Waterfall BlackBox Helps Prevent Attackers from Undermining Incident Response Efforts

By Sid Snitkin

ARC Report Abstract

Incident management has become a top priority for industrial cybersecurity professionals. Given the sophistication of modern attacks, it would be naïve to trust defenses to block all intrusions.

The primary objective in protecting ICS environments is to block attacks, i.e., make sure they “never happen.” For those you fail to prevent, minimizing the impact of the compromise is imperative. This requires a proven strategy for rapidly detecting and isolating intrusions and then remediating and restoring operations.

Effective incident management requires trustworthy information. This includes records of system events and messages, as well as master copies of backups, files, and database records. As time is of the essence, some companies implement security information and event management (SIEM) solutions to help defenders aggregate, filter, correlate, and analyze this voluminous information.

Smart attackers understand the value of this information and do their best to modify and erase all records of what they did. Limiting attacker access to these files is essential, but challenging for industrial facilities. Aggregation solutions like SIEMs and support tools require local access to repositories, and enables the attacker the same access. Connectivity and confidentiality constraints often preclude offsite solutions, like cloud storage. Even with cloud backup, an attacker can access the data (as the backup system can) and delete or modify.

ARC Advisory Group clients can view the complete report at ARC Client Portal on Office 365 or Box.com or New Client Portal on this website

If you would like to buy this report or obtain information about how to become a client, please Contact Us


Keywords: Industrial Cybersecurity, Risk Management, Unidirectional Security Gateways, ARC Advisory Group.

Engage with ARC Advisory Group