Khunatorn -


How to create a critical infrastructure incident response plan

Does your organization have an incident response plan for disruptions to critical infrastructure? Learn how to write a successful plan for your company.

As the number of threats against critical infrastructure rises, organizations should prepare for potential disruptions to these key resources.

Here, explore what constitutes critical infrastructure, the benefits of an incident response (IR) plan and how to create a critical infrastructure incident response plan.

What is included in critical infrastructure?

The U.S. Department of Homeland Security defines critical infrastructure as "physical and cyber systems and assets that are so vital to the United States that their incapacity or destruction would have a debilitating impact on our physical or economic security or public health or safety."

Critical infrastructure resources include highways, bridges, tunnels, railways, utilities, the internet, drinking water, disaster response capabilities and more. It is important to ensure these resources' protection from events such as flooding, severe weather, earthquakes, explosions, solar storms, cybersecurity attacks, and other human-made and natural disasters.

What is needed to respond to an infrastructure emergency?

Given the current state of the nation's infrastructure, coupled with growing concerns about climate change, a rising demand for energy, an increased number of cyber attacks and continuing dependence on IT, it's more important than ever to have plans on how to deal with critical infrastructure disruptions.

Three essential tools for responding to critical infrastructure events are an IR plan, disaster recovery (DR) plan and business continuity (BC) plan. When dealing with potential critical infrastructure events, it's essential to have a process to quickly analyze the incident and make informed decisions on how to respond and mitigate the consequences of the event.

Organizations should complement IR, DR and BC plans with policies that delineate the company's position on critical infrastructure events and list expectations on how the company will respond. The presence of both policies and plans is also important from an audit perspective.

Questions to ask before developing a plan or policy

Because critical infrastructure assets are managed by others, find out how the critical infrastructure companies plan to respond to an incident. Most utility and telecommunication companies and local, state and federal governments have defined IR activities. Getting access to such information can be invaluable when developing policies, plans and procedures for responding to critical infrastructure disruptions.

Start by contacting local, county and state agency departments that manage infrastructure. Utility companies probably can't share their IR activities, but they may shed light on their general strategies and approaches to an incident.

Learn how to assess the scope of an incident

When considering the nature of a critical infrastructure event, organizations should assess the severity of the event and the likelihood of it ending quickly. Conduct a risk analysis to identify specific incidents, the threats posed by each, the likelihood that the incident can occur and the potential damages that could result.

Think of an incident as an event that may be, or may lead to, a business interruption, disruption, loss or crisis. An incident could be something as simple as a leaky pipe, for example, but if a local water main ruptures, the situation can quickly escalate into a disaster. Similarly, a malware attack on an electric company's infrastructure could affect your organization's ability to access electricity and prevent your employees from accessing other resources, such as the internet.

What is an incident response plan?

IR plans are sometimes called incident management plans or emergency management plans. In the context of critical infrastructure, all these terms apply if the plan's content is consistent with good IR practices and an understanding of how different types of critical infrastructure events can disrupt a business.

Incident response planning
This incident timeline demonstrates how incident response activities fit into the overall critical infrastructure disruption management process.

An IR plan optimized for a critical infrastructure event establishes the actions and procedures needed to achieve the following:

  • Acknowledge and respond to an incident.
  • Assess the situation quickly and effectively.
  • Notify the appropriate individuals and organizations about the incident.
  • Organize a company's response, including activating a command center.
  • Escalate the company's response efforts based on the severity of the incident.
  • Support the business recovery efforts being made in the aftermath of the incident.

Benefits of having an incident response plan for critical infrastructure

Benefits of an IR plan designed for critical infrastructure disruptions include the following:

  • Faster IR. An IR plan ensures an organization uses its risk assessment activities by spotting early signs that a critical infrastructure event is about to happen or is happening. It also helps organizations follow proper protocol to contain and recover from a critical infrastructure threat.
  • Early threat mitigation. A well-organized IR team with a detailed response plan can mitigate the potential effect of critical infrastructure events, unless the event is so serious -- such as an earthquake or flooding -- that routine IR procedures are inadequate. In those cases, rapid evacuation of employees and others is paramount.

    Depending on the nature and severity of the critical infrastructure event, an IR plan can minimize the duration of the incident and shorten recovery time. Properly executed -- and with communication to the appropriate people (e.g., family, clients) and organizations (e.g., first responders, government agencies, customers) -- these actions can help contain operational, financial and reputational damages.
  • BCDR plan launch prevention. If the critical infrastructure event is not serious, it may be possible to save an organization from launching a more complex and costly BCDR plan. In addition to helping the company quickly return to normal, an IR plan can minimize negative publicity that could affect the firm's reputation and competitive position.

    Timeline from security incident to business continuity
    This timeline demonstrates that incident response should precede disaster recovery and business continuity activities.
  • Links to BCDR plans. IR plans are often included with BCDR plans and specify conditions needed to activate those plans.
  • Better communication for faster action. Critical infrastructure events may go beyond the capabilities of an IR team. In these situations, the IR team should communicate with emergency management teams and first responders to resolve the event. If the incident causes building damage and damage to critical business systems, employees must evacuate to an alternate location, and BCDR plans should be activated.

Components of a critical infrastructure incident response plan

An IR plan for critical infrastructure events should identify and describe the roles and responsibilities of the IR team members who must keep the plan current, test it regularly and put it into action. The plan should also specify the tools, technologies and physical resources that must be in place to recover damaged facilities and systems and damaged or lost data. It should also define criteria for launching BCDR plans if the severity of the critical infrastructure incident has escalated.

According to the SANS Institute, there are six parts to an incident response plan:

  1. Preparation. Train users and IT staff to handle potential incidents should they arise, and perform risk analyses of critical infrastructure and potential threats and vulnerabilities.
  2. Identification. Determine whether an event is a critical infrastructure incident.
  3. Containment. Limit damage from the incident, and isolate the affected assets to prevent further damage.
  4. Eradication. Determine the incident's cause and remove affected systems from the production environment. This may not be immediately possible in a severe critical infrastructure event.
  5. Recovery. Reintroduce affected systems into production, and ensure no threats remain.
  6. Lessons learned. Document the critical infrastructure incident, and analyze how it happened so staff can learn from it and improve future response efforts.

Developing an incident response plan for critical infrastructure

Developing and implementing an incident response plan for critical infrastructure involve several steps. The order depends on how critical infrastructure systems and resources are used, potential vulnerabilities of those resources and the effects to the organization if the resources are disrupted or destroyed.

Include the following sections in an incident response plan for critical infrastructure:

  • policy, definition and scope;
  • risk and critical infrastructure vulnerability analysis;
  • process for reporting a critical infrastructure incident;
  • first responders and their contact details;
  • incident team members and their contact details;
  • infrastructure organizations and their contact details;
  • assessing the critical infrastructure incident and initial response steps;
  • site evacuations and employee relocation if the event is serious;
  • actions to perform during the critical infrastructure incident;
  • disaster declaration if the situation escalates;
  • launching BCDR plans;
  • criteria for standing down from the critical infrastructure incident;
  • post-event review and after-action report;
  • updating critical infrastructure response policies, procedures, training, hardware, software and network services; and
  • scheduling and conducting testing of IR plans and updating them as needed.

Developing a process to respond to events that affect the operational integrity of critical infrastructure resources is key for many organizations. The nature and severity of a critical infrastructure event will determine how your organization should respond, for example, initiating a recovery and return-to-work process or evacuating all employees and moving them to a safe alternate location.

Next Steps

Biden signs law on reporting critical infrastructure cyber attacks

How to create a ransomware incident response plan

Is cloud critical infrastructure? Prep now for provider outages

13 incident response best practices for your organization

 Building an incident response framework for your enterprise

Dig Deeper on Security operations and management

Enterprise Desktop
Cloud Computing