Respond to and Recover from OT Cybersecurity Incidents
Overview
This standard defines the competencies required to respond to and recover from cybersecurity incidents affecting Operational Technology (OT) environments. It includes identifying, triaging, containing, analysing, and recovering from incidents in ways that protect operational continuity, safety functions, and industrial processes. It also incorporates non-intrusive forensic techniques, chain-of-custody practices, safety-baseline validation, and applicable incident-notification requirements.
This standard is intended for OT cybersecurity responders, engineers, and operational staff responsible for managing cybersecurity incidents across industrial systems.
Performance criteria
You must be able to:
- Identify and triage OT cybersecurity incidents to determine severity, safety impact, and required response actions.
- Contain OT cybersecurity incidents to limit operational disruption and maintain system control.
- Coordinate incident-response activities with OT, safety, engineering, and cybersecurity teams.
- Conduct non-intrusive OT forensic analysis to support investigation and evidence preservation.
- Support evidence collection and chain-of-custody processes in line with organisational and legal requirements.
- Communicate incident status and impacts to internal stakeholders and regulatory bodies as required.
- Support recovery actions to restore safe OT operations.
- Validate recovered OT systems to confirm integrity, operational readiness, and alignment with safety baselines.
- Document incident findings and lessons learned in accordance with organisational and regulatory processes.
- Review incident-response processes to identify improvement opportunities.
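The chain-of-custody, evidence-preservation and safety-baseline validation criteria above are stated as competencies rather than mechanics. The following is an added illustration, not part of this standard, of what those look like in practice: an evidence record whose custody log is hash-chained so that later alteration of an earlier entry is detectable, a hand-over step that re-hashes the artefact before the receiver accepts it, and a check of a recovered controller configuration against its approved safety baseline. The artefact bytes, the baseline values, the handler names and the timestamps are all constructed for the example; the field names (`high_pressure_trip_bar`, `estop_circuit_enabled`, `logic_program_sha256`) are hypothetical and not drawn from any real product.

```python
"""Chain-of-custody log and safety-baseline validation (added example, not from the standard)."""
import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64  # prev_hash of the first custody entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class EvidenceRecord:
    evidence_id: str
    description: str
    sha256: str                              # hash of the artefact at acquisition
    events: list = field(default_factory=list)  # hash-chained custody log

    def _append(self, event: dict) -> None:
        prev = self.events[-1]["entry_hash"] if self.events else GENESIS
        body = dict(event, prev_hash=prev)
        # The entry hash covers the event fields and the previous entry's hash, so
        # editing or deleting an earlier entry invalidates every later one.
        body["entry_hash"] = sha256_hex(json.dumps(body, sort_keys=True).encode())
        self.events.append(body)


def acquire(evidence_id: str, description: str, data: bytes, handler: str, when: str) -> EvidenceRecord:
    """Record a non-intrusively collected artefact (e.g. a passive capture) and its hash."""
    rec = EvidenceRecord(evidence_id, description, sha256_hex(data))
    rec._append({"action": "acquired", "by": handler, "at": when, "sha256": rec.sha256})
    return rec


def verify_log(rec: EvidenceRecord) -> bool:
    """Walk the custody log and confirm every entry still chains to the one before it."""
    prev = GENESIS
    for entry in rec.events:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body["prev_hash"] != prev:
            return False
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


def transfer(rec: EvidenceRecord, data: bytes, giver: str, receiver: str, when: str) -> None:
    """Hand evidence over. The receiver re-hashes the artefact and checks the log before accepting."""
    if not verify_log(rec):
        raise ValueError(f"{rec.evidence_id}: custody log has been altered")
    current = sha256_hex(data)
    if current != rec.sha256:
        raise ValueError(f"{rec.evidence_id}: artefact hash changed ({current} != {rec.sha256})")
    rec._append({"action": "transferred", "from": giver, "to": receiver, "at": when, "sha256": current})


def validate_against_baseline(recovered: dict, baseline: dict) -> list:
    """Return human-readable deviations of a recovered config from its approved safety baseline."""
    deviations = []
    for key, expected in baseline.items():
        actual = recovered.get(key, "<missing>")
        if actual != expected:
            deviations.append(f"{key}: expected {expected!r}, found {actual!r}")
    for key in sorted(recovered.keys() - baseline.keys()):
        deviations.append(f"{key}: not in baseline")  # unapproved parameter introduced during recovery
    return deviations


# Constructed sample data for the example (not a real capture or baseline).
SPAN_CAPTURE = b"constructed SPAN-port capture: Modbus/TCP fc=16 write to unit 3, regs 40001-40004"
SAFETY_BASELINE = {
    "high_pressure_trip_bar": 12.5,     # hypothetical interlock setpoint
    "estop_circuit_enabled": True,
    "logic_program_sha256": "a" * 64,   # placeholder hash of the approved logic program
}
RECOVERED_CONFIG = {
    "high_pressure_trip_bar": 15.0,     # raised above the approved trip point
    "estop_circuit_enabled": True,
    "logic_program_sha256": "a" * 64,
}


def demo():
    rec = acquire("EV-001", "Passive capture of PLC VLAN", SPAN_CAPTURE,
                  "OT responder", "2024-01-01T10:00:00Z")
    transfer(rec, SPAN_CAPTURE, "OT responder", "Forensics lab", "2024-01-01T12:00:00Z")
    log_ok = verify_log(rec)
    deviations = validate_against_baseline(RECOVERED_CONFIG, SAFETY_BASELINE)
    return log_ok, deviations


if __name__ == "__main__":
    ok, devs = demo()
    print("custody log intact:", ok)
    for d in devs:
        print("baseline deviation:", d)
```

The point of the hash chain is that the log itself is evidence: a signed or witnessed copy of the last `entry_hash` is enough to show that no earlier entry was changed. The baseline check is deliberately strict in both directions, since a parameter that appears in the recovered configuration but not in the approved baseline is as much a finding as a changed setpoint.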
Knowledge and Understanding
You need to know and understand:
- Types of OT cybersecurity incidents and relevant indicators.
- Methods for identifying and triaging OT incidents and prioritising response based on operational and safety impacts.
- Containment strategies suitable for OT environments.
- Techniques for analysing incident causes in OT systems.
- Forensic principles and non-intrusive techniques for OT environments, including chain-of-custody.
- Communication and escalation methods including regulatory notification requirements.
- Procedures for restoring OT system integrity and operational continuity.
- Methods for validating system state following recovery.
- Reporting requirements relevant to OT cyber incidents.
- Lessons-learned processes for improving incident-response readiness.
- The relationship between OT cybersecurity incidents, functional safety, and process integrity.
- Legal and regulatory requirements related to incident response and evidence handling.
Scope/range
Scope Performance
Scope Knowledge
Values
Behaviours
Skills
Glossary
Incident Triage
The process of assessing and prioritising incidents based on severity, impact, and required response actions.
Non-Intrusive Forensics
Forensic techniques that gather evidence without disrupting OT operations or affecting safety-critical processes.
Chain of Custody
A documented record of who collected, handled, stored, and transferred each item of digital evidence, and when, so that its integrity can be demonstrated later.
Indicators of Compromise (IoCs)
Observable signs that an OT asset, system, or process may be compromised.
Firmware Manipulation
Unauthorised modification of firmware on OT devices.
Incident Notification Requirements
Legal or regulatory obligations to report certain types of cybersecurity incidents.
Operational Continuity
Maintaining essential OT processes and control functions during and after an incident.