creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-13 22:54:53 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/implementing-ot-incident-response-playbook/references/api-reference.md
T
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal 
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

60 lines
2.6 KiB
Markdown
Raw Blame History

# API Reference: Implementing OT Incident Response Playbook
## ICS-CERT Incident Categories
| Category | Severity | Description | Response Time |
|----------|----------|-------------|---------------|
| Unauthorized Access | P1 - Critical | PLC/HMI/SIS unauthorized access | Immediate |
| Malware/Ransomware | P1 - Critical | OT network malware (EKANS, Triton) | Immediate |
| DoS/DDoS | P1 - Critical | OT communication disruption | Immediate |
| Network Intrusion | P2 - High | IT-OT boundary breach | < 4 hours |
| Reconnaissance | P3 - Medium | OT network scanning detected | < 24 hours |
| Policy Violation | P4 - Low | Unauthorized configuration change | < 72 hours |
## Purdue Model Containment Zones
| Level | Name | Containment Action |
|-------|------|--------------------|
| L0 | Physical Process | Manual control, verify SIS |
| L1 | Basic Control (PLC, SIS) | Isolate network, do NOT power off |
| L2 | Supervisory (HMI, SCADA) | Disconnect HMI, activate backup |
| L3 | Operations (Historian) | Isolate segment, preserve logs |
| L3.5 | DMZ | Sever IT-OT bridge |
| L4-5 | Enterprise IT | Standard IT IR procedures |
## NIST SP 800-82 IR Controls
| Control | Title | OT Consideration |
|---------|-------|------------------|
| IR-1 | IR Policy | Must address safety-critical systems |
| IR-4 | Incident Handling | Include OT engineering team |
| IR-5 | Incident Monitoring | Passive monitoring only in OT |
| IR-6 | Incident Reporting | CISA ICS-CERT within 72 hours |
| IR-8 | IR Plan | Separate OT and IT playbooks |
## SANS PICERL Framework for OT
| Phase | OT-Specific Actions |
|-------|---------------------|
| Preparation | Maintain PLC backup programs, define safe states |
| Identification | Correlate OT alerts with process anomalies |
| Containment | Network isolation without process disruption |
| Eradication | Restore from known-good PLC/HMI configurations |
| Recovery | Staged restart with operator verification |
| Lessons Learned | Update OT-specific TTPs and detection rules |
## Reporting Obligations
| Authority | Timeframe | Trigger |
|-----------|-----------|---------|
| CISA ICS-CERT | 72 hours | Critical infrastructure impact |
| Sector ISAC | 48 hours | Sector-relevant threat |
| TSA (pipeline) | 12 hours | Pipeline cybersecurity incident |
| NERC (electric) | 1 hour | Cyber Security Incident |
### References
- NIST SP 800-82 Rev 3: https://csrc.nist.gov/publications/detail/sp/800-82/rev-3/final
- IEC 62443-4-2: https://www.isa.org/standards-and-publications/isa-standards/isa-iec-62443-series-of-standards
- CISA ICS-CERT: https://www.cisa.gov/topics/industrial-control-systems
Reference in New Issue View Git Blame Copy Permalink