NIST Cybersecurity framework - Recover function. Kevin T. Smith, Tridium

2. RECOVER
Kevin T. Smith, Tridium

3. A Scenario
● Alert - Your Building (or Campus of Buildings) is Acting Strangely!
○ Temperature Controls unresponsive
○ Security badging systems not working
○ Cooling systems for data center inoperative, shutting down data center
○ Elevators not working - people trapped
● After Analysis, Malware has affected your IT and OT Networks!
○ Initial malware weaponized infrastructure (AD instances) that spread infections to
systems at login time
○ Secondary malware attacked connected BAS systems
○ Malware had been dormant for months before until activated
● People want answers!!
○ Customers, tenants & stakeholders angry
○ Local Media is here and “want to ask you a few questions.”
○ And.. your communication systems are all also down - email systems, VoIP systems

4. What’s Involved in the Recover function?
● Recovery Planning
○ You need to have a plan & you probably haven’t thought out how complex this plan
needs to be
○ Your plan must have enough detail so that members of your team can execute it
for various scenarios
○ People typically don’t make complex decisions on-the-spot very well during
stressful conditions - they need to be prepared in advance
● Communications
○ How do you communicate to your internal stakeholders? Your customers? The
media?
○ Who will need to be involved in crafting communication?
○ What communication can you pre-plan NOW vs. in the heat of the moment?
● Improvements
○ Identifying Lessons Learned & Adapting your process - not just for recovery, but in
the functions of identify, protect, detect, and respond.

5. How Do You Recover Technical Functionality?
● How do you begin the process?
○ What takes priority?
○ Have you done a previous dependency analysis & criticality analysis & understand SLAs
to determine what systems you should bring online first?
○ Are there interim approaches that you can apply to restore partial services?
● Is the threat over, or is it still active?
○ Too many times, we jump to recovery without addressing the issue, which can repeat
itself (ex: not eliminating the threat or not mitigating how it came in)
● In recovering individual systems, have you planned for:
○ Recovering from Hardware failure?
○ Restoring from Backups of individual systems and their components?
■ Not just backups of your logic, but operating systems, filesystems, the works!
○ Restoring your communication systems so that you can respond??
● What people will be involved & what groups will you need to coordinate with?
○ Management? Who from OT? Who From IT?

6. Communication - It’s Complex!
● Communication often has legal, regulatory, and reputation impacts
● Who will you need to work with & coordinate with?
○ You most likely need to work closely with Marketing communications, Legal, and
Executive before you communicate with your customers
■ What communications can you plan in advance of an attack?
● What’s Your Message?
○ To Customers? To stakeholders? To shareholders? The media?
○ What’s the Plan?
○ What Systems will be restored - and when?
● How will your organization technically communicate?
○ Do you have alternative channels of communication?
● Who will do the communication?

7. How To Prepare, Test & Execute Your Plan
● CISA US-CERT Cyber Resilience Review (CRR)- https://www.us-cert.gov/resources/assessments
● NIST CSF (& References!) https://www.nist.gov/cyberframework/recover
● Using these references as a guide, gather stakeholders and draft a plan.
● Think through scenarios and see if your plan addresses it
● Do tabletop exercises with those who will be involved, walking through scenarios
● Best practice: Red team/Blue team exercises
● Finally, when you do execute the plan, apply lessons learned to your entire process.