Strengthening Operational Technology Resilience: The Importance of Cybersecurity Incident Preparedness in Industrial Environments

In an era where operational technology (OT) systems serve as the backbone of critical infrastructure and industrial operations, the convergence of digital transformation and escalating cyber threats has created an unprecedented security challenge. The statistics paint a sobering picture: ransomware attacks on industrial organizations surged 87% in 2024, with manufacturing bearing the brunt at 70% of all incidents[1][2]. More alarming still, 23.5% of industrial control system (ICS) computers globally were exposed to cyberthreats in Q2 2024, with ransomware activity increasing by 1.2 times compared to the previous quarter[3]. These figures underscore a fundamental truth that OT security professionals can no longer ignore: the question is not whether a cyber incident will occur, but when—and whether organizations will be prepared to respond effectively.

The Unique Challenge of OT Cybersecurity Incidents

Understanding the OT Threat Landscape

Operational technology environments face fundamentally different risks than traditional IT systems. Where IT security prioritizes the CIA triad (Confidentiality, Integrity, Availability), OT security inverts this priority structure, placing availability and safety at the forefront[4]. This distinction is critical because OT systems control physical processes that can have life-threatening consequences when compromised. A cybersecurity incident in an OT environment doesn’t just threaten data—it can halt production lines, compromise safety systems, and in worst-case scenarios, cause physical harm to personnel and environmental damage[5][6].

The threat landscape itself has evolved dramatically. Recent research by Dragos identified over 600 ransomware incidents affecting industrial sectors in Q4 2024 alone, with newly branded ransomware groups proliferating and leveraging increasingly sophisticated tactics[2]. These attacks are no longer the domain of opportunistic criminals; nation-state actors and ideologically motivated hacktivists are increasingly converging, sharing intelligence and infrastructure to target OT systems[7]. The emergence of ICS-specific malware such as Fuxnet and FrostyGoop, combined with the growing use of “living-off-the-land” techniques that leverage built-in tools to avoid detection, demonstrates the sophistication of modern OT-targeted attacks[7].

Common Attack Vectors and Vulnerabilities

Analysis of current OT security assessments reveals several persistent vulnerabilities that attackers consistently exploit. According to Check Point research, the top threats include lack of network segmentation, DDoS attacks, web application attacks, malware, and command injection attacks[8]. More concerning is that 65% of OT environments maintain insecure remote access conditions, with 45% of organizations having SSH communicating to publicly routable addresses[7]. Additionally, one in every four penetration tests uncovers default credentials in industrial environments—a critical vulnerability given the difficulty of implementing multi-factor authentication on legacy OT systems[7].
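The "SSH communicating to publicly routable addresses" condition above is one an asset owner can audit from flow records. The following is an added example, not code from the article or from any vendor it cites: it runs over constructed NetFlow-style lines and flags SSH sessions between OT zones and non-private address space in either direction. The OT zone CIDRs, the CSV layout and the sample addresses are assumptions.

```python
"""Audit flow records for SSH sessions between OT assets and publicly routable peers.

Added example. OT zone ranges, log format and sample addresses are assumptions;
the sample uses RFC 5737 documentation ranges as stand-ins for real public IPs.
"""
import csv
import ipaddress
from io import StringIO

SSH_PORT = 22

# Assumption: OT zones defined as CIDR blocks (placeholder ranges).
OT_ZONES = [
    ipaddress.ip_network("10.20.0.0/16"),    # plant floor
    ipaddress.ip_network("172.16.50.0/24"),  # SCADA DMZ
]

# Address space that is never reachable from the public internet. Anything
# outside these blocks is treated as publicly routable. ip_address().is_global
# is deliberately not used: it also classes the RFC 5737 documentation ranges
# in the constructed sample below as non-global.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# Constructed sample, NetFlow-like: ts,src,sport,dst,dport,proto,bytes
SAMPLE_FLOWS = """\
ts,src,sport,dst,dport,proto,bytes
2024-06-01T08:00:01Z,10.20.4.15,51022,10.20.1.1,22,tcp,4096
2024-06-01T08:00:05Z,10.20.4.15,51023,203.0.113.7,22,tcp,9120
2024-06-01T08:01:10Z,172.16.50.9,40101,198.51.100.23,22,tcp,1200
2024-06-01T08:02:00Z,172.16.50.9,40102,192.168.7.4,22,tcp,300
2024-06-01T08:02:30Z,10.20.4.16,51200,203.0.113.7,443,tcp,2048
2024-06-01T08:03:00Z,192.0.2.44,33000,10.20.4.15,22,tcp,700
2024-06-01T08:03:30Z,10.20.4.17,51300,100.64.3.2,22,tcp,500
2024-06-01T08:04:00Z,10.20.4.18,51400,203.0.113.9,ssh,tcp,1
"""


def is_publicly_routable(addr):
    """True when addr lies outside every private, reserved or multicast block."""
    ip = ipaddress.ip_address(addr)
    # `ip in net` is False (not an error) when the IP versions differ.
    return not any(ip in net for net in NON_ROUTABLE)


def in_ot_zone(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in zone for zone in OT_ZONES)


def find_exposed_ssh(flow_text):
    """One finding per TCP/22 flow where an OT asset and a publicly routable
    peer talk SSH: outbound (OT asset is the client) or inbound (OT asset is
    the server). SSH to private jump hosts and non-SSH traffic are ignored."""
    findings = []
    for row in csv.DictReader(StringIO(flow_text)):
        try:
            src, dst = row["src"], row["dst"]
            ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
            dport = int(row["dport"])
        except (KeyError, ValueError, TypeError):
            continue  # malformed record: skip it rather than abort the audit
        if row.get("proto", "").lower() != "tcp" or dport != SSH_PORT:
            continue
        if in_ot_zone(src) and is_publicly_routable(dst):
            findings.append({"ts": row["ts"], "asset": src, "peer": dst, "direction": "outbound"})
        elif in_ot_zone(dst) and is_publicly_routable(src):
            findings.append({"ts": row["ts"], "asset": dst, "peer": src, "direction": "inbound"})
    return findings


def exposed_assets(flow_text):
    """Sorted, de-duplicated list of OT assets with at least one finding."""
    return sorted({f["asset"] for f in find_exposed_ssh(flow_text)})


if __name__ == "__main__":
    for f in find_exposed_ssh(SAMPLE_FLOWS):
        print(f"{f['ts']} {f['direction']:8} asset={f['asset']} peer={f['peer']}")
    print("assets to review:", exposed_assets(SAMPLE_FLOWS))
```

On the sample this reports two outbound sessions and one inbound session; the OT-to-OT jump-host session, the 192.168.x destination, the carrier-grade NAT peer, the HTTPS flow and the malformed record are all left out.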

The challenge is compounded by the age and nature of OT infrastructure. Many systems run on legacy Windows versions—some still operating Windows 98—that were never designed with cybersecurity in mind[9]. These systems often lack basic security features such as user authentication, data encryption, and integrity checking[10]. The Bitsight research revealed nearly 100,000 ICS systems owned by global organizations exposed to potential attacks through publicly accessible infrastructure, highlighting the scale of the exposure[11].

The Imperative for OT-Specific Incident Response Planning

Why Traditional IT Incident Response Falls Short

One of the most critical misconceptions in industrial cybersecurity is that existing IT incident response capabilities can be directly applied to OT environments. This assumption has proven dangerous in real-world incidents. OT cyber incident response requires fundamentally different approaches due to several unique considerations[6]:

Safety-First Mentality: Unlike IT systems that can be immediately isolated or shut down during an incident, OT systems often cannot be disrupted without creating safety hazards. The incident response team must understand the safety implications of every action and maintain continuous coordination with operations and safety personnel[12].

Uptime Requirements: OT systems are designed for high availability, often operating 24/7 with minimal downtime windows. Traditional IT forensic approaches that involve taking systems offline for imaging and analysis are often impossible in OT environments without significant operational impact[6].

Physical Consequences: OT incidents can result in physical damage to equipment, environmental hazards, and threats to human safety. This reality fundamentally changes the risk calculus and response priorities[13].

Specialized Protocols and Technologies: OT systems utilize industrial protocols (Modbus, DNP3, EtherNet/IP) and specialized equipment that require domain expertise to understand and investigate effectively[6].

Core Components of Effective OT Incident Response Plans

Based on analysis of leading practices from organizations like CISA, Public Safety Canada, and industry experts, effective OT incident response plans must incorporate several critical elements:

Cross-Functional Team Structure: Successful OT incident response requires a team that bridges multiple disciplines. The Canadian government’s guidance emphasizes assembling teams that include IT security professionals, OT engineers, operations personnel, safety experts, legal counsel, and senior leadership[12]. This cross-functional approach ensures that technical response actions are balanced against operational and safety requirements.

Safety-Integrated Decision Making: Every OT incident response plan must establish clear decision-making processes that prioritize safety. This includes pre-defined escalation paths to safety personnel and predetermined actions that have been tested for their safety implications[12]. The plan should explicitly address scenarios where cybersecurity response actions might create safety risks.

OT-Specific Response Procedures: Generic IT incident response procedures must be adapted for OT environments. This includes understanding how to safely isolate OT systems, alternative methods for evidence collection that don’t require system shutdown, and procedures for maintaining operational capability during response activities[14].

Communication Protocols: OT incidents require specialized communication protocols that account for regulatory reporting requirements, public safety considerations, and coordination with external stakeholders such as emergency responders and regulatory agencies[12].

The Most Common Types of OT Cyber Incidents

Ransomware: The Dominant Threat

Ransomware has emerged as the predominant threat to OT environments, accounting for 80% of attacks where the threat actor is known according to the ICS-STRIVE database[15]. The appeal of targeting OT systems lies in their low tolerance for downtime—organizations are more likely to pay ransoms quickly to restore critical operations[1]. Recent analysis shows that ransomware attacks on industrial organizations more than doubled in the second half of 2024 compared to the first half[1].

The sophistication of ransomware targeting OT has evolved significantly. Modern ransomware groups employ “double extortion” techniques, not only encrypting systems but also exfiltrating sensitive data and threatening its release[16]. The Colonial Pipeline incident exemplifies this approach, where attackers compromised IT systems but the organization chose to shut down OT operations preemptively to prevent potential spread to critical control systems[17].

Insider Threats and Human Error

Human factors remain a significant vulnerability in OT environments. Research indicates that 95% of cyber breaches result from human error, with personnel serving as the primary entry point for cybersecurity attacks[18]. In OT environments, this is particularly concerning because operators often have extensive access to critical systems and may lack cybersecurity awareness training specific to industrial environments[19].

Nation-State and APT Activities

Advanced Persistent Threat (APT) groups, particularly those with nation-state backing, have increasingly targeted OT systems for espionage and pre-positioning activities. The RedFly group’s months-long infiltration of an Asian power grid demonstrates the persistence and sophistication of these threats[11]. These attacks often focus on gathering intelligence about system configurations and establishing persistent access for potential future disruption[20].

Supply Chain Compromises

The interconnected nature of modern OT systems has created new attack vectors through the supply chain. High-profile incidents such as SolarWinds and the more recent MOVEit Transfer vulnerability exploitation by the Cl0p ransomware gang highlight how third-party compromises can provide attackers with access to multiple industrial organizations simultaneously[19].

The Critical Role of Exercising Incident Response Capabilities

The Power of Tabletop Exercises in OT Environments

Tabletop exercises (TTXs) represent one of the most valuable tools for preparing OT incident response capabilities. Unlike full-scale simulations that might disrupt operations, tabletop exercises provide a low-risk environment for testing response plans, identifying gaps, and building cross-functional coordination[21]. For OT environments, these exercises are particularly valuable because they allow teams to work through complex scenarios that involve both cybersecurity and operational considerations.

Types of OT Tabletop Exercises: The most effective OT tabletop exercises fall into three categories. Strategic exercises focus on high-level decision making and involve senior leadership, operations managers, and key stakeholders. These exercises test organizational response capabilities and decision-making processes. Tactical exercises concentrate on specific response procedures and typically involve incident response team members, OT engineers, and operational personnel. Technical exercises dive deep into specific technical scenarios and focus on the hands-on response capabilities of technical staff[21].

Best Practices for OT Tabletop Exercise Design

Effective OT tabletop exercises require careful design to address the unique challenges of industrial environments. Based on analysis of industry best practices and frameworks like the CISA Tabletop Exercise Packages, several key principles emerge:

Scenario Realism: Exercises must be grounded in realistic attack scenarios that reflect actual threats to the specific industrial environment. This includes understanding the organization’s OT architecture, critical processes, and potential attack vectors[22]. Scenarios should be based on real-world incidents adapted to the organization’s specific context.

Multi-Disciplinary Participation: Successful OT tabletop exercises require participation from across the organization. This includes not only IT and cybersecurity personnel but also operations staff, maintenance teams, safety personnel, and senior leadership[23]. The diversity of participants helps identify interdependencies and coordination challenges that might not be apparent in single-discipline exercises.

Progressive Complexity: Effective exercise programs begin with relatively simple scenarios and progressively increase complexity as the organization’s response capabilities mature. This approach allows teams to build confidence and competence while identifying fundamental gaps before moving to more challenging scenarios[24].

Integration with Operational Constraints: OT tabletop exercises must account for operational realities such as production schedules, maintenance windows, and safety requirements. Scenarios should explore how cyber incidents might interact with planned and unplanned operational events[25].

Measuring Exercise Effectiveness

The value of tabletop exercises extends beyond the immediate learning experience. Properly designed exercises provide measurable insights into organizational preparedness and help prioritize improvement efforts. Key metrics include response time to key decisions, effectiveness of communication protocols, identification of resource gaps, and clarity of roles and responsibilities during incidents[26].

Organizations should document exercise outcomes systematically and track improvement over time. This includes not only technical capabilities but also soft skills such as communication effectiveness and cross-functional coordination. Regular post-exercise evaluations help ensure that identified gaps are addressed and that exercises continue to provide value as organizational capabilities mature.

Framework Integration and Standards Alignment

NIST Cybersecurity Framework for OT

The NIST Cybersecurity Framework provides a foundational structure for OT cybersecurity programs, but its application requires careful adaptation for industrial environments. The framework’s six functions—Identify, Protect, Detect, Respond, Recover, and Govern—each take on unique characteristics in OT contexts[27].

The Identify function in OT environments requires comprehensive asset inventories that include not only IT components but also industrial control devices, safety systems, and legacy equipment that may not be network-visible[28]. The challenge is particularly acute given that OT environments often feature decades-old equipment alongside cutting-edge sensors and controllers.

The Respond function must be carefully tailored to account for safety and operational constraints. Unlike IT systems that can be immediately isolated, OT response procedures must balance security concerns against operational continuity and safety requirements[27].

IEC 62443: The Gold Standard for OT Security

The IEC 62443 series represents the most comprehensive approach to OT cybersecurity, providing detailed guidance across the entire lifecycle of industrial systems. The standard’s four main categories—General, Policies and Procedures, System, and Component—provide a holistic framework that addresses organizational, technical, and procedural aspects of OT security[29].

The standard’s security level (SL) approach, ranging from SL 0 (no security) to SL 4 (resistant against nation-state attacks), provides a risk-based methodology for determining appropriate security measures[30]. This approach recognizes that not all OT systems require the same level of protection and allows organizations to allocate resources based on risk assessment.

Integration with Incident Response: IEC 62443-2-1 specifically addresses incident response requirements for OT environments, emphasizing the need for procedures that account for safety and operational considerations[29]. The standard requires that incident response plans be tested through exercises and that lessons learned be incorporated into ongoing improvement processes.

NERC CIP: Critical Infrastructure Requirements

For organizations in the electric utility sector, NERC CIP standards provide mandatory requirements for cybersecurity incident response. These standards are particularly relevant because they carry the force of law and are backed by significant financial penalties for non-compliance[31].

NERC CIP standards require specific incident response capabilities including 24/7 monitoring, defined escalation procedures, and coordination with regulatory authorities[32]. The standards also mandate regular testing of incident response capabilities, making tabletop exercises not just best practice but regulatory requirements.

Emerging Trends and Future Considerations

The AI Impact on OT Security

Artificial intelligence is creating both opportunities and challenges for OT cybersecurity. On the defensive side, AI-powered security tools are becoming more effective at detecting anomalous behavior in OT networks and identifying potential threats[33]. However, attackers are also leveraging AI to create more sophisticated and targeted attacks[34].

The integration of AI into OT security must be approached carefully, with consideration for the real-time requirements and safety constraints of industrial environments. AI systems must be designed to minimize false positives that could disrupt operations while maintaining sensitivity to genuine threats.

IT/OT Convergence Acceleration

The traditional air gap between IT and OT networks is largely gone, with over 95% of organizations now reporting some level of IT/OT integration[35]. This convergence brings significant benefits in terms of operational efficiency and data analytics but also creates new attack vectors and incident response challenges.

Future incident response planning must account for this convergence by developing integrated response capabilities that can address incidents spanning both IT and OT domains. This requires not only technical capabilities but also organizational structures that can coordinate response activities across traditional domain boundaries.

Regulatory Evolution

The regulatory landscape for OT cybersecurity continues to evolve rapidly. New requirements are emerging not only in traditional regulated industries but also in sectors that have historically had limited cybersecurity oversight. Organizations must stay current with these evolving requirements and ensure that their incident response capabilities meet both current and anticipated future regulatory standards.

Conclusion: Building Resilient OT Security Through Preparedness

The cybersecurity threat to operational technology environments represents one of the most significant challenges facing critical infrastructure and industrial organizations today. The statistics are clear: attacks are increasing in frequency and sophistication, and the consequences of successful attacks extend far beyond data breaches to include operational disruption, safety hazards, and physical damage.

However, organizations that invest in comprehensive incident response planning and regular exercise programs are demonstrating significantly better outcomes when incidents occur. The key lies in understanding that OT incident response requires specialized approaches that account for the unique characteristics of industrial environments—safety requirements, uptime constraints, and physical consequences that don’t exist in traditional IT environments.

The path forward requires a commitment to several key principles: developing OT-specific incident response capabilities rather than relying solely on IT procedures; conducting regular tabletop exercises that test not only technical response capabilities but also cross-functional coordination and decision-making processes; and staying current with evolving frameworks and standards that provide guidance for OT security.

As the threat landscape continues to evolve and the stakes continue to rise, organizations that prioritize incident response preparedness will find themselves not only better protected against cyber threats but also more resilient in the face of the operational challenges that define modern industrial environments. The investment in preparedness today will prove invaluable when—not if—the next major incident occurs.

The time for hoping that OT systems will remain secure through obscurity or air gaps has passed. The time for comprehensive, tested, and regularly exercised incident response capabilities is now. For those of us who have dedicated our careers to protecting these critical systems, the challenge is clear: we must build the capabilities today that will protect the infrastructure tomorrow.


  1. https://industrialcyber.co/reports/dragos-finds-ransomware-attacks-on-industrial-sector-surge-87-manufacturing-hit-hardest-as-ot-targeting-rises/

  2. https://digitalisationworld.com/news/69413/more-than-600-ransomware-incidents-reported-across-industrial-sectors-in-q4-last-year

  3. https://www.kaspersky.co.uk/about/press-releases/kaspersky-reports-increase-in-ransomware-and-spyware-attacks-on-industrial-systems-in-q2-2024

  4. https://www.otorio.com/blog/industrial-control-system-ics-security-best-practices/

  5. https://www.cyberark.com/resources/solution-briefs/strengthening-operational-technology-security

  6. https://www.securityinfowatch.com/home/whitepaper/53056167/an-executives-guide-to-ot-incident-response

  7. https://zeronetworks.com/blog/ot-security-trends-2025-escalating-threats-evolving-tactics

  8. https://www.infosecurityeurope.com/en-gb/blog/threat-vectors/operational-technologies-biggest-threats.html

  9. https://www.ien.com/software/blog/21013133/security-threats-put-scada-on-thin-ice

  10. https://www.checkpoint.com/downloads/products/top-10-cybersecurity-vulnerabilities-threat-for-critical-infrastructure-scada-ics.pdf

  11. https://www.ecmag.com/magazine/articles/article-detail/industrial-control-systems-open-to-cyberattack

  12. https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/dvlpng-ndnt-rspns-pln/dvlpng-ndnt-rspns-pln-en.pdf

  13. https://www.dragos.com/blog/industry-news/handling-incidents-in-ics-getting-to-the-root-of-the-problem/

  14. https://ritics.org/wp-content/uploads/2024/06/ICS-COI-Considerations-for-Cyber-Incident-Response-Planning-within-ICS-and-OT.pdf

  15. https://drj.com/industry_news/key-developments-in-ot-cybersecurity-what-to-expect-in-2025/

  16. https://www.cbiz.com/insights/article/cybersecurity-lessons-learned-colonial-pipeline

  17. https://www.proarch.com/blog/the-colonial-pipeline-attack-lesson-learned

  18. https://www.forbes.com/sites/edwardsegal/2022/05/07/1-year-later-actions-taken-lessons-learned-since-the-colonial-pipeline-cyberattack/

  19. https://cybermagazine.com/articles/the-rising-concerns-with-ot-security-in-the-digital-world

  20. https://www.aon.com/en/insights/cyber-labs/unveiling-the-dark-side-common-attacks-and-vulnerabilities-in-industrial-control-systems?collection=5b76135e-4196-415b-ab1d-f42b6f0abb10&parentUrl=null

  21. https://insanecyber.com/everything-you-need-to-know-about-ot-tabletop-exercises/

  22. https://uploads.strikinglycdn.com/files/65c3a3ba-0503-4e25-b8d4-852ebcdab357/Cybersecurity ICS Tabletop Exercise 6.22.pdf

  23. https://www.controleng.com/improving-ics-digital-safety-begins-with-a-strategic-tabletop-exercise/

  24. https://www.sans.org/blog/top-5-ics-incident-response-tabletops-and-how-to-run-them

  25. https://securityboulevard.com/2024/11/leveraging-tabletop-exercises-to-enhance-ot-security-maturity/

  26. https://www.sophos.com/en-us/trust/security-tabletop-guidelines

  27. https://www.cybersecuritydive.com/spons/build-more-robust-ot-security-with-the-nist-framework/747462/

  28. https://www.rockwellautomation.com/en-us/company/news/blogs/ot-security-nist-guide.html

  29. https://www.fortinet.com/uk/resources/cyberglossary/iec-62443

  30. https://www.infineon.com/cms/en/product/promopages/iec62443/

  31. https://www.techtarget.com/searchsecurity/definition/North-American-Electric-Reliability-Corporation-Critical-Infrastructure-Protection-NERC-CIP

  32. https://www.nozominetworks.com/compliance/nerc-cip

  33. https://www.axians.co.uk/news/2025-tech-trends-for-ot-and-it-cybersecurity/

  34. https://www.securityweek.com/cyber-insights-2025-ot-security/

  35. https://www.fortinet.com/blog/business-and-technology/key-findings-from-the-fortinet-2025-operational-technology-security-report

  36. https://securitybrief.co.uk/story/manufacturing-sector-hit-hardest-by-ransomware-in-2024

  37. https://www.cybersecurity-insiders.com/two-years-since-the-colonial-pipeline-hack-heres-what-weve-learned/

  38. https://www.securityweek.com/ransomware-attacks-on-industrial-firms-surged-in-q2-2024/

  39. https://www.ansi.org/standards-news/member-updates/2021/07/7-26-21-isa-white-paper-examines-standards-for-operational-technology-environments

  40. https://en.wikipedia.org/wiki/IEC_62443

  41. https://www.armis.com/solution-briefs/nerc-cip-compliance-and-cyber-exposure-management/

  42. https://www.wateronline.com/doc/new-white-paper-applying-iso-iec-and-the-isa-iec-series-for-operational-technology-environments-0001

  43. https://industrialcyber.co/features/the-essential-guide-to-the-iec-62443-industrial-cybersecurity-standards/

  44. https://securityboulevard.com/2023/11/complete-guide-to-nerc-cip/

  45. https://isasecure.org/applying-iso-iec-27001-2-and-the-isa-iec-62443-sta

  46. https://www.isa.org/standards-and-publications/isa-standards/isa-iec-62443-series-of-standards

  47. https://www.netwrix.com/download/documents/NERC_CIP_Requirements.pdf

  48. https://www.isa.org/news-press-releases/2021/july/new-white-paper-applying-iso-iec-27001-2-and-the-i

  49. https://www.akamai.com/glossary/what-is-nerc-cip

  50. https://www.rockwellautomation.com/en-gb/company/news/blogs/iec-62443-security-guide.html

  51. https://www.fortinet.com/resources/cyberglossary/iec-62443

  52. https://www.isa.org/intech-home/2021/december-2021/departments/two-standards-one-integrated-industrial-cybersecur

  53. https://www.phoenixcontact.com/en-pc/iec-62443-the-industrial-cybersecurity-standard

  54. https://www.nerc.com/pa/Stand/Pages/Project-2014-XX-Critical-Infrastructure-Protection-Version-5-Revisions.aspx

  55. https://corsha.com/blog/memory-lane-5-memorable-ot-attacks

  56. https://www.securityweek.com/details-disclosed-for-scada-flaws-that-could-facilitate-industrial-attacks/

  57. https://thecyberexpress.com/ics-vulnerabilities-reported-this-week/

  58. https://www.cyber.gc.ca/sites/default/files/cyber/2021-12/Cyber-Threat-to-Operational-Technology-white_e.pdf

  59. https://preview.affinity.marsh.com/articles/cyberattacks-on-manufacturing-industrial-control-systems.html

  60. https://www.darkreading.com/ics-ot-security

  61. https://threatpost.com/threatlist-attacks-on-industrial-control-systems-on-the-rise/137251/

  62. https://www.fortinet.com/blog/industry-trends/scada-ics-dangers---cybersecurity-strategies

  63. https://www.cyberdefensemagazine.com/new-data-affirms-cyber-threat-for-industrial-control-systems-2/

  64. https://www.fortinet.com/content/dam/fortinet/assets/white-papers/WP-Independent-Study-Pinpoints-Significant-Scada-ICS-Cybersecurity-Risks.pdf

  65. https://pmc.ncbi.nlm.nih.gov/articles/PMC10649322/

  66. https://www.ssh.com/academy/operational-technology-breaches

  67. https://gca.isa.org/blog/why-are-cyberattacks-shifting-to-ics

  68. https://www.nccgroup.com/uk/the-operational-technology-cyber-incident-response-checklist/

  69. https://www.dnv.com/cyber/insights/articles/taking-a-three-step-approach-to-operational-technology-ot-cyber-security-risk-reduction-and-incident-responses/

  70. https://www.iot-now.com/2017/07/28/64264-plan-ics-cybersecurity-incident-response/

  71. https://otifyd.com/services/incident-response/

  72. https://www.cisa.gov/sites/default/files/2024-08/Federal_Government_Cybersecurity_Incident_and_Vulnerability_Response_Playbooks_508C.pdf

  73. https://www.cisa.gov/sites/default/files/FactSheets/NCCIC ICS_FactSheet_Cyber_Incident_Analysis_S508C.pdf

  74. https://www.paloaltonetworks.co.uk/cyberpedia/incident-response-plan

  75. https://cyberenergia.com/incident-response-recovery-plan/

  76. https://cheshireandmerseyside.nhs.uk/media/rpgpre1m/cm-ics-cyber-strategy-v11.pdf

  77. https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/dvlpng-ndnt-rspns-pln/index-en.aspx

  78. https://hub.dragos.com/whitepaper/incident-response-for-operational-technology

  79. https://www.cisa.gov/sites/default/files/2023-01/final-RP_ics_cybersecurity_incident_response_100609.pdf

  80. https://sikercyber.com/shop/industrial-control-systems-ics/ics202-ics-security-incident-response-fundamentals/

  81. https://www.sans.org/cyber-security-courses/ics-visibility-detection-response

  82. https://securityboulevard.com/2023/05/setting-up-an-ot-ics-incident-response-plan/

  83. https://www.sans.org/posters/industrial-control-system-cyber-incident-response/

  84. https://www.cisa.gov/topics/industrial-control-systems

  85. https://www.slideshare.net/slideshow/industrial-control-systems-and-incident-response/254091347

  86. https://www.cisecurity.org/insights/white-papers/six-tabletop-exercises-prepare-cybersecurity-team

  87. https://www.youtube.com/watch?v=l4ec0SjfcH8

  88. https://www.cisa.gov/resources-tools/services/cisa-tabletop-exercise-packages

  89. https://www.ics4ics.org

  90. https://www.youtube.com/watch?v=20fdE4aJyDI

  91. https://www.first.org/global/sigs/ics/

  92. https://www.opentext.com/media/service-overview/cybersecurity-tabletop-exercise-sro-en.pdf

  93. https://www.pluralsight.com/labs/aws/respond-to-an-ics-attack

  94. https://digital.nhs.uk/cyber-and-data-security/training/cyber-incident-response-exercise

  95. https://www.cisa.gov/sites/default/files/publications/Cybersecurity-Tabletop-Exercise-Tips_508c.pdf

  96. https://www.aon.com/en/capabilities/cyber-resilience/cyber-security-tabletop-exercises

  97. https://qmro.qmul.ac.uk/xmlui/bitstream/handle/123456789/93044/He The Agile Incident Response 2021 Accepted.pdf?sequence=2&isAllowed=y

  98. https://www.nist.gov/news-events/news/2023/09/nist-publishes-guide-operational-technology-ot-security

  99. https://www.centraleyes.com/glossary/ot-cyber-risk-framework/

  100. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf

  101. https://www.sygnia.co/blog/incident-response-best-practices/

  102. https://www.tufin.com/blog/understanding-operational-technology-ot-cyber-security

  103. https://csrc.nist.gov/pubs/sp/800/82/r3/ipd

  104. https://www.trout.software/resources/tech-blog/how-to-build-an-incident-response-plan-for-ics

  105. https://www.ssh.com/academy/operational-technology/navigating-ot-security-standards-guide-to-safer-operations

  106. https://www.industrialdefender.com/resources/ot-compliance-guide-nist-cybersecurity-framework

  107. https://www.sans.org/blog/four-keys-to-effective-ics-incident-response/

  108. https://www.ncsc.gov.uk/collection/operational-technology

  109. https://www.industrialdefender.com/blog/ot-cybersecurity-the-ultimate-guide

  110. https://simspace.com/blog/top-5-ot-security-standards-and-how-to-implement-them-effectively/

  111. https://www.cisa.gov/resources-tools/resources/ics-recommended-practices

  112. https://evalian.co.uk/securing-operational-technologies/

  113. https://insurica.com/blog/colonial-pipeline-ransomware-attack/

  114. https://www.cisa.gov/news-events/news/attack-colonial-pipeline-what-weve-learned-what-weve-done-over-past-two-years

  115. https://www.honeywell.com/us/en/press/2025/06/ransomware-attacks-targeting-industrial-operators-surge-46-percent-in-one-quarter-honeywell-report-finds

  116. https://securitybrief.co.nz/story/manufacturing-sector-hit-hardest-by-ransomware-in-2024-q4

  117. https://vmblog.com/archive/2025/01/15/armexa-2025-predictions-notable-ot-cybersecurity-developments-in-2024-and-key-trends-shaping-2025.aspx

  118. https://www.techrepublic.com/article/one-year-colonial-pipeline-attack-learned/