The process and team for handling cybersecurity incidents. In an OT scenario, Incident Response (IR) means the procedures to follow when a control system is suspected of being compromised or attacked. This could involve isolating affected systems (without unintentionally halting the plant), investigating malware on an HMI, coordinating with operations to shut down safely if needed, and recovering systems. IR in ICS has the added complexity of potential safety and process impacts. Many organizations create an IR plan specific to their ICS, and some have a designated ICS-CERT or similar partnership to draw on for expertise. Having an IR plan ensures you’re not scrambling without a clue when something bad happens in your OT network.