Estimated Length: 12 Months; Work hours: 37.50; Est. OT Hrs/Wk: 10.00
This job is primarily responsible for developing Incident Response (IR) plan documentation related to Cyber Security Operation Center (CSOC), Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA).
This position at the Client is a highly skilled, demanding position requiring up-to-date, expert security knowledge of ICS-SCADA systems. These systems include but are not limited to the following:
1. Controlling Power, Train Signaling, Communications, Ventilation, Water Pumping, Physical Security, Building Management, HVAC, and Traffic Management systems.
2. Supervisory computers, Remote terminal units, Programmable logic controllers, Communication infrastructure, and Human-machine interfaces.
3. Network & Security infrastructure, Communication and internet security systems, Firewalls, Intrusion Protection Systems, Remote Access VPN, Proxy, Wireless Security, NAC, Enterprise ID Management systems, Database, computer systems, security event analysis and forensic investigation.
The candidate must have industry-standard security knowledge of current trends and of the evolving security of vendor products used in ICS-SCADA technology, as well as experience with developing IR plans, procedures, and playbooks. Specific transportation industry related knowledge and experience is a plus.
OT Incident Response Preparedness
This position will interface with various Client IT (Information Technology) and Agency operational technology (OT) departments to organize and conduct workshops with key managers, team members, stakeholders, and technical leaders within the organization to lay out a step-by-step process for the incident response plan as it relates to cyber security and ICS/SCADA OT systems. These workshops will review existing Client IT and OT incident response plans, technologies deployed and log sources in place to detect, analyze, and respond to various types of breaches.
The candidate will provide procedures and recommendations on the steps necessary to keep these documents up to date:
1. Identify and document all critical assets in the OT environment.
2. Lay out dependencies of various systems and components in OT and IT environments.
3. Identify and document critical data sources for logging and monitoring various use cases.
4. Set up meetings with various IT and OT departments to identify and document interdependencies and key stakeholders.
5. Document a step-by-step incident response plan from the OT and IT perspectives.
6. Define metrics for measuring the response and restoration capability and capacity of OT systems.
7. Assess backup and restoration capabilities for OT systems and provide recommendations for improvement.
8. Assess patching and vulnerability remediation capabilities for OT systems and provide recommendations for improvement.
9. Where applicable, determine the scope and capabilities of vendors/third parties when systems are not managed in-house.
10. Document IR plan roles, contacts and gaps for all third-party vendors supporting ICS/SCADA systems.
11. Document proper containment, remediation and recovery procedures for OT technology (software and hardware) deployments.
OT Incident Response Plan and Playbook Development
The candidate will work to develop custom deliverables specific to the Client OT environment. The Client's existing IT IR Plan could be leveraged to develop a specific OT IR Plan, with Playbooks and proper OT containment, remediation and recovery procedures. Playbooks to be developed will include but are not limited to the following US-CERT Categories:
1. Playbook 1: CAT 1 – Unauthorized Access / Accounts compromised
2. Playbook 2: CAT 2 – DoS
3. Playbook 3: CAT 3 – Ransomware
4. Playbook 4: CAT 4 – Improper Usage (USB Infections, Policy Violations, Equipment Theft or Loss)
5. Playbook 5: CAT 5 – Scans / Probes / Attempted Access / CVE Exploits / SQL Injections / Protocol Abuse
As part of IR Plan and playbook development, the candidate will identify existing processes and controls associated with investigation and remediation of OT security incidents and adapt and customize the playbook(s) to be in-line with technology, staffing and skillset level as well as industry best practices. The candidate will also develop the process for maintaining the incident playbook(s).
The following knowledge, skills, and abilities are required for this position.
Excellent organizational, decision-making and communication skills. Excellent knowledge of cyber security and ICS-SCADA operations with a solid understanding of the technology used within the transportation industry. Good to excellent attention to detail. Excellent creative problem-solving abilities coupled with a desire to take on responsibility. Strong team player and people skills with the ability to engage and motivate fellow staff members to drive results. Ability to handle multiple tasks in a fast-paced environment and prioritize highly varied work in order to maintain required productivity levels. Ability to communicate technical information and ideas so others will understand. Ability to make appropriate decisions considering the relative costs and benefits of potential actions. Ability to apply varying team player traits that create solutions and results in unexpected situations. Ability to assist and motivate less experienced team members to achieve our goals.
Additional Skills and Information:
Technical writing skills, development of incident response plans for ICS-SCADA environments