
Incident Response Plan for ICS: act before disaster

Industrial Control System (ICS) Incident Response Plan: acting before it's too late is essential


Table of contents

  • ICS Cyber security: introduction to the ICS incident response plan
  • What is an Incident Response Plan for ICS
  • Essential Components of a Robust Incident Response Plan
  • The role of the response team and detection tools
  • Practical examples of ICS Incident Response Plan
  • Backup Management in ICS Environments
  • OT Network Segmentation: A critical action
  • Prepare with simulations and tabletop exercises
  • Lessons from past incidents: lessons learned
  • Integration with Threat Intelligence and SIEM
  • Don’t wait for the incident

ICS Cyber security: introduction to the ICS incident response plan

When it comes to critical infrastructure and industrial control systems (ICS), it’s not a question of if a cyber incident will happen, but when. And when it does, the difference between a manageable outage and an operational disaster will depend on whether or not you have a structured, up-to-date, and tested ICS Incident Response Plan.

In this article, we will explore how to prepare an incident response plan specific to OT and ICS environments, analyzing concrete examples, the responsibilities of the response team, managing network segmentation, backups and the importance of integration with intrusion detection and threat intelligence systems.

What is an Incident Response Plan for ICS

An ICS Incident Response Plan is an operational document that defines procedures, resources and responsibilities for addressing cyber security incidents in industrial control systems.

Unlike traditional IT environments, where priorities may include data recovery or business continuity, in ICS and OT environments, physical security, continuity of critical processes and the integrity of industrial infrastructure are at stake.

These plans must take into account the fragility of devices such as PLCs, SCADAs and RTUs, which often lack native security mechanisms, and the difficulty of applying patches in continuous production environments.

Essential Components of a Robust Incident Response Plan

A robust incident response plan for industrial environments must include:

  • Up-to-date asset inventory
    Know exactly which industrial control systems (ICS) are present and how they are interconnected.
  • Defined roles and responsibilities
    Each member of the response team must know their role, including who is authorised to make operational decisions (e.g. shutting down machines).
  • Identification and analysis procedures
    Understanding the incident, analyzing indicators of compromise, alerts from intrusion detection systems and logs from security information and event management (SIEM).
  • Containment and isolation strategies
    How to quickly isolate a compromised part of the OT network using network segmentation techniques.
  • Recovery and recommissioning
    Backup planning, periodic restore testing, control software updates.
  • Lessons learned
    Document the incident, update the plan, improve the security posture.

The role of the response team and detection tools

Incident response teams must be composed of a mix of IT and OT personnel. OT personnel know how the machines and processes work, while IT personnel are trained in managing digital incidents. Collaboration between these two worlds is crucial.

Example: during a ransomware attack that hit the IT network, OT technicians isolated the PLCs using physical switches and emergency protocols.

Tools such as SIEM, IDS, firewall logs and ICS-specific network sensors (e.g. Nozomi Networks, Claroty, Dragos) help in early detection and understanding the potential impacts of the attack.

Practical examples of ICS Incident Response Plan

A typical ICS response plan may include the following scenarios:

  • Scenario A: Compromise via infected USB
    • Physical isolation of the system
    • Malware Forensics Analysis
    • HMI and PLC cleanup
    • Firmware integrity check
  • Scenario B: Remote attack via compromised VPN
    • Disconnecting VPNs
    • RDP and SSH access control
    • Check system and network logs
    • Threat intelligence integration to identify the actor
  • Scenario C: Ransomware in IT Threatens OT as Well
    • Network segmentation
    • Check PLC file integrity
    • Restore from offline backup
    • Communication to the competent authorities (e.g. CSIRT Italy)

Backup Management in ICS Environments

Backups in ICS environments cannot be treated as they are in the IT world. Programmable Logic Controller (PLC), SCADA and HMI configurations must be backed up regularly, but restore tests must take place in controlled environments, for example through virtual simulations. The essentials are:

  • Offline and immutable backups
  • Checksums to verify the integrity of each backup
  • Automated backups, with a manually kept log of what was backed up and when
  • Accurately documented firmware versions and configurations
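The checksum bullet above and the "Check PLC file integrity" step of Scenario C both come down to the same mechanism: record a cryptographic hash of every backup next to the operator-recorded firmware version, and compare against it before any restore. The following is an added example, not code from the article; the file names, firmware versions and file contents are constructed sample data, and the manifest format is an assumption.

```python
"""Added example, not code from the article: build a checksum manifest for
PLC/HMI/RTU configuration backups and detect a backup that has been altered
or lost. All file names, firmware versions and file contents are constructed."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of_file(path: Path) -> str:
    """Hash in chunks so a large HMI project archive is never fully loaded in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_dir: Path, assets: dict) -> dict:
    """assets maps a backup file name to the metadata an operator records by hand
    (asset tag, firmware version); the checksum and size are computed here."""
    files = {}
    for name, meta in assets.items():
        path = backup_dir / name
        files[name] = dict(meta, sha256=sha256_of_file(path), size=path.stat().st_size)
    return {"created": datetime.now(timezone.utc).isoformat(), "files": files}


def verify_manifest(backup_dir: Path, manifest: dict) -> dict:
    """Return {file name: 'ok' | 'modified' | 'missing'} for every manifest entry."""
    results = {}
    for name, entry in manifest["files"].items():
        path = backup_dir / name
        if not path.exists():
            results[name] = "missing"
        elif sha256_of_file(path) != entry["sha256"]:
            results[name] = "modified"
        else:
            results[name] = "ok"
    return results


def demo() -> dict:
    """Constructed walkthrough: three backups, manifest written to disk, then one
    backup silently overwritten and one deleted; returns the verification result."""
    with tempfile.TemporaryDirectory() as tmp:
        backup_dir = Path(tmp)
        (backup_dir / "plc-line1-program.bin").write_bytes(b"\x01\x02 constructed PLC project image")
        (backup_dir / "hmi-station2-project.zip").write_bytes(b"constructed HMI project archive")
        (backup_dir / "rtu-pump3-config.xml").write_bytes(b"<config>constructed</config>")
        assets = {
            "plc-line1-program.bin": {"asset": "PLC-LINE1", "firmware": "v2.8.1 (constructed)"},
            "hmi-station2-project.zip": {"asset": "HMI-ST2", "firmware": "v15.1 (constructed)"},
            "rtu-pump3-config.xml": {"asset": "RTU-PUMP3", "firmware": "v4.0 (constructed)"},
        }
        manifest = build_manifest(backup_dir, assets)
        # The manifest travels with the offline/immutable copy, next to the backups.
        (backup_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))

        # What a later restore test must catch: one file altered, one file lost.
        (backup_dir / "plc-line1-program.bin").write_bytes(b"\x01\x02 tampered PLC project image")
        (backup_dir / "rtu-pump3-config.xml").unlink()

        stored = json.loads((backup_dir / "manifest.json").read_text())
        return verify_manifest(backup_dir, stored)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

Keeping the manifest on the same offline medium as the backups is the point of the design: an attacker who can alter the online copy of a PLC program cannot also rewrite the hash the restore test compares against.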

OT Network Segmentation: A critical action

Implementing effective network segmentation means dividing networks into logical segments (zones) and applying restrictive communication policies (e.g. zone-to-zone firewalls). The guiding principle is “need to connect”, not “nice to have”. Connections between ICS and IT should only occur via industrial DMZs and intermediate servers (jump servers).

The ISA/IEC 62443 standard is a useful reference model: it describes multi-level architectures and the segmentation of industrial processes.
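The "need to connect" principle is easiest to enforce when it is written down as an explicit allow-list of zone-to-zone conduits with everything else denied, so that an observed flow export can be audited against it. The block below is an added example in that spirit, not code from the article or from the ISA/IEC 62443 standard; the zone names, subnets, permitted services and sample flow records are all constructed assumptions.

```python
"""Added example, not from the article: a default-deny zone-to-zone conduit
policy, in the spirit of the zones-and-conduits model, used to audit observed flows.
Zone names, subnets, services and the sample flow records are all constructed."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Zones (assumed subnets). The same names are used for the conduits below.
ZONES = {
    "enterprise_it": [ip_network("10.0.0.0/16")],
    "industrial_dmz": [ip_network("10.10.0.0/24")],   # jump server, historian relay
    "supervisory": [ip_network("192.168.10.0/24")],   # SCADA servers and HMIs
    "control": [ip_network("192.168.20.0/24")],       # PLCs and RTUs
}

# Explicit conduits: (source zone, destination zone, service). "Need to connect" only;
# every zone-to-zone flow not listed here is denied.
CONDUITS = {
    ("enterprise_it", "industrial_dmz", "tcp/3389"),  # RDP to the jump server only
    ("industrial_dmz", "supervisory", "tcp/3389"),    # jump server onward to an HMI
    ("supervisory", "control", "tcp/502"),            # SCADA/HMI polls PLCs over Modbus/TCP
    ("supervisory", "industrial_dmz", "tcp/443"),     # historian replication out through the DMZ
}


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it belongs to no defined zone."""
    addr = ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in net for net in nets):
            return zone
    return None


def evaluate(src_ip: str, dst_ip: str, service: str) -> Tuple[str, str]:
    """Return ('allow' | 'deny', reason). Addresses outside every zone are denied, not guessed."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "deny", "address outside every defined zone"
    if src == dst:
        return "allow", f"intra-zone traffic in {src}"
    if (src, dst, service) in CONDUITS:
        return "allow", f"conduit {src}->{dst} {service}"
    return "deny", f"no conduit {src}->{dst} for {service}"


def audit(flows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run observed flows (e.g. exported from a firewall or OT sensor) through the
    policy and return the ones that should not exist."""
    violations = []
    for flow in flows:
        verdict, reason = evaluate(flow["src"], flow["dst"], flow["service"])
        if verdict == "deny":
            violations.append(dict(flow, reason=reason))
    return violations


# Constructed flow export used for the demonstration.
SAMPLE_FLOWS = [
    {"src": "10.0.5.7", "dst": "10.10.0.10", "service": "tcp/3389"},       # IT -> jump server: fine
    {"src": "192.168.10.3", "dst": "192.168.20.5", "service": "tcp/502"},  # HMI -> PLC Modbus: fine
    {"src": "10.0.5.7", "dst": "192.168.20.5", "service": "tcp/502"},      # IT host straight to a PLC
    {"src": "192.168.20.5", "dst": "10.0.5.7", "service": "tcp/443"},      # PLC initiating towards IT
    {"src": "203.0.113.9", "dst": "192.168.10.3", "service": "tcp/3389"},  # unknown address to an HMI
]


if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS):
        print(f"DENY {v['src']} -> {v['dst']} {v['service']}: {v['reason']}")
```

Running the audit regularly against real flow exports turns the segmentation design into something measurable: each violation is either a firewall rule that is too broad or a conduit that was never documented, and both belong in the plan.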

Prepare with simulations and tabletop exercises

A plan on paper is not enough. It is essential to conduct periodic exercises, both in the form of technical simulations and as tabletop exercises, during which team members simulate responses to plausible scenarios. For example:

  • An attack on the SCADA system that manages the temperature in a thermal power plant
  • An unexpected interruption in Modbus communications
  • A frozen or locked HMI display

During these exercises, response times, correctness of actions and communication between teams are evaluated.

Lessons from past incidents: lessons learned

Every incident leaves behind traces of what went wrong and what could have gone better. It is essential to draw up post-incident reports that contain:

  • Response phase timing
  • Activated communications (internal, customers, authorities)
  • Problems encountered in defining roles
  • Future changes to the plan

A case in point is the attack on the drinking water control system in Florida (2021), where an intruder attempted to increase the levels of caustic soda. The alarm raised by an attentive operator prevented damage. After the event, the city installed new IDS systems and segmented the networks.

Integration with Threat Intelligence and SIEM

An effective ICS Incident Response Plan cannot ignore the use of up-to-date threat intelligence, ICS-CERT CVE reports, and indicator of compromise feeds. This data, integrated into SIEM systems, allows:

  • Detecting suspicious activity
  • Automating the initial response
  • Creating alerts specific to the OT environment
  • Analysis of threat trends over time
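What "integrated into SIEM systems" looks like in practice is a set of correlation rules that join the intelligence feed and the asset inventory against the log stream, so that an alert is specific to the OT environment rather than a generic firewall event. The block below is an added example of such rules, not code from the article or from any SIEM product; the indicator feed, host roles, log format and log lines are constructed sample data.

```python
"""Added example, not from the article: correlation rules of the kind a SIEM would
express, run over constructed firewall/OT-sensor log lines. The indicator feed,
host roles, log format and log lines are all constructed sample data."""
import re
from typing import Dict, List

# Constructed indicator feed (what a threat-intelligence integration would supply).
IOC_IPS = {"203.0.113.9", "198.51.100.77"}

# Assumed roles from the asset inventory: only these hosts may talk Modbus/TCP to PLCs.
AUTHORISED_MODBUS_CLIENTS = {"192.168.10.3", "192.168.10.4"}  # SCADA server, engineering station
PLC_ADDRESSES = {"192.168.20.5", "192.168.20.6"}

# Modbus function codes that write to a device (single/multiple coil and register writes).
MODBUS_WRITE_CODES = {5, 6, 15, 16}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Constructed line format: '<timestamp> <sensor> key=value key=value ...'."""
    ts, sensor, rest = line.split(" ", 2)
    fields = dict(KV_RE.findall(rest))
    fields.update(ts=ts, sensor=sensor)
    return fields


def evaluate_event(ev: Dict[str, str]) -> List[str]:
    """Return the name of every rule the event triggers (possibly several)."""
    hits = []
    # Rule 1: either endpoint appears in the indicator feed.
    if ev.get("src") in IOC_IPS or ev.get("dst") in IOC_IPS:
        hits.append("ioc-match")
    # Rule 2: Modbus/TCP reaching a PLC from a host that is not an authorised client.
    if ev.get("dport") == "502" and ev.get("dst") in PLC_ADDRESSES \
            and ev.get("src") not in AUTHORISED_MODBUS_CLIENTS:
        hits.append("modbus-from-unauthorised-host")
    # Rule 3: a write function code seen by the OT sensor from an unauthorised host.
    fc = ev.get("modbus_fc")
    if fc is not None and int(fc) in MODBUS_WRITE_CODES \
            and ev.get("src") not in AUTHORISED_MODBUS_CLIENTS:
        hits.append("modbus-write-from-unauthorised-host")
    return hits


def run_detections(lines: List[str]) -> List[Dict[str, str]]:
    """Apply the rules to each line and return one alert record per rule hit."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        for rule in evaluate_event(ev):
            alerts.append({"rule": rule, "ts": ev["ts"], "sensor": ev["sensor"],
                           "src": ev.get("src", "?"), "dst": ev.get("dst", "?")})
    return alerts


# Constructed sample log lines from an OT firewall, a DMZ firewall and an OT network sensor.
SAMPLE_LOGS = [
    "2024-05-03T10:15:22Z fw-ot src=192.168.10.3 dst=192.168.20.5 proto=tcp dport=502 action=allow",
    "2024-05-03T10:15:40Z fw-ot src=10.0.5.7 dst=192.168.20.5 proto=tcp dport=502 action=allow",
    "2024-05-03T10:16:05Z fw-dmz src=203.0.113.9 dst=10.10.0.10 proto=tcp dport=3389 action=deny",
    "2024-05-03T10:16:30Z ot-sensor src=10.0.5.7 dst=192.168.20.6 proto=tcp dport=502 modbus_fc=6 action=observed",
    "2024-05-03T10:17:00Z ot-sensor src=192.168.10.4 dst=192.168.20.6 proto=tcp dport=502 modbus_fc=16 action=observed",
]


if __name__ == "__main__":
    for a in run_detections(SAMPLE_LOGS):
        print(f"{a['ts']} {a['rule']:36} {a['src']} -> {a['dst']} ({a['sensor']})")
```

The second and third rules only work because they consult the asset inventory: without a maintained list of which hosts are allowed to issue Modbus writes, a SIEM can see the traffic but cannot say whether it is the engineering station doing its job or something that needs the response team.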

Don’t wait for the incident

Every company with ICS systems must act before an incident occurs. A robust incident response plan, validated and kept up to date, not only reduces the impact of an attack but can make the difference between a simple outage and irreversible damage to critical infrastructure.

Engaging OT and IT teams, investing in training, testing plans, and integrating advanced detection and response tools are necessary steps to address the growing wave of cyber threats hitting the industrial world.


Questions and answers

  1. What is an Incident Response Plan for ICS?
    It is an operational plan to respond to cyber incidents in industrial control systems, limiting damage and downtime.
  2. What is the difference between an ICS and an IT plan?
    ICS environments require different priorities: protection of physical security and business continuity come before data protection.
  3. Who should be part of an incident response team?
    Both IT and OT experts, with clearly defined roles and responsibilities.
  4. What does network segmentation mean in OT?
    Separation of ICS networks from IT networks to contain the propagation of threats.
  5. How do you manage backups in ICS environments?
    Frequent, offline backups, with restore tests in separate environments.
  6. What are tabletop exercises?
    Theoretical simulations where the team discusses how to respond to attack scenarios.
  7. What tools help in detecting ICS incidents?
    SIEM, intrusion detection systems, and OT-specific sensors.
  8. How important is threat intelligence?
    It is essential to prevent attacks and update defenses proactively.
  9. How often should the plan be updated?
    At least once a year or after each major incident.
  10. Should the plan be tested?
    Yes, through real or simulated exercises to verify timing, effectiveness and coordination.