Regardless of the status of your OT incident response plan, from non-existent to mature and tested, this week’s task is to identify the OT incident response team members. If you had an OT cyber incident, who would you involve in the response? List them and their roles / areas of expertise in the plan.

Do you have access to the talent and roles required to respond to an OT cyber incident? What is missing?

Many of the roles will be the same for IT and OT: you will need legal, investor and media relations, executive management, and likely some IT and IT security staff. There will also be some members specific to OT cyber incidents, such as Operations Managers, Engineers, and Technicians.

One area that deserves special attention is the expertise to evaluate what the attacker has done in your OT environment. OT forensics and investigation is a specialized, and thankfully rarely needed, field. It’s common for asset owners to hire experts from Mandiant, Dragos, and other specialty firms for this role. Can you fill this role quickly if an OT cyber incident occurs? Should you have access to these capabilities on a retainer basis?

Note: The Security Log Management information from Week 43 will be a big help to the OT forensic investigation specialists.
Person | Department | Title | OT Incident Response Role