Operational Technology risks are rising
Across every industry, cyber attacks against Operational Technology (OT) systems are escalating, with critical infrastructure and manufacturing bearing the brunt of the assault. Our 2024 Annual Cyber Threat Intelligence Report highlighted Industrials as the most targeted sector group, experiencing 27% (1424) of all ransomware attacks – a 15% increase from 2023. We’ve also observed how attacks on Industrial organizations can cause mass disruption, affecting critical infrastructure and services and causing material downtime.
Despite ample evidence of rising risks, many organizations remain woefully unprepared. Just over half of organizations report having a dedicated ICS/OT incident response plan, and nearly 1 in 3 have no plan at all.
The alarming absence of OT incident response (IR) planning can’t be because these organizations don’t know the risks—the data is clear, and numerous high-profile incidents have made international headlines.
Virtually every manufacturing and production process is driven or monitored by a networked component, and even isolated or air-gapped systems remain exposed through removable media, vendor laptops, and physical access. From water and sanitation to the energy grid, airport baggage handling and aircraft staging, life-saving medicines, and offshore oil rigs, the vulnerability and potential impact are substantial everywhere you turn, no matter how small the system.
Instead, the issue is that most organizations already have their hands full managing IT risks. Without dedicated OT security resources, many IT teams have little visibility into the plant floor and no capacity to take it on. Given these limitations, building an OT IR plan can feel overwhelming, especially if you don't know where to begin. In some cases it may be best to build the plan internally, but seeking external help is always an option.
To tackle this challenge, we’ve compiled a tailored OT IR plan checklist to help you get started and ensure you’re covering the essentials to better prepare your organization for the inevitability of an OT incident.
10 steps towards building an effective OT IR plan:
1. Make safety the #1 priority
In an IT incident, time is money, but in the vast majority of cases (healthcare is a notable exception) no one's life is on the line. It is usually acceptable to isolate affected machines, or even cut the entire company's internet connection, if that is what containment requires.
However, safety must be the number one priority when OT is breached. The SANS 2024 State of ICS/OT Cybersecurity report states that 38% of ransomware incidents compromise safety or process reliability. Whether it is an attack on a nuclear facility, disruption at a water treatment plant, or the malfunction of a furnace at a steel manufacturer, the impact on human health and safety can be catastrophic. Containment actions that are routine in IT, such as pulling a network cable or powering off a host, can themselves create a safety event in OT if the device is controlling a physical process, so every response step needs to be checked against the process it affects.
Because of this risk, safety must be a cornerstone of your OT IR plan, with considerations, contingencies, and protocols woven throughout to protect workers, customers, and the public.
2. Let regulatory compliance be your guide
The regulatory landscape is shifting rapidly, with many countries implementing compliance standards aimed particularly at critical infrastructure. While compliance and the threat of sanctions may add a layer of anxiety and urgency, these standards also provide a framework for building your plan.
Consult applicable standards, such as the NIST Cybersecurity Framework, NIS2, and the EU Cyber Resilience Act, and build on established guidance such as the SANS ICS Five Critical Controls (ICS-specific incident response, defensible architecture, ICS network visibility and monitoring, secure remote access, and risk-based vulnerability management) and the PICERL response model (Preparation, Identification, Containment, Eradication, Recovery, Lessons learned).
Many of these standards also introduce a new level of C-suite accountability for the organization's cyber security posture, including OT. NIS2, for example, places responsibility on management bodies, meaning CISOs and other executives may be held personally accountable for unaddressed exposures and for a response that fails to meet regulatory requirements. For security teams, this provides added leverage when prioritizing OT security investment.
3. Conduct Facility Due Diligence
You can't protect what you can't identify. A complete asset inventory is fundamental to understanding your OT landscape and assessing your risk: for each device, record at least its make and model, firmware version, network location and connectivity, the process it controls, and who owns it. Once you have that inventory, use it to prioritize remediation based on your risk appetite and on the impact a compromise would have on health and safety, business continuity, and financial position.
As part of your assessment, evaluate your internal resource capacity and expertise. Do you have the budget, workforce, and skillset to build out an OT IR plan and actually execute it? Be honest about your capacity and realistic about whether you can acquire the added skillset in-house or if you’ll need a partner to help.
4. Build up collaboration & communication
Collaboration between IT and OT is essential from the start when building an effective OT IR plan. IT may be primarily concerned with containing and mitigating a breach, but without understanding operational conditions, their strategies may create unintended consequences. Similarly, OT may not have a robust knowledge of response protocols and may inadvertently cause more damage.
Bringing everyone to the table ensures both sides acknowledge the other's concerns and lays the groundwork for cooperation, which will be critical in the event of an attack. You'll also want to include your legal team to address mandatory disclosure obligations and legal privilege, and your corporate communications/PR team to handle crisis management.
Bringing in a neutral, outside perspective to formulate your OT IR plan ensures everyone’s needs and concerns are addressed and conflict minimized.
5. Validate access, roles, and responsibilities
Say there’s a breach on one of your offshore drilling rigs. Do your IT personnel have the proper clearances and maritime training required to work on-site? Do you have a helicopter available to get someone there?
Assigning roles and responsibilities for who does what in the event of a breach is critical but so is verifying their ability to access and even touch the equipment. In many facilities, there’s an entire ecosystem of vendors and OEM relationships that may require participation from third parties.
Be sure to address response times and breach-related SLAs in any vendor contracts so that you won’t be stuck waiting at the vendor’s mercy.
6. Include a contingent operations plan
Again, during a typical IT breach, shutting down the affected system might cost you considerable money, but it’s unlikely to have much downstream effect. Even in banking and healthcare, customers would likely have other options.
But what if you’re a pharmaceutical manufacturer or natural gas supplier? Can you maintain operations if your production shuts down due to an OT cyber incident? Business continuity and disaster recovery plans must be included and considered a vital part of the overall planning process—don’t assume you’ll figure it out if it happens.
7. Control the damage
Too often, when equipment goes down, the operations team's instinct is to assume it's faulty and repair or replace it to get production back online. But in an OT cyber attack, an equipment glitch may be the first visible sign of a problem. The damage may already be done, and swapping the part can make matters worse: it destroys the evidence needed to understand what happened, and if the attacker still has a foothold on the network, the replacement will simply be compromised again.
Train the operations team to consider an OT cyber attack as a possible cause of any unexplained equipment malfunction, or at least to include it in their initial triage, and to preserve logs and device configurations before repairing or replacing anything. Simply putting this possibility on their radar can be critical to controlling the damage.
8. Perform tabletop exercises
A plan is only effective when you're confident it works, and that requires practice. Conduct tabletop exercises as part of your IR process and evaluate your plan at least annually. Take this one step further and build a testing programme that includes offensive exercises, such as red teaming or adversary emulation, to see your response in action. Run any active testing against a test bed or replica of the production environment rather than live control systems, since a misfired scan or exploit against a PLC can cause the very outage you are preparing for.
Remember that every change to your ecosystem—a new piece of equipment, a configuration change, or even a software update—changes the risk profile. Incident readiness has to be an ongoing process, not a one-time exercise.
9. Deal with data and documentation
You’ll obviously want to document every plan and process in your incident response protocol. Still, remember that it also needs to be accessible; if your plan is stored on a SharePoint server, there’s a very real risk that it will be either compromised or rendered inaccessible if the network is breached.
Always have a paper hard copy ready to pull off the shelf and execute immediately, including vendor agreements, insurance documents, and a list of key personnel and contacts.
You'll also want to involve your legal team in planning around discoverability, the risk that your communications, assessments, and analysis could be obtained by opposing parties if the breach leads to litigation. Assume it will, and understand whether that changes how you communicate during response execution, for example by routing incident analysis through counsel where privilege may apply.
10. Ensure the appropriate level of support
Clearly, ICS/OT IR planning is a lot to take on, especially when almost half of organizations are struggling with a shortage of labor. However, to be cyber-ready, organizations must prioritize incident planning on a continual basis and assume no two attacks will be the same.
That’s why, even with an extensive checklist, entrusting an experienced third party like NCC Group to help test and strengthen your OT IR plan can make all the difference. Instead of spending months starting from scratch, all the while remaining vulnerable, working with a team of IT/OT incident experts can facilitate collaboration, build internal support, and prepare you faster and more efficiently.
In our case, a partnership with Dragos enables access to secure asset inventory tools, technical expertise on standby 24/7, and planning workshops to ensure that an OT IR plan covers all the bases for a swift and effective response.
Unfortunately, no organization can afford to ignore OT cyber risk any longer. The stakes have never been higher. Now is the time to build a plan before a breach is detected.
Secure your operational resilience.
Learn more about our Facility Due Diligence (FDD) service and assess the strength of your digital forensics and incident response capabilities to focus planning and training for significant compromise.