implementing-ot-incident-response-playbook
Installation
SKILL.md
Implementing OT Incident Response Playbook
When to Use
- When building OT-specific incident response procedures for the first time
- When existing IT IR playbooks do not address ICS/SCADA-specific requirements
- When preparing for OT ransomware scenarios like EKANS or LockerGoga
- When aligning IR procedures with IEC 62443 and NERC CIP incident reporting requirements
- When conducting post-incident reviews to improve OT IR capabilities
Do not use for IT-only incident response without OT components (use standard NIST 800-61 playbooks), for day-to-day OT security monitoring (see implementing-dragos-platform-for-ot-monitoring), or for tabletop exercise design (see performing-ics-tabletop-exercise).
Prerequisites
- OT asset inventory with criticality ratings and safety system identification
- Defined roles: OT IR Lead, IT SOC Analyst, Plant Operations Manager, Process Safety Engineer
- Communication plan including out-of-band channels (OT incidents may compromise IT communications)
- Known-good backups of PLC programs, HMI configurations, and historian data
- Contact information for ICS vendors, Dragos/Claroty support, and CISA ICS-CERT