before proceeding to eradication. 
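Review bot: Step 4c does not say how it interacts with the unchanged sentence immediately above it, "Aggressive, immediate containment is always the correct posture for confirmed wiper activity", and the two conflict when the wiper is on an engineering workstation or HMI. The only override the gate offers is "immediate life/safety or equipment-damage risk", which data destruction on its own may not satisfy, so a responder following Step 4b literally would cut the shared path that `OTICS-SAFE-01` and `OTICS-SAFE-06` exist to protect. Add one sentence stating precedence, for example that on OT assets the preserve/block matrix still governs what is cut and the wiper rule removes only the delay on the block list, not the gate on controller/HMI/SIS/historian paths. Related gap: `OTICS-SAFE-04` permits an emergency override with a documented rationale, but the finding-guidance table has no row for a plan that bypasses approval with such a rationale, so a reviewer cannot tell whether that is Pass, High, or Fail.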
@@ -215,6 +242,9 @@ After implementing containment, verify effectiveness before proceeding to eradic | Attacker persistence neutralized | Scan for known persistence mechanisms | No active persistence artifacts | | Business services operational (if surgical containment) | Verify critical service health checks | Services responding normally | | Evidence preserved | Verify forensic images and memory dumps are intact and hashed | Hash verification passes | +| OT process stability confirmed (if applicable) | Operator/control-engineering confirmation after containment change | Process remains safe, stable, and visible | +| Required OT flows preserved (if applicable) | Verify controller, HMI, SIS/alarm, historian, logging, backup, and time-sync paths | Preserve flows remain available | +| OT attacker ingress blocked (if applicable) | Review vendor VPN, jump host, IT ingress, remote admin, SMB/RDP, and C2 controls | Block flows are denied or explicitly approved break-glass | **Containment failure indicators:** - New C2 connections from previously unknown infrastructure @@ -256,7 +286,7 @@ Produce the containment plan with these exact sections: ```markdown ## Containment Plan: [Incident ID] **Date:** [YYYY-MM-DD] -**Skill:** containment v1.0.0 +**Skill:** containment v1.0.2 **Frameworks:** NIST SP 800-61 Rev 2, MITRE ATT&CK **Incident Commander:** [Name] 
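Review bot: `**Skill:** containment v1.0.2` in the report template is a second hand-maintained copy of the frontmatter `version:`, and this very diff shows the two had already drifted (the template said `v1.0.0` while the frontmatter was at `1.0.1`). Either derive this line from the frontmatter when the plan is produced or add a release step that bumps both together; otherwise generated containment plans will misreport the skill version again after the next change.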
@@ -289,6 +319,19 @@ threat severity and business criticality, and expected impact on operations.] |---|---|---|---| | [Service] | [Description of disruption] | [Workaround if any] | [Yes/No -- requires escalation] | +### OT/ICS Safety and Operations Gate +| Field | Evidence | +|---|---| +| OT asset role and dependencies | [PLC/DCS/SIS/HMI/historian/engineering workstation/jump host/vendor access/Not applicable] | +| Process state and operating mode | [Stable/startup/shutdown/paused/abnormal/unknown] | +| Safety interlock and operator visibility | [Healthy/degraded/unknown/not applicable] | +| Operations/control engineering approval | [Approver, timestamp, decision, emergency override rationale if any] | +| Manual fallback or controlled shutdown | [Fallback path, local-control mode, alternate HMI, or shutdown window] | +| Preserve flows | [Controller/HMI/SIS/historian/logging/backup/time sync] | +| Block flows | [IT ingress/vendor VPN/remote admin/SMB/RDP/C2/internet egress] | +| Evidence continuity | [Historian/security telemetry/backup status/logging continuity] | +| Post-containment validation owner | [Owner and validation checks] | + ### Containment Validation Checklist | Check | Result | Timestamp | |---|---|---| 
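Review bot: the new template section has no field for the break-glass details that the Step 4c finding guidance rates as High when absent ("break-glass approval, recording, time limit, and named owner"); the `Block flows` row only lists `vendor VPN/remote admin` as paths to deny. Add a row such as `| Break-glass remote access | [Owner, approver, session recording, expiry, path] |` so a plan that deliberately keeps a vendor or jump-host path open can be evaluated against that rule rather than silently passing. Minor: `Block flows` says `internet egress` while `OTICS-SAFE-06` says `C2 egress`; use one term in both places.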
@@ -317,6 +360,10 @@ NIST SP 800-61 Rev 2 Section 3.3 defines containment as the first priority after - **Criteria for strategy selection.** NIST identifies potential damage to resources, need for evidence preservation, service availability, time and resources needed, effectiveness of the strategy, and duration of the solution as the key factors for choosing a containment approach. +### NIST SP 800-82 Rev 3 -- OT Security + +NIST SP 800-82 Rev 3 emphasizes that OT systems have safety, reliability, availability, timing, and process-continuity constraints that differ from enterprise IT. For OT/ICS containment, use staged preserve/block decisions and operations/control-engineering approval before disruptive network isolation unless immediate life/safety or equipment-damage risk justifies an emergency override. + ### MITRE ATT&CK -- Mapping Techniques to Containment MITRE ATT&CK provides a taxonomy of adversary techniques organized by tactical objective. For containment purposes, the most relevant tactic categories are: @@ -376,3 +423,5 @@ This skill processes incident data including attacker-controlled indicators (IP 10. **MITRE ATT&CK -- Disk Wipe (T1561)** -- https://attack.mitre.org/techniques/T1561/ 11. **CISA Destructive Malware Guidance** -- https://www.cisa.gov/topics/cyber-threats-and-advisories 12. **KrebsOnSecurity: Iran-backed wiper attack on Stryker medtech (2026)** -- https://krebsonsystems.com/2026/03/iran-backed-hackers-claim-wiper-attack-on-medtech-firm-stryker/ +13. **NIST SP 800-82 Rev 3** -- Guide to Operational Technology (OT) Security -- https://csrc.nist.gov/pubs/sp/800/82/r3/final +14. **CISA ICS Recommended Practices** -- https://www.cisa.gov/resources-tools/resources/ics-recommended-practices 
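Review bot: the second sentence of the new NIST SP 800-82 Rev 3 section ("use staged preserve/block decisions and operations/control-engineering approval before disruptive network isolation ...") is this skill's own rule, but placed under that heading it reads as though 800-82 prescribes it. Keep the first sentence as the summary of the source, cite the 800-82 section you rely on the way the paragraph above cites "NIST SP 800-61 Rev 2 Section 3.3", and introduce the second sentence as the skill's derived guidance. Reference 13 is also the only entry written as "Title -- subtitle -- URL"; the rest of the list uses "Title -- URL".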
diff --git a/skills/incident-response/containment/tests/benign/ot_ics_staged_containment_with_safety_gate.json b/skills/incident-response/containment/tests/benign/ot_ics_staged_containment_with_safety_gate.json new file mode 100644 index 00000000..7e579f5b --- /dev/null +++ b/skills/incident-response/containment/tests/benign/ot_ics_staged_containment_with_safety_gate.json 
@@ -0,0 +1,76 @@ +{ + "case": "benign_ot_ics_staged_containment_with_safety_gate", + "skill": "containment", + "expected_result": "Pass", + "incident": { + "summary": "Vendor VPN account used for suspicious remote administration into an OT engineering workstation", + "selected_action": "Close vendor VPN ingress, block RDP and SMB from the enterprise zone, preserve required OT control and visibility flows, and monitor the engineering workstation through an approved jump path" + }, + "safety_gate": { + "OTICS-SAFE-01_asset_role_dependency_map": { + "engineering_workstation": "programming path only", + "plc": "controller path preserved", + "hmi": "operator visibility preserved", + "sis": "independent safety path untouched", + "historian": "replication preserved", + "jump_host": "approved break-glass path with recording" + }, + "OTICS-SAFE-02_process_state": { + "line": "batch-line-4", + "state": "stable", + "operating_mode": "normal production", + "shutdown_window": "available in 45 minutes if needed" + }, + "OTICS-SAFE-03_safety_interlock_operator_visibility": { + "sis_status": "healthy", + "alarms_visible_on_hmi": true, + "operator_confirmation": "shift-supervisor-2026-06-06T22:15Z" + }, + "OTICS-SAFE-04_operations_approval": { + "approver": "control-engineer-on-call", + "timestamp": "2026-06-06T22:18Z", + "decision": "approve staged containment; no controller isolation" + }, + "OTICS-SAFE-05_manual_fallback": { + "manual_mode_available": true, + "alternate_hmi": "local panel", + "fallback_owner": "process-engineer" + }, + "OTICS-SAFE-06_preserve_block_flow_matrix": { + "preserve": [ + "PLC to HMI", + "PLC to historian", + "SIS alarms to HMI", + "OT logging to collector", + "NTP within OT zone" + ], + "block": [ + "vendor VPN ingress", + "RDP from enterprise zone", + "SMB from enterprise zone", + "known C2 egress" + ] + }, + "OTICS-SAFE-07_evidence_continuity": { + "historian_continuity": "verified", + "security_telemetry": "verified", + "backup_status": "verified" 
+ }, + "OTICS-SAFE-08_post_containment_validation_owner": { + "owner": "shift-supervisor", + "checks": [ + "process stable", + "alarms visible", + "controller communication healthy", + "historian receiving data", + "vendor VPN disabled" + ], + "timestamp": "2026-06-06T22:30Z" + } + }, + "expected_review": { + "status": "Pass", + "severity_floor": "None", + "rationale": "The plan blocks the attacker ingress and remote-admin paths while preserving required OT control, safety, historian, logging, and operator-visibility flows with named operations approval and post-change validation." + } +} diff --git a/skills/incident-response/containment/tests/vulnerable/ot_ics_isolation_without_safety_gate.json b/skills/incident-response/containment/tests/vulnerable/ot_ics_isolation_without_safety_gate.json new file mode 100644 index 00000000..8b870f51 --- /dev/null +++ b/skills/incident-response/containment/tests/vulnerable/ot_ics_isolation_without_safety_gate.json 
@@ -0,0 +1,37 @@ +{ + "case": "vulnerable_ot_ics_isolation_without_safety_gate", + "skill": "containment", + "expected_result": "Fail", + "incident": { + "summary": "Suspicious SMB and remote-administration traffic from an engineering workstation in an OT cell", + "proposed_action": "Disable the shared switchport carrying engineering workstation, PLC, HMI, historian, and security logging traffic", + "asset_roles": { + "engineering_workstation": "suspected compromise", + "plc_path": "unknown", + "hmi_path": "unknown", + "historian_path": "unknown", + "sis_or_alarm_visibility": "unknown" + } + }, + "missing_evidence": { + "OTICS-SAFE-01_asset_role_dependency_map": true, + "OTICS-SAFE-02_process_state": true, + "OTICS-SAFE-03_safety_interlock_operator_visibility": true, + "OTICS-SAFE-04_operations_approval": true, + "OTICS-SAFE-05_manual_fallback": true, + "OTICS-SAFE-06_preserve_block_flow_matrix": true, + "OTICS-SAFE-07_evidence_continuity": true, + "OTICS-SAFE-08_post_containment_validation_owner": true + }, + "unsafe_effects": [ + "May remove operator HMI visibility during a running process", + "May interrupt historian and security telemetry at the same time containment is applied", + "May block engineering access needed for a controlled shutdown or manual fallback", + "Does not prove vendor or IT ingress paths are the actual attacker path being blocked" + ], + "expected_review": { + "status": "Fail", + "severity_floor": "High", + "required_revision": "Stage containment by closing IT ingress/vendor remote access and remote-admin paths while preserving controller, HMI, SIS/alarm, historian, logging, backup, and time-sync flows until operations/control engineering approves any disruptive isolation." + } +}
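Review bot: the benign case `ot_ics_staged_containment_with_safety_gate.json` would trip the skill's own High rule if reviewed strictly: `jump_host` is described as an "approved break-glass path with recording" but no time limit or named owner is recorded, and Step 4c rates remote access without "break-glass approval, recording, time limit, and named owner" as High, which contradicts `"severity_floor": "None"`. Add the missing fields, for example `"jump_host_break_glass": {"owner": "[name]", "expires": "[timestamp]"}` beside the asset map. Also `operator_confirmation` fuses a name and a timestamp into one string ("shift-supervisor-2026-06-06T22:15Z") while `OTICS-SAFE-04` uses separate `approver` and `timestamp` fields; use the same shape so a checker can verify the operator confirmation precedes the `22:18Z` approval.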
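Review bot: `ot_ics_isolation_without_safety_gate.json` expects `Fail` with `"severity_floor": "High"`, but two rows of the Step 4c finding guidance match this input: shutting the shared switchport without the gate is a Fail, and the missing process state, interlock status and operations approval is "Not Evaluable". Nothing in the skill says the Fail row takes precedence, so an evaluator could legitimately return Not Evaluable and this test would fail against the spec rather than the implementation. Either state in Step 4c that a disruptive proposed action with missing gate evidence is always Fail (Not Evaluable applies only when the proposed action itself is non-disruptive), or change `expected_result`. Also `missing_evidence` marks `OTICS-SAFE-01_asset_role_dependency_map` as entirely absent although `asset_roles` supplies partial role data ("engineering_workstation": "suspected compromise"); either drop `asset_roles` or mark SAFE-01 as partial so the fixture is internally consistent.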