Evolving cyber threats have put OT/ICS incident response priorities under significant pressure. Organizations are turning away from reactive responses and toward proactive ones that stress fast detection, containment, and recovery, in order to prevent disruption of critical infrastructure, reduce downtime, protect public safety, and maintain operational continuity. Operational stability in OT/ICS (operational technology/industrial control systems) settings also depends on strong backup and recovery options: to protect public safety and limit economic losses, organizations must ensure their systems can quickly return to normal operation following an event.
Incident response has been further complicated by the convergence of IT and OT. Although IT/OT integration improves data sharing and efficiency, it also broadens the attack surface, leaving OT environments more exposed. Incident response teams must address the particular difficulties of connected systems while ensuring that IT security controls do not hinder OT operations. Effectively addressing risk in these combined environments calls for a cooperative strategy in which IT and OT teams work together.
Notwithstanding technology improvements, the human element remains essential in OT/ICS incident response. Interpreting data, making judgments, and carrying out response plans require qualified staff; at the same time, human error introduces risk. To improve the preparedness and performance of their teams, companies need to develop a cybersecurity-aware culture, run simulations, and provide training.
Threat intelligence is a strong means of enhancing OT/ICS incident response. Using live data on emerging threats lets organizations anticipate attacks and tailor their defenses. By sharing threat intelligence across sectors, organizations can collectively build resilience and stay ahead of threats to essential infrastructure.
In OT/ICS settings, maintaining operational continuity calls for strong backup and recovery systems. Organizations have to make sure their systems can rapidly return to normal operations following an event, which helps to protect public safety and reduce financial damage.
OT/ICS incident response is being reshaped by emerging technologies such as artificial intelligence, machine learning, and automation. These tools allow faster threat identification, automatic containment, and predictive analytics while reducing dependency on human intervention. Their reliability, however, needs to be carefully assessed to confirm that they support continuous operation in sensitive environments.
Ultimately, improving cyber resilience and guaranteeing the continuation of critical operations depend on a thorough response to OT incidents that integrates human knowledge, cooperation, and advanced technologies.
Shifting priorities in OT/ICS incident response
Industrial Cyber reached out to industrial cybersecurity experts to learn how the operational priorities in OT/ICS environments shape incident response strategies and how these priorities have evolved over the past 12 to 18 months.
Paul Shaver, global practice leader at Mandiant’s Industrial Control Systems/Operational Technology Security Consulting practice – Google Cloud, told Industrial Cyber that OT/ICS incident response strategies prioritize availability and safety to minimize downtime. “Trends in the last 12-18 months show an increase in sophisticated cyberattacks targeting OT/ICS systems, as well as ransomware impacting critical systems. Consequently, organizations are placing greater emphasis on proactive planning and resilience, prioritizing resilience through backup/recovery, network segmentation, critical spare management, and enhanced monitoring.”
He added that IT/OT convergence requires closer collaboration and integrated plans. AI/ML is also being used to improve detection and response by helping automate routine tasks, identify anomalies, and accelerate response times.

“Operational priorities lean toward keeping the OT environment running safely and at the desired capacity,” Mike Hoffman, technical leader at Dragos, told Industrial Cyber. “Historically, these priorities have not shifted much. Control systems, however, are becoming more complex and have increasing interdependencies. Incident response now requires faster detection and containment without triggering unintended system shutdowns and enhanced collaboration between responders and engineering teams to ensure remediation efforts don’t compromise operational integrity.”

Alex Yevtushenko, co-founder and CEO of Salvador Technologies, identified that over the last year, incident response strategies have shifted to prioritize safety and uninterrupted operations to prevent snowballing system failures. “These changes have been driven by the growing frequency and sophistication of cyber-attacks and the evolving need for solutions that permit rapid restoration of operations.”
He added that organizations are now focusing more on cross-site and organizational resilience, which translates into how fast they can overcome a cyber attack or a massive failure without it affecting their production or operational continuity. “This is key. Whether it is ensuring that their data is secure from continuous ransomware demand or ensuring their staff can resume operations in unmanned locations, these factors and many more are now playing a major role in ensuring uninterrupted business and operational continuity. These changes reflect a broader industry move towards cyber-resilience to minimize downtime while protecting critical infrastructure.”

Bryson Bort, founder and CEO of SCYTHE, told Industrial Cyber that the operational priorities in OT drive the incident response (IR) strategy, period. “Safety (protection of life and limb) and Availability (how the organization makes revenue) are the priorities that drive the how and why of IR. The evolution over the last 12-18 months continues with more efforts to bring cybersecurity into OT, which started in 2020 when then CISA DIR Chris Krebs and I announced at RSAC the coming scourge of ransomware as a national threat.”
Incident response in the age of IT-OT convergence
The executives look into the ways the integration of IT and OT systems has complicated incident response efforts, and they assess the crucial roles that asset inventory and network segmentation play in preparing for potential incidents.
Shaver said that OT/IT network connections increase incident risk by expanding attack surfaces. “IT teams typically prioritize confidentiality and integrity, while OT teams prioritize availability and safety. These conflicting priorities can make it difficult to develop and implement effective and collaborative incident response plans, especially when IT and OT teams often operate in silos, which hinders communication and delays response.”
Additionally, he noted that many OT teams lack the skills and experience necessary to respond to sophisticated cyberattacks, often leading to extended downtime. “Forensic capabilities frequently reside with OEMs/vendors, necessitating asset awareness for effective planning. Good asset inventories are essential to response teams for effective planning and impact assessment of a compromise. They also help rapidly identify additional systems and devices potentially vulnerable to a particular compromise. Additionally, if devices need to be replaced, it’s crucial to understand what critical assets are necessary to restore production.”
Lastly, Shaver pointed out that effective network segmentation is critical for minimizing compromise impact, controlling access/data flow, and enabling better monitoring/detection that can aid in the early detection of a compromised network.
Hoffman said that IT/OT integration has slowly introduced indirect operational impacts. “The integration of the MES and ERP systems in manufacturing showcases this. Plant floor production can be significantly impacted if one of these systems, which are typically on the business side, is compromised.”
He added that a robust asset inventory and documenting critical data flows support identifying critical assets. “With this, segmentation provides the capability to create defensible areas of trust between OT and IT systems. A well-segmented network provides an arduous path for attackers to navigate and areas of isolation during containment. Identifying key assets and their data flows is critical to understanding the impacts of containment during an IR event.”
Yevtushenko observed that companies are now realizing that they need better and more comprehensive visibility over their OT systems, but that greater visibility means they need to look at cybersecurity in a whole new light.
“While the convergence of IT and OT systems provides unprecedented efficiency and innovation, it also exposes traditionally isolated systems to new security risks by expanding the attack surface, making it more difficult to monitor and detect emerging vulnerabilities or threats,” he added. “That is why network segmentation and comprehensive backup procedures are crucial to limiting the spread of incidents by containing potential breaches within isolated segments. This is especially critical in OT environments where a single breach could disrupt entire production lines.”
“Convergence is the reason we’re here, and we’re not going back: the benefits in operational safety, efficiency, and utility are too great and will only grow,” Bort assessed. “I work with about 50 asset owners around the country every year and all are in one of two phases managing this problem: 1) visibility – establishing asset inventory and host monitoring; 2) defensible architecture – using visibility to architect for a more secure OT environment with holistic monitoring which allows effective detection for IR.”
Balancing human factor in OT/ICS incident response
The executives assess the role of organizational culture in fostering a proactive incident response strategy and identify measures to effectively train OT/ICS personnel to recognize and manage cyber incidents while ensuring operational continuity.
“Security culture should emulate decades of successful safety culture, which has dramatically decreased industrial safety incidents over the last 30+ years because we’ve held regular safety training sessions, introduced job safety aids, held safety briefings before work starts, and empowered employees with stop work authority if there were unsafe working conditions,” Shaver said. “Translating this to cybersecurity, you can see how regular security awareness training, intel briefings, and building security processes, plans, and playbooks into our work culture could greatly improve the rate of early detection, containment, and even improve incident prevention rates when employees become aware of a new attack vector that may provide an attacker an easy access point.”
Hoffman identified that culture plays a significant role in responding to an incident. When leadership understands that their OT environment could be in the crosshairs of an adversary, it motivates them to ensure adequate response capabilities.
“Developing an OT-specific incident response plan and then testing that plan via tabletop exercises (TTX) is a foundational activity,” Hoffman added. “TTX scenarios should be based on known threat activity targeting the organization’s vertical, leveraging realistic artifacts and timelines. Responders must also have the technical acumen to perform their roles. Often, this is achieved by taking IR and Forensics courses from training providers, such as SANS.”
“A proactive vulnerability detection approach needs to be deeply rooted in an organization’s culture and has the power to transform how teams identify and respond to threats,” Yevtushenko said. “Businesses that encourage open and real-time communication, continuous learning, and cross-team collaboration foster an environment where both OT and IT personnel recognize their role in mitigating vulnerabilities to quickly recover from any threat.”
For this reason, he added, it is important that all teams are equipped to address cyber threats using the easy-to-use, recovery-based technology now available, which can restore operations with a single click of a button.
Bort assessed that culture can reduce the attack surface, making an organization a harder target, and can also follow the continuous process improvement principles of OT operations themselves, supporting proactive testing and tuning to build a good balance of preventive and detective controls for an optimal IR approach.
“The challenge I see for asset owners is where to start with personnel. In my experience, it is easier to train an OT specialist on cybersecurity than it is to start the other way,” Bort added. “Also, I recommend starting with a dedicated OT Security Operations Center (SOC) and growing to a fusion center (IT and OT) together; in other words, start simple and grow your functional maturity.”
Improving incident response with OT/ICS threat intelligence
The executives examine how organizations can utilize threat intelligence to improve incident detection and response capabilities within OT/ICS environments.
Shaver identified that sharing threat landscape information and the tactics, techniques, and procedures (TTPs) with internal/external stakeholders enhances threat awareness, security culture, and overall security posture.
He added that applying threat intel to vulnerability management helps teams proactively mitigate risks, which is essential when legacy systems limit patching. “Integrating threat intelligence with security tools (SIEMs, IDS, firewalls) allows teams to prioritize alerts based on the relevance and severity of the threat to their environment and develop response playbooks specific to OT/ICS threats.”
“Threat Intelligence provides a bidirectional view that allows organizations to learn what has happened and prepare for potential future attacks,” Hoffman identified. “Understanding adversarial tactics, techniques, and procedures allows defenders to verify their detection capability. It provides a mirror to understand whether the deployed preventative, detective, and recovery controls are equipped to handle the threat.”
Yevtushenko said that organizations can leverage threat intelligence by implementing a single view of real-time, actionable data into every aspect of operations, allowing for proactive, fast detection of vulnerabilities. “This approach and comprehensive overview allow businesses to pinpoint compromised areas, but they also facilitate continuous monitoring to analyze patterns and better inform their overall security posture and with that their overall resilience.”
“Security is defined by the threat: the measure of prevention, detection, and response are what the threat can or cannot do against what you can or cannot see,” Bort assessed. “The ability to operationalize this intelligence into a signal to drive this testing is the key to internally resolving risk management. The external aspect of threat intelligence is best driven by Known Exploited Vulnerabilities (KEVs), which CISA aggregates for easy reference.”
Delivering operational continuity in OT/ICS environments
The executives focus on strategies to ensure operational continuity during and after a cyber incident, emphasizing the critical importance of robust backup and recovery processes in achieving this objective.
“In our experience, 99% of cyberattacks begin on IT infrastructure,” Shaver said. “To maintain operational continuity, leveraging virtualized systems and immutable backups for mission-critical systems, and regularly testing disaster recovery, is essential. Additionally, many OT environments now have connectivity to enterprise and cloud-based resources. As a result, organizations must understand where those critical interconnections are and build strategies that maintain operations for an acceptable period of downtime during a compromised enterprise infrastructure,” he added.
Hoffman mentioned that incident response plans are often shortsighted around recovery. “The effort and forethought needed to properly carry out these activities, starting from the activation phase followed by recovery and reconstitution phases, should be documented in a Disaster Recovery Plan (DRP). The DRP should align with the operational and process needs for systematic recovery, reconstitution, and operational resumption.”
He added that a tested immutable backup and recovery process is a vital part of the DRP, but it needs to be aligned with maximum tolerable downtime, which drives the recovery strategy.
“Operational continuity is a non-negotiable in OT and ICS environments, and organizations looking to maintain operations must implement a multi-pronged approach that includes rapid detection, segmented networks and robust and immediate recovery processes that are completed within minutes or even seconds,” according to Yevtushenko. “Without these resilience-focused strategies, even a brief disruption can cause unexpected downtime and significant financial losses. Robust backup and recovery processes are crucial to maintaining operational continuity, preserving essential data, and minimizing the impact of cyber incidents to ensure that critical systems can restore normal operations with near zero disruption.”
Bort noted that operations already devote resources to business continuity planning and disaster recovery; cyber incidents should build on the processes and people already there. “Improving back-ups is a great example where IT cybersecurity can help OT engineers. And test them! Remember, the worst moment in an incident is when you go to the back-ups… that don’t work.”
Leveraging emerging tech for OT/ICS cyber resilience
The executives address how emerging technologies, such as AI, machine learning, and automation, are transforming incident response in OT/ICS environments. They also evaluate the reliability of these technologies in supporting sustained operational continuity and their potential to enhance resilience in the face of cyber threats.
Shaver observed that emerging technologies are enabling faster and more accurate threat detection, anomaly identification, and automated response actions. “While these offer significant potential for improved incident response and operational continuity, their reliability depends on data quality, OT/ICS complexity, and the integration with existing systems.”
“There are also benefits from leveraging ML trained on production data and used for optimization processes in enabling anomaly detection,” he added. “Process variables from control devices such as CPU run times, memory usage, and program run times can be logged in historical data and used to detect when changes may have occurred and raise alerts which can then be used in SIEM/SOAR for triage, analysis, and escalation where necessary.”
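The technique Shaver describes, as an added example that is not code from the article or from any vendor quoted in it: a known-good window of historian readings sets a per-variable baseline for controller CPU load, memory use and program scan time, and only sustained deviations become alert records a SIEM/SOAR could ingest. The asset tag, field names and readings are constructed.

```python
"""Added example (not from the article or any vendor quoted in it): baseline
anomaly alerting on controller telemetry. A known-good window of historian
readings sets a per-variable baseline; sustained deviations become JSON alerts."""
import json
from statistics import mean, pstdev

VARIABLES = ("cpu_pct", "mem_pct", "scan_ms")
ASSET = "PLC-LINE3-01"       # constructed asset tag
BASELINE_SAMPLES = 12        # first N readings treated as known-good
Z_THRESHOLD = 3.0            # standard deviations from baseline mean
PERSISTENCE = 2              # consecutive deviant readings before alerting
MIN_SIGMA_FRACTION = 0.02    # noise floor (2% of mean) so jitter cannot alert

# Constructed one-minute historian export: (timestamp, cpu_pct, mem_pct, scan_ms).
# Rows 1-12: stable run. Row 13: single CPU spike (transient, must not alert).
# Rows 15+: scan time steps up and memory climbs, as after a program change.
HISTORIAN = [
    ("2024-05-01T08:00Z", 41.0, 62.0, 10.1), ("2024-05-01T08:01Z", 42.5, 62.1, 10.0),
    ("2024-05-01T08:02Z", 40.8, 62.0, 9.9),  ("2024-05-01T08:03Z", 43.1, 62.2, 10.2),
    ("2024-05-01T08:04Z", 41.9, 62.1, 10.0), ("2024-05-01T08:05Z", 42.2, 62.3, 10.1),
    ("2024-05-01T08:06Z", 40.5, 62.0, 10.3), ("2024-05-01T08:07Z", 43.4, 62.2, 9.9),
    ("2024-05-01T08:08Z", 41.7, 62.1, 10.0), ("2024-05-01T08:09Z", 42.0, 62.4, 10.1),
    ("2024-05-01T08:10Z", 41.2, 62.2, 10.2), ("2024-05-01T08:11Z", 42.9, 62.1, 10.0),
    ("2024-05-01T08:12Z", 55.0, 62.2, 10.1), ("2024-05-01T08:13Z", 42.3, 62.3, 10.0),
    ("2024-05-01T08:14Z", 41.8, 63.0, 17.8), ("2024-05-01T08:15Z", 42.6, 66.5, 18.0),
    ("2024-05-01T08:16Z", 41.5, 70.9, 18.1), ("2024-05-01T08:17Z", 42.0, 71.2, 18.2),
]

def learn_baseline(rows):
    """Per-variable (mean, noise-floored stdev) from the known-good window."""
    baseline = {}
    for i, name in enumerate(VARIABLES, start=1):
        values = [r[i] for r in rows]
        mu = mean(values)
        sigma = max(pstdev(values), MIN_SIGMA_FRACTION * abs(mu))
        baseline[name] = (mu, sigma)
    return baseline

def detect(history):
    """One alert per sustained excursion; a variable re-arms only after it
    returns inside the normal band, so a long excursion is not re-reported."""
    baseline = learn_baseline(history[:BASELINE_SAMPLES])
    streak = {name: 0 for name in VARIABLES}
    alerts = []
    for row in history[BASELINE_SAMPLES:]:
        for i, name in enumerate(VARIABLES, start=1):
            mu, sigma = baseline[name]
            z = (row[i] - mu) / sigma
            if abs(z) < Z_THRESHOLD:
                streak[name] = 0               # back to normal: re-arm
                continue
            streak[name] += 1
            if streak[name] == PERSISTENCE:    # just became sustained: alert once
                alerts.append({
                    "asset": ASSET, "variable": name, "sample": row[0],
                    "observed": row[i], "baseline_mean": round(mu, 2),
                    "z_score": round(z, 1),
                    "severity": "high" if abs(z) >= 10 else "medium",
                })
    return alerts

if __name__ == "__main__":
    for alert in detect(HISTORIAN):
        print(json.dumps(alert))   # one JSON line per alert for a SIEM forwarder
```

On the constructed data the transient CPU spike at 08:12 is suppressed by the persistence rule, while the scan-time step (08:15) and the memory climb (08:16) each produce exactly one alert.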
AI and Machine Learning (ML) are dynamically shaping how IR is done, from detecting malicious activity in the network and host to supporting dynamic playbooks, Hoffman identified. “Additionally, automation through integration brings another benefit. Some network monitoring solutions, for example, can detect a threat and, through API integration, insert a new firewall rule in a perimeter firewall. It should be noted, however, that AI and ML are just tools. Trained people are still the ultimate defenders.”
Yevtushenko mentioned that emerging technologies play an incredibly important role in reshaping incident response by enhancing the accuracy of vulnerability detection and introducing automatic response, allowing businesses to detect threats earlier and more accurately. “When these technologies are correctly integrated, they can be highly reliable. However, their effectiveness relies on human oversight and strategy, continuous training, and seamless integration with existing cybersecurity frameworks. While these emerging technologies have the power to enhance incident response speed and accuracy, they must be accompanied by comprehensive risk management and cyber-resilience strategies to sustain operational continuity.”
Bort said that AI/ML implementation already exists in the field to identify anomalous patterns from various hosts and network sensors. “The key areas we’re seeing automation in the environment is to support asset discovery (passive and hybrid enumeration and fingerprinting) and the higher Purdue levels of segmentation. The primary value of AI in general in OT has been preventative maintenance and diagnostics,” he concluded.