Emergency Drill Plan Template for Industrial Control System Cybersecurity

If you need a Word version, please leave a message.

**1. Purpose and Basis of the Drill**

1.1. Purpose of the Drill To effectively respond to cyber attack incidents targeting the company’s Industrial Control System (ICS), and to verify and assess the adequacy, effectiveness, and operability of the existing cybersecurity emergency plan. The aim of this drill is to:

Test Capabilities: Assess the capabilities of security event monitoring, early warning, analysis, response, and recovery.

Validate Processes: Verify the rationality of the emergency response process and the efficiency of inter-departmental collaboration.

Enhance Awareness: Improve the cybersecurity awareness and emergency response skills of control system engineers, operators, and management personnel.

Identify Issues: Identify deficiencies in the current security protection system, management policies, and emergency plans, providing a basis for continuous improvement.

Meet Compliance: Fulfill the regulatory requirements of national and industry authorities for annual emergency drills on critical information infrastructure.

1.2. Basis for the Drill

Cybersecurity Law of the People’s Republic of China

Basic Requirements for Cybersecurity Level Protection (GB/T 22239-2019)

Guidelines for Information Security Protection of Industrial Control Systems (Ministry of Industry and Information Technology Document [2016] No. 338)

Guidance on Strengthening Chemical Process Safety Management (State Administration of Work Safety Document [2013] No. 88)

Company’s Industrial Control System Cybersecurity Emergency Plan

──────────────────────────────────────────────────

**2. Overview of the Drill**

Drill Name: Desktop Simulation of Ransomware Attack on ABB 800xA Control System

Drill Method: Tabletop Exercise (Tabletop Exercise). Conducted in a meeting format, the drill director presents simulated scenarios and event progress, with participants verbally describing their decisions, actions, and communications, without involving actual operations of production systems.

Drill Date: YYYY year MM month DD day, XX:XX – XX:XX

Drill Location: Company XXX Conference Room

Core Systems: ABB 800xA DCS/SIS system, Triconex SIS system

Key Components: PM864/PM865 controllers, engineering stations, operator stations, historical servers, OPC servers

──────────────────────────────────────────────────

**3. Organizational Structure and Responsibilities**

Overall Commander: (Recommended to be the Vice President of Production or Plant Manager)

Responsibilities: Overall responsibility for the drill, approving major decisions, announcing the start and end of the drill.

Director Group: (Composed of the information security officer, automation department head, and external experts)

Responsibilities: Responsible for planning the drill scheme, writing scripts, releasing scenarios, controlling progress, and evaluating the drill.

Participating Teams:

Emergency Response Team: (Composed of automation engineers, IT network engineers, and security engineers)

Responsibilities: Responsible for technical assessment, attack tracing, virus removal, system isolation, and network recovery.

Production Operation Team: (Composed of on-duty process technicians, chief operators, and DCS operators)

Responsibilities: Responsible for monitoring process parameters, executing emergency shutdown or load reduction operations, and simulating on-site handling.

Equipment Support Team: (Composed of instrumentation and electrical engineers)

Responsibilities: Assess the impact on SIS and DCS controllers, prepare hardware spare parts and recovery tools.

Comprehensive Coordination Team: (Composed of office, public relations, and legal personnel)

Responsibilities: Responsible for internal and external information communication and reporting to government regulatory departments.

Evaluation Observation Team: (Composed of representatives from various departments or designated personnel)

Responsibilities: Record the drill process, evaluate the performance of participants, fill out evaluation forms, and provide a basis for the drill summary.

──────────────────────────────────────────────────

**4. Drill Scenario Setting**

4.1. Background Setting The company’s control network (L2) is isolated from the enterprise management network (L3) through a firewall, and data exchange between the two is conducted via an OPC server located in the isolation zone (DMZ/L2.5). The control network is not directly connected to the internet. Recently, the company’s IT department detected a small amount of malware activity on the L3 network, but it has been addressed.

4.2. Scenario Summary: Ransomware Moves Laterally viaOPC Server The attacker, through a compromised host on the L3 enterprise network, successfully penetrates the control network using the OPC protocol or known vulnerabilities of the server. The ransomware begins to spread laterally within the control network, causing some ABB 800xA operator stations (HMI) and engineering stations (EWS) to be encrypted, rendering the screens unresponsive and displaying ransom messages. The SIS (Triconex) system is temporarily unaffected, but its status monitoring interface may be inaccessible.

──────────────────────────────────────────────────

**5. Drill Process and Script**

Phase

Time

Event Injection (Released by the Director Group)

Expected Actions and Discussion Points (Responded by Participating Teams)

Phase One: Incident Occurrence and Discovery

T+0

Injection1:Report to the overall commander, operator Zhang San of Unit 2 reports that his two operator station screens suddenly turned blue, followed by a ransom window demanding payment in Bitcoin, and the operation screen is frozen, unable to perform any actions!

Production Operation Team: Immediately report the anomaly to the workshop director and emergency response team via intercom or phone. Attempt to switch to a backup operator station (if available). Closely monitor on-site instruments and prepare for manual intervention. Emergency Response Team: Upon receiving the report, confirm the information. Who is the first responder? How to record the event information (time, location, phenomenon)?

T+5 minutes

Injection2:Engineer Li Si reports that he cannot remotely log into the engineering station, and another engineer on-site confirms that the engineering station also displays the same ransom interface.

Emergency Response Team: Immediately assess the nature of the incident as a cyber attack. How to preliminarily evaluate the scope of the incident? Should the overall commander and each team be notified immediately?

Phase Two: Analysis and Assessment

T+15 minutes

Injection3: “IT network engineer reports that the firewall logs show a large amount of abnormal SMB (445 port) communication between the OPC server and the infected operator station one hour before the incident.

Emergency Response Team: Based on this information, preliminarily locate the attack source possibly from the OPC server. How to confirm that the OPC server is a compromised host? Is physical isolation of the server necessary? What are the risks of isolation (production data interruption)?

T+30 minutes

Injection4:According to the vendor’s emergency manual, the PM864/865 controllers are based on a proprietary operating system, and the risk of direct infection by this ransomware is low. However, if the engineering station is compromised, there is a risk of malicious installation of the controller program. The Triconex system is highly independent, but its monitoring computer may also be affected.

Equipment Support Team/Emergency Response Team: How to confirm whether the controller logic has been tampered with? Check program checksums or last modified times? How to ensure that the SIS system remains safe and effective? Discuss whether personnel need to be dispatched to check the controller status indicators.

Phase Three: Emergency Response and Containment

T+45 minutes

Injection5:The overall commander, the emergency response team suggests disconnecting the physical connection between the OPC server and the L2 control network immediately to prevent further spread of the virus. This will cause the MES system to be unable to obtain production data.

Overall Commander: Weigh the pros and cons (loss of production data vs. total paralysis of the control system). Decide whether to approve the disconnection. Emergency Response Team: Describe the specific disconnection steps (unplugging the network cable or operating on the switch?). How to handle the alarms from the OPC client after disconnection?

T+1 hour

Injection6:It has been confirmed that 3 operator stations and 2 engineering stations have been infected. No signs of the virus spreading to the controllers have been found so far. Production is temporarily stable, but operators can only rely on on-site instruments and the SIS system to ensure safety.

Production Operation Team: Report the current process status. Is it necessary to reduce load or execute emergency shutdown procedures? What is the basis for the decision? Emergency Response Team: How to handle the infected equipment? Is it formatting and reinstalling or attempting to decrypt? What is the company’s backup strategy? Is there a clean system image and project backup?

Phase Four: System Recovery and Business Continuity

T+2 hours

Injection7:The emergency response team has successfully restored one operator station and one engineering station using backup images. The recovery process took 1.5 hours.

Emergency Response Team/Equipment Support Team: Describe the system recovery process. What checks need to be done before recovery (such as virus scanning)? How to restore project programs? How to verify that the system functions normally after recovery? Overall Commander: Assess recovery time to see if it meets production requirements.

T+3 hours

Injection8:All infected devices have been restored. Prepare to reconnect the OPC server to the network. What needs to be done before reconnection?

Emergency Response Team: Describe the hardening and recovery process for the OPC server. Before reconnection, confirm that the virus has been cleared, vulnerabilities patched, and passwords changed. How to conduct a security audit before allowing it to go back online?

Phase Five: Summary and Reporting

T+3.5 hours

The drill ends, entering the summary phase.

Comprehensive Coordination Team: According to the Cybersecurity Law, does this type of incident need to be reported to the Cyberspace Administration, public security organs, or industry regulatory departments? What are the reporting deadlines and processes? All Members: Review the entire process, discussing strengths and weaknesses.

──────────────────────────────────────────────────

**6. Evaluation and Summary**

6.1. Evaluation Criteria

Timeliness: Whether the incident discovery, reporting, and preliminary handling can be completed within the specified time.

Accuracy: Whether the nature of the incident, impact scope, and attack path can be accurately judged.

Collaboration: Whether information communication between teams is smooth, and whether decision-making instructions are clear and effective.

Process Compliance: Whether all operations comply with the company’s emergency plan regulations.

Resource Effectiveness: Whether emergency tools, backup data, and spare parts are available and effective.

6.2. Post-Drill Work

Hold a Summary Meeting: The director group and evaluation group will review the drill situation, and each participating team will express their opinions.

Write a Drill Report: Detail the drill process, analyze identified issues, and propose specific improvement suggestions along with responsible persons and completion deadlines.

Plan Revision: Revise and improve the Company’s Industrial Control System Cybersecurity Emergency Plan based on the drill report.

Technical and Management Improvements: Implement improvement suggestions, such as strengthening OPC server security hardening, optimizing backup strategies, and conducting targeted training.

──────────────────────────────────────────────────

Disclaimer: This template is a general guiding document. Please customize it according to your company’s system configuration, management processes, and personnel situation to ensure its applicability and effectiveness. In actual operations, any changes or recovery operations to production systems should be conducted under strict risk assessment and authorization.[^1]: Guidance on Strengthening Chemical Process Safety Management__2013 No. 31 State Council Bulletin_China Government Network

[^2]: industrial control system (ICS) – Glossary

[^3]: Industrial Control Systems (ICS) Certifications

Leave a Comment