Data Backup, Recovery Plan Vital
Monday, May 9, 2016 @ 05:05 PM gHale
A water sector entity suffered a ransomware hit which encrypted a large portion of customer data and a number of business systems. The organization did not pay the ransom amount and began recovery efforts shortly after workers first noticed the infection.
Identified business systems were mostly virtual machines and were readily recovered from last known good backups. These backups had been recently captured, which facilitated fast recovery with a negligible amount of data loss, according to a report on the ICS-CERT Monitor.
Much to the water company’s dismay, the customer data had not been backed up as recently as the business systems. This led to a large gap between the last known good backup and current data sets. It is unknown if all the encrypted customer data will ever be recovered.
What became crystal clear to the water company, and should be evident to all users in the industrial control environment, is that backup and recovery schemas are vital to incident response planning.
When planning backups, there are costs of storage, manpower, and data availability to consider, according to the ICS-CERT Monitor. When should you capture a full backup? Should you supplement an infrequent full backup with an incremental or differential backup? On what schedule should you do so to avoid affecting operations? Has a recovery been exercised? How successful was the exercise? What gaps were identified?
These costs should be weighed against the value of the data you want to capture. How effectively will business operations continue with a gap in recovered data?
Offsite storage is a good way to ensure the integrity of data, but it can add time to the recovery process and may make it harder to keep current data sets. The types of data considered vital and the frequency of the backup will drive a manageable recovery plan that fits the cost and risks of data loss.