OT Incident Response
When a cybersecurity incident occurs in an OT environment, the response must balance two competing priorities: containing the threat and maintaining safe operations. Unlike IT incident response, where systems can usually be isolated and shut down, abruptly disconnecting OT systems can itself create dangerous conditions - loss of visibility, uncontrolled shutdowns, or disabled safety systems.
OT Incident Response Phases
Preparation
Before an incident happens: develop OT-specific response plans, identify critical assets, establish communication channels, define roles (who makes the call to shut down?), and conduct tabletop exercises.
Key question: Who has the authority to disconnect the OT network from IT during an active attack? This must be pre-agreed and documented.
Detection & Analysis
Identify the incident through OT network monitoring, anomalous process behaviour, or alerts from security tools. Determine the scope - which zones, which assets, what is the attacker doing?
OT-specific challenge: Distinguishing between a cyber attack and an equipment malfunction. A PLC sending unexpected commands could be compromised or simply faulty.
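The triage logic described in the Detection & Analysis phase, as an added example that is not part of the original article: it parses a constructed export of Modbus/TCP events from an OT network monitor, flags write commands whose source host is not an approved writer for the target PLC, groups the findings by zone to scope the incident, and offers one check for the attack-versus-malfunction question (was any write to the affected PLC address seen on the wire at all?). The record format, IP addresses, zone names and writer allow-list are all assumptions made for the example.

```python
"""Triage of OT network-monitor events during Detection & Analysis.

Added example (not from the original article). Assumes a monitoring tool
exported Modbus/TCP events as one record per line in the form:
    <timestamp> <src_ip> -> <dst_ip> fc=<function code> unit=<id> addr=<n> [value=<v>]
The record format, IP addresses, zones and the writer allow-list are constructed.
"""
import re
from collections import defaultdict

# Modbus function codes that change PLC state (coil/register writes).
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 23}

# Constructed asset inventory: PLC -> its zone and the only hosts allowed to write to it.
ASSETS = {
    "10.10.1.10": {"zone": "Boiler-L2", "writers": {"10.10.1.50"}},   # EWS-01
    "10.10.2.10": {"zone": "Pump-L2",   "writers": {"10.10.2.50"}},   # EWS-02
}

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+) fc=(?P<fc>\d+) "
    r"unit=(?P<unit>\d+) addr=(?P<addr>\d+)(?: value=(?P<value>\S+))?$"
)

# Constructed sample export: two writes from an IT-side host that is not an
# approved writer, plus normal engineering-workstation and read-only traffic.
SAMPLE_EVENTS = """\
2024-05-01T10:00:01 10.10.1.50 -> 10.10.1.10 fc=3 unit=1 addr=100
2024-05-01T10:00:02 10.10.1.50 -> 10.10.1.10 fc=6 unit=1 addr=200 value=1500
2024-05-01T10:00:05 192.168.50.7 -> 10.10.1.10 fc=6 unit=1 addr=200 value=9999
2024-05-01T10:00:06 192.168.50.7 -> 10.10.2.10 fc=5 unit=1 addr=12 value=0xFF00
2024-05-01T10:00:07 10.10.2.50 -> 10.10.2.10 fc=3 unit=1 addr=0
2024-05-01T10:00:08 10.10.1.60 -> 10.10.1.10 fc=4 unit=1 addr=0
"""


def parse_events(text):
    """Parse the export; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["fc"] = int(d["fc"])
            events.append(d)
    return events


def find_unauthorised_writes(events):
    """Return write commands whose source is not an approved writer for the target PLC."""
    findings = []
    for ev in events:
        asset = ASSETS.get(ev["dst"])
        if asset is None or ev["fc"] not in WRITE_FUNCTION_CODES:
            continue
        if ev["src"] not in asset["writers"]:
            findings.append({**ev, "zone": asset["zone"]})
    return findings


def scope_incident(findings):
    """Group findings as zone -> PLC -> offending sources, so responders see which zones are hit."""
    scope = defaultdict(lambda: defaultdict(set))
    for f in findings:
        scope[f["zone"]][f["dst"]].add(f["src"])
    return {zone: {plc: sorted(srcs) for plc, srcs in plcs.items()} for zone, plcs in scope.items()}


def writes_to_address(events, plc_ip, addr):
    """Attack-vs-malfunction check: list every write seen on the wire to this PLC address.
    An empty list means no external command explains an unexpected output, which points
    towards a logic or hardware fault rather than a compromise."""
    return [ev for ev in events
            if ev["dst"] == plc_ip and ev["fc"] in WRITE_FUNCTION_CODES and int(ev["addr"]) == addr]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    fnd = find_unauthorised_writes(evs)
    for f in fnd:
        print(f"{f['ts']} unauthorised write {f['src']} -> {f['dst']} ({f['zone']}) fc={f['fc']} addr={f['addr']}")
    print("Scope:", scope_incident(fnd))
    print("Writes to 10.10.1.10 addr 200:", len(writes_to_address(evs, "10.10.1.10", 200)))
```

The allow-list approach works because OT write traffic is normally stable: only a handful of engineering workstations should ever issue write function codes to a given PLC, so any other source is worth an analyst's attention even before the payload is understood.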
Containment
Isolate affected systems while maintaining safe operations. This may mean switching to manual control, activating backup systems, or severing the IT-OT connection at the DMZ firewall.
Critical rule: Never disable a Safety Instrumented System (SIS) during incident response. The SIS is the last barrier against catastrophic failure.
Eradication & Recovery
Remove the threat, rebuild compromised systems from known-good backups, re-validate PLC programmes against master copies, and restore normal operations in a controlled, phased manner.
Lessons Learned
Conduct a thorough post-incident review. What was the root cause? How did the attacker get in? What detection failed? Update defences, procedures, and training based on findings.
OT-Specific Considerations
Manual Fallback
Operators must be trained to run the plant manually if SCADA is compromised. Regular drills ensure this capability is maintained.
PLC Programme Integrity
Maintain verified master copies of all PLC programmes. After an incident, compare running programmes against masters to detect tampering.
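The programme re-validation step from the Eradication & Recovery phase and the master-copy comparison described here, as one added example that is not part of the original article: the master copies are hashed into a manifest that is sealed with an HMAC (so an attacker who edits the manifest alongside the programme is still caught), and each programme uploaded from the PLCs is classified as matching, tampered, missing, or unknown. The programme contents, file names and the manifest key are constructed for the example; the `.acd` extension is only a placeholder for whatever your PLC vendor's project format is.

```python
"""PLC programme integrity check after an incident.

Added example (not from the original article). Assumes that verified master
copies were hashed into a manifest when they were approved, and that the
programmes currently running have been uploaded from the PLCs into files.
The programme contents, names and the manifest key below are constructed.
"""
import hashlib
import hmac
import json
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(masters: dict, key: bytes) -> dict:
    """Hash each master programme and seal the hash list with an HMAC, so the
    manifest itself cannot be silently rewritten to match a tampered programme."""
    hashes = {name: sha256_hex(blob) for name, blob in sorted(masters.items())}
    payload = json.dumps(hashes, sort_keys=True).encode()
    return {"hashes": hashes, "mac": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def manifest_is_authentic(manifest: dict, key: bytes) -> bool:
    payload = json.dumps(manifest["hashes"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])


def compare_programmes(manifest: dict, running: dict, key: bytes) -> dict:
    """Classify every programme: match, tampered, missing (master exists, nothing
    running) or unknown (running, but no approved master). Refuses to judge at all
    if the manifest fails its MAC check."""
    if not manifest_is_authentic(manifest, key):
        raise ValueError("manifest MAC check failed: do not trust these master hashes")
    expected = manifest["hashes"]
    result = {"match": [], "tampered": [], "missing": [], "unknown": []}
    for name in sorted(set(expected) | set(running)):
        if name not in running:
            result["missing"].append(name)
        elif name not in expected:
            result["unknown"].append(name)
        elif hmac.compare_digest(sha256_hex(running[name]), expected[name]):
            result["match"].append(name)
        else:
            result["tampered"].append(name)
    return result


def load_programmes(directory: str) -> dict:
    """Read uploaded programme files from a directory into {file name: bytes}."""
    return {p.name: p.read_bytes() for p in Path(directory).iterdir() if p.is_file()}


# Constructed sample data: three approved masters; the running copies have one
# altered rung, one master that is no longer present, and one extra programme
# nobody approved.
MANIFEST_KEY = b"constructed-offline-key-replace-me"   # keep the real key off the OT network
MASTERS = {
    "boiler_plc.acd": b"RUNG 1: START IF PRESSURE < 120\nRUNG 2: TRIP IF PRESSURE > 150\n",
    "pump_plc.acd":   b"RUNG 1: RUN IF LEVEL > 20\n",
    "valve_plc.acd":  b"RUNG 1: OPEN IF TEMP > 80\n",
}
RUNNING = {
    "boiler_plc.acd": b"RUNG 1: START IF PRESSURE < 120\nRUNG 2: TRIP IF PRESSURE > 250\n",
    "pump_plc.acd":   b"RUNG 1: RUN IF LEVEL > 20\n",
    "mystery.acd":    b"RUNG 1: OPEN ALL\n",
}


def run_sample() -> dict:
    manifest = build_manifest(MASTERS, MANIFEST_KEY)
    return compare_programmes(manifest, RUNNING, MANIFEST_KEY)


if __name__ == "__main__":
    for status, names in run_sample().items():
        print(f"{status:>9}: {', '.join(names) or '-'}")
```

In practice the manifest and its key are produced on the engineering side when a programme change is approved and stored off the OT network, and `load_programmes` replaces the constructed `RUNNING` dictionary with whatever directory the uploads were saved to. A "tampered" result is evidence, so keep the uploaded copy as-is for forensics rather than overwriting it during recovery.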
Forensic Challenges
OT devices have limited logging. Network traffic captures and historian data may be the only forensic evidence available.
Regulatory Reporting
Many jurisdictions require mandatory reporting of cyber incidents affecting critical infrastructure within 24-72 hours.
