Actions to Respond to a Cyber Incident

Utility
__________________________

If possible, disconnect compromised computers from the network to isolate breached components and prevent further damage, such as the spread of malware. Do not turn off or reboot systems – this preserves evidence and allows for an assessment to be performed.

Notify IT personnel and/or IT vendor of the incident and the need for emergency response assistance. In addition, NCCIC can assist with IT system response and recovery (888-282-0870 or NCCIC@hq.dhs.gov).

Assess any damage to utility systems and equipment, along with disruptions to utility operations.

Execute the utility ERP as needed, including notification of utility personnel, actions to restore operations of mission critical processes (e.g., switch to manual operation if necessary), and public notification (if required).

Report the cyber incident as required to law enforcement and regulatory agencies.

Notify any external entities (e.g., vendors, other government offices) that may have remote connections to the affected network(s).

Document key information on the incident, including any suspicious calls, emails, or messages before or during the incident, damage to utility systems, and steps taken in response to the incident (including dates and times).
IT Staff or Vendor
________________
Review system and network logs, and use virus and malware scans to identify affected equipment, systems, accounts and networks.

Document which user accounts were or are logged on, which programs and processes were or are running, any remote connections to the affected IT systems or network(s), and all open ports and their associated applications.
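As an added example that is not part of the checklist, the following POSIX shell function records the volatile state the item above asks IT staff to document (logged-on users, running processes, remote connections, and listening ports with their programs), reading only, so the host itself is not altered. It assumes a Linux host with who/ps and the iproute2 ss/ip tools, root privileges so ss can map ports to processes, and an output directory on removable or network media; the file naming and section layout are my choices.

```shell
#!/bin/sh
# Added example, not from the checklist: capture volatile state read-only.
# Assumes Linux with who/ps (procps) and ss/ip (iproute2). OUTDIR should be
# removable or network media, never the suspect disk. Run as root so ss can
# show the process owning each socket.

# run_section LABEL CMD...: append one labelled, UTC-timestamped section.
# A missing or failing tool is recorded instead of aborting the collection.
run_section() {
    label=$1; shift
    printf '\n== %s (%s) ==\n' "$label" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >>"$REC"
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >>"$REC" 2>&1 || printf '(%s exited with status %s)\n' "$1" "$?" >>"$REC"
    else
        printf '(%s not available on this host)\n' "$1" >>"$REC"
    fi
}

# collect_volatile_state OUTDIR: write the record, hash it, print its path.
collect_volatile_state() {
    outdir=$1
    mkdir -p "$outdir"
    REC="$outdir/volatile-$(uname -n)-$(date -u +%Y%m%dT%H%M%SZ).txt"
    printf '# Volatile state record: host %s, collected %s by %s\n' \
        "$(uname -n)" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" >"$REC"
    # Most volatile first: logons and processes change fastest.
    run_section "Logged-on users"       who
    run_section "Running processes"     ps -eo user,pid,ppid,lstart,args
    run_section "Network connections"   ss -tunap   # remote connections + owning process
    run_section "Listening ports"       ss -tlnp    # open ports and their applications
    run_section "ARP / neighbour table" ip neigh
    # Hash the finished record so later alteration of it can be detected.
    if command -v sha256sum >/dev/null 2>&1; then
        (cd "$outdir" && sha256sum "$(basename "$REC")" >"$(basename "$REC").sha256")
    fi
    printf '%s\n' "$REC"
}
```

Run it before any containment step that could change the host, and keep the .sha256 file with the record in the incident documentation.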
If possible, take a “forensic image” of the affected IT systems to preserve evidence. Tools to take forensic images include Forensic Toolkit (FTK) and EnCase.

If possible, identify any malware used in the incident, any remote servers to which data may have been sent during the incident, and the origin of the incident. NCCIC can assist with the forensic analysis (888-282-0870 or NCCIC@hq.dhs.gov).

Research and identify if any employee or customer personally identifiable information (PII) was compromised.

Check the system back-up time stamp to determine if the back-up was compromised during the incident.

Document all findings, and avoid modifying or deleting any data that might be attributable to the incident.
Notes:
4 of 6