A Cyber Incident Response and Recovery Framework to Support Operators of Industrial Control Systems

Staves, Alex and Anderson, Tom and Balderstone, Harry and Green, Benjamin and Gouglidis, Antonios and Hutchison, David (2022) A Cyber Incident Response and Recovery Framework to Support Operators of Industrial Control Systems. International Journal of Critical Infrastructure Protection, 37: 100505. ISSN 1874-5482

[thumbnail of A_Cyber_Incident_Response_and_Recovery_Framework_to_SupportOperators_of_ICS_and_Critical_National_Infrastructure]
Text (A_Cyber_Incident_Response_and_Recovery_Framework_to_SupportOperators_of_ICS_and_Critical_National_Infrastructure)
A_Cyber_Incident_Response_and_Recovery_Framework_to_SupportOperators_of_ICS_and_Critical_National_Infrastructure.pdf - Accepted Version
Available under License Creative Commons Attribution-NonCommercial-NoDerivs.

Download (659kB)


Over the last decade, we have seen a shift in the focus of cyber attacks, moving from traditional IT systems to include more specialised Industrial Control Systems (ICS), often found within Critical National Infrastructure (CNI). Despite a push from governments to introduce appropriate legislation and guidance for such systems, operators of ICS and CNI still face multiple challenges in their cyber incident response and recovery capabilities, a theme that is often viewed as a last line of defence in minimising the impact of cyber attacks. This paper provides the following contributions: Firstly, we analyse existing standards and guidelines within cyber incident response and recovery. This analysis provides a structure on key response and recovery phases, a foundational understanding of associated requirements for these, and identifies challenges that could affect the quality of in-practice response and recovery capabilities. Using this analysis as a baseline, we examine how response and recovery processes are currently undertaken in practice through engagement with UK-based CNI operators and regulators. Secondly, as a starting point towards improving identified challenges in existing standards and guidelines and their use in practice, we propose a framework, built using the outputs identified from the document analysis and the stakeholder engagement, for use by operators to support them in assessing and improving their response and recovery capabilities.

Item Type:
Journal Article
Journal or Publication Title:
International Journal of Critical Infrastructure Protection
Additional Information:
This is the author’s version of a work that was accepted for publication in International Journal of Critical Infrastructure Protection. Changes resulting from the publishing process, such as peer review, editing, corrections, structural formatting, and other quality control mechanisms may not be reflected in this document. Changes may have been made to this work since it was submitted for publication. A definitive version was subsequently published in International Journal of Critical Infrastructure Protection, 37, 2022 DOI: 10.1016/j.ijcip.2021.100505
Uncontrolled Keywords:
?? icscniotcyber securitycyber incidentresponse and recoverycomputer science(all)modelling and simulationinformation systems and managementcomputer science applicationssafety, risk, reliability and quality ??
ID Code:
Deposited By:
Deposited On:
07 Jan 2022 14:25
Last Modified:
15 Apr 2024 00:13