One of the most important considerations for leaders to keep in mind is that OT cyber incident response is not a simple add-on to an existing IT incident response program. The unique nature of OT environments requires an incident response plan and program that are specifically tailored to OT risks, which are significantly different from IT risks. The stakes are so exceedingly high when cyber incidents strike industrial environments because OT systems are inextricably tied with physical world. These systems are designed to run everything from machines and robots in manufacturing facilities to pumps and valves at water stations to electrical grid equipment run by power plants. Cyber incidents that impact these OT systems can also have very real physical consequences, posing a threat to human and environmental safety. OT cyber incidents can also make a material impact on operational uptime. Consequently, every minute they remain ongoing can directly affect revenue. This means that the risk management goals of an OT incident response team are going to be vastly differentiated from those of an IT-focused team.
In addition to the goals and risk calculations being different for OT incident response, there are also important differences in the way that teams would assess and respond to an OT incident. Responders must be able to effectively:
- interact with systems from which forensic data must be collected differently to maintain stricter operational and uptime requirements
- triage systems without shutting them down or disconnecting them the way IT systems can be disabled during an ongoing incident
- examine activity for systems that use different protocols and technology into which typical IT forensic tools offer little to no visibility
- bring enough OT network expertise to the table to understand what abnormal activity looks like and when their actions may do more harm than good for system stability
Every organization’s OT IRP will look different, but most plans should offer guidelines, documentation, and best practices for the organization in nine important areas, covered in a recent Dragos report and webinar.