Implementing OT Incident Response Playbook

When to Use

• When building OT-specific incident response procedures for the first time
• When existing IT IR playbooks do not address ICS/SCADA-specific requirements
• When preparing for OT ransomware scenarios like EKANS or LockerGoga
• When aligning IR procedures with IEC 62443 and NERC CIP incident reporting requirements
• When conducting post-incident reviews to improve OT IR capabilities

Do not use for IT-only incident response without OT components (use standard NIST 800-61 playbooks), for day-to-day OT security monitoring (see implementing-dragos-platform-for-ot-monitoring), or for tabletop exercise design (see performing-ics-tabletop-exercise).

Prerequisites

• OT asset inventory with criticality ratings and safety system identification
• Defined roles: OT IR Lead, IT SOC Analyst, Plant Operations Manager, Process Safety Engineer
• Communication plan including out-of-band channels (OT incidents may compromise IT communications)
• Known-good backups of PLC programs, HMI configurations, and historian data
• Contact information for ICS vendors, Dragos/Claroty support, and CISA ICS-CERT