Week 22: Evaluate The Ability To Recover And Meet The RTO (1st Pass)
In Week 21 you identified the recovery time objective (RTO). Your task this week is to evaluate, at a high level via interview and inspection, whether that RTO can be credibly met. Assume a scenario where everything with an IP address in IT and OT has been compromised and needs to be rebuilt to function.
Remember, recovery is not restoring all cyber assets. Recovery is the ability to produce and provide the product or service for your customers at an acceptable level. Don’t forget to consider the necessary IT cyber assets, information and services identified in Week 19.
The first place to look is at your existing disaster recovery and business continuity plans. Do the plans address the scenario of everything with an IP address being corrupted? Many plans will have recovery time requirements for recovery of servers or databases, but they won’t discuss recovery of network infrastructure or PLCs / controllers. Many plans will have a single system recovery time and not consider that multiple systems, or all systems, need to be recovered.
The second place to look is incident response plans. Is there an incident response plan for the OT environment? Is there a scenario where everything with an IP address is considered compromised? Does the incident response include investigation or forensic actions that would delay the recovery plan?
After identifying and reviewing the documentation, the next step is to look for testing results to determine the level of confidence in performing recovery as planned and required.
This week’s task is to provide a qualitative answer to two questions assuming every cyber asset with an IP address is corrupted and needs to be rebuilt:
Will your organization be able to recover the ability to produce and deliver the product or service as planned in a business continuity plan, disaster recovery plan or incident response plan?
Will your organization be able to meet the RTO to produce and deliver the product or service?
For each of these questions provide one of the three answers below and a paragraph or more on why this is the correct answer.
This is also an important question that BoD members need to ask Business and IT Executives: https://energycentral.com/c/iu/questions-board-members-must-ask-about-cyber-risk-management