Good practice guide for CERTs in the area of industrial control systems : computer emergency response capabilities considerations for ICS

Industrial Control Systems (ICS) are indispensable for a number of industrial processes, including energy distribution, water treatment, transportation, chemical, government, defence and food processes. Though until a few decades ago ICS functioned in discrete environments, nowadays they tend to be connected to the Internet. This enables streamlining and automation of industrial processes, but carries with it the risk of exposure to cyber-attacks. The ICS are lucrative targets for intruders like criminal groups, foreign intelligence, phishers, spammers or terrorists. Therefore, the ability to respond to and mitigate the impact of ICS incidents is crucial for protecting critical information infrastructure and enhancing cyber-security on a national, European and global level. This document is an initial attempt to provide a good practice guide for the entities that have been tasked to provide ICS Computer Emergency Response Capabilities (ICS-CERC). On the other hand, this guide does not have the ambition to prescribe to the EU Member States which entities should be entrusted with provision of ICS-CERC services. This document builds upon the current practice of CERTs with responsibilities for ICS networks, and also on the earlier work of ENISA on a baseline capabilities scheme for national/ governmental (n/g) CERTs. Consequently, it employs a similar approach in addressing the topics relevant for ICS-CERC provision, by using four categories of baseline capabilities: mandate, service portfolio and operations in relation to ICS-CERC and, last but not least, cooperation with the other ICS stakeholders. These four categories of capabilities are mutually interdependent.