Operations

Incident response in OT environments: why your IT playbook won't work here

Incident response plans built for IT fail in industrial environments. Availability comes first, the protocols are different, and disconnecting a PLC is nothing like shutting down a laptop.

Roger
Tags: OT, ICS, incident response, SCADA, IEC 62443, NIST

Your IT security team has an incident response plan. It probably involves isolating the compromised machine, taking a forensic image, and restoring from backup. In a corporate environment, that works. In a plant processing natural gas at 60 bar, isolating the wrong device can trigger an emergency shutdown. Or worse.

The difference isn't technical, it's physical

In IT, the worst-case scenario from an incident is usually data loss or a service outage. In OT, we're talking about damage to equipment worth millions, environmental spills, or injuries to people. The 2017 TRITON attack against a petrochemical plant in Saudi Arabia made that painfully clear: the malware targeted the safety instrumented systems (SIS), the ones that prevent explosions and catastrophic leaks. Not the data. The physics.

When a compromised asset controls a physical process, every containment decision has real-world consequences. You can't just "turn it off and on again" when the industrial furnace takes 72 hours to reach operating temperature.

Why IT playbooks fail in OT

The timelines don't match. An IT SOC can spend hours triaging an alert without serious consequences. In OT, if an attacker modifies the setpoints on a pressure controller, you have minutes before the process becomes unstable.

The tools don't translate either. You can't install an EDR agent on a Siemens S7-1200 PLC or run an aggressive vulnerability scan against devices speaking Modbus TCP. Those controllers weren't built to handle unexpected traffic. A poorly planned scan can crash a production device outright.
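Because you can't put an agent on the controller, detection has to happen on the wire. The snippet below is an added illustration, not code from the original post: it parses captured Modbus/TCP requests and flags write function codes (the ones that can change a setpoint) coming from any host other than an assumed engineering-workstation allowlist. The IP addresses and frames are constructed for the example.

```python
import struct

# Modbus function codes that change controller state (coils/registers).
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}

# Hypothetical allowlist: only the engineering workstation may write (assumption).
AUTHORIZED_WRITERS = {"10.10.1.20"}


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse one Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, pid, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    fc = frame[7]
    rec = {"transaction_id": tid, "unit_id": unit_id, "function_code": fc}
    if fc == 6 and len(frame) >= 12:  # Write Single Register
        rec["address"], rec["value"] = struct.unpack(">HH", frame[8:12])
    elif fc == 16 and len(frame) >= 12:  # Write Multiple Registers
        rec["address"], rec["count"] = struct.unpack(">HH", frame[8:12])
    return rec


def flag_unauthorized_writes(captured: list) -> list:
    """Return alerts for writes from unlisted hosts and for malformed frames."""
    alerts = []
    for src_ip, frame in captured:
        try:
            rec = parse_modbus_tcp(frame)
        except ValueError as exc:
            alerts.append({"src": src_ip, "reason": f"malformed: {exc}"})
            continue
        if rec["function_code"] in WRITE_FUNCTION_CODES and src_ip not in AUTHORIZED_WRITERS:
            rec.update(src=src_ip, reason="write from unauthorized source")
            alerts.append(rec)
    return alerts


# Constructed sample capture (source IP, raw Modbus/TCP request); not real traffic.
SAMPLE_CAPTURE = [
    ("10.10.1.10", bytes.fromhex("0001000000060103000A0002")),  # HMI polls registers (FC3)
    ("10.10.1.20", bytes.fromhex("00020000000601060010012C")),  # engineering WS writes (FC6)
    ("10.10.5.77", bytes.fromhex("000300000006010600100BB8")),  # unknown host writes setpoint
    ("10.10.5.77", bytes.fromhex("0004000000FF0106001003E8")),  # bad MBAP length field
]

if __name__ == "__main__":
    for alert in flag_unauthorized_writes(SAMPLE_CAPTURE):
        print(alert)
```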

And the chain of command is different. In IT, the CISO calls the shots. In OT, the plant manager has the final say on anything that affects production. If your response plan doesn't include Operations at the decision table, it will fall apart when it matters most.

What an OT incident response plan actually needs

NIST SP 800-82 and the IEC 62443 series provide guidance specific to industrial environments. But a useful plan goes beyond ticking compliance boxes. These are the elements you can't skip:

  1. An up-to-date OT asset inventory. Most plants don't know how many PLCs they have or what firmware they're running. Without this inventory, you can't prioritize containment.
  2. Zone and conduit classification per IEC 62443. Knowing which network segments you can isolate without affecting process safety is information you need before the incident, not during it.
  3. Containment procedures by asset type. Disconnecting a switch in the supervision zone is not the same as disconnecting one in the control zone. Your plan has to reflect that difference.
  4. Joint IT-OT exercises. The IT team needs to understand industrial processes. The OT team needs to understand cyber threats. Without regular drills that bring both sides together, coordination during a real incident will be chaotic.

The Colonial Pipeline reminder

In May 2021, DarkSide ransomware compromised Colonial Pipeline's IT systems. The company shut down OT operations as a precaution, even though the malware hadn't reached the control systems. The result: fuel shortages across the US East Coast for nearly a week. Without visibility into the actual separation between IT and OT, a company may be forced to shut everything down just to be safe. And the costs are massive.

Preparation is what matters

The difference between an incident contained in hours and one that shuts down production for weeks is decided before anything happens. Map your assets. Segment your networks. Define clear roles between IT and OT. Run realistic drills. None of it is glamorous, but it's what separates organizations that manage incidents from the ones that make headlines.
