OT Cybersecurity Incident Response: ICS4ICS Roles and Responsibilities
Discover how ICS4ICS is transforming OT cybersecurity incident response. Learn the key roles, responsibilities, and why every second matters when critical infrastructure is under attack.

As industrial operations continue to embrace digital transformation, Operational Technology (OT) systems—which control and monitor critical physical processes—are becoming increasingly vulnerable to cyber threats. Unlike IT systems, OT environments often lack mature cybersecurity controls, making them attractive targets for attackers. A successful cyberattack can result in physical damage, safety risks, operational disruption, and significant financial losses. In this high-stakes context, a well-structured, role-based incident response plan is essential.
This whitepaper introduces a comprehensive OT cyber incident response model that integrates globally recognized standards, including ISA/IEC 62443, NIST SP 800-82r3, NIST SP 800-61r2, and ISO/IEC 27001, while operationalizing the response using FEMA’s Incident Command System (ICS) and industry-specific enhancements from the ICS4ICS initiative. The framework focuses on establishing clear roles and responsibilities across both corporate and site-level teams—such as Incident Commander, Safety Officer, and Operations Section Chief—and aligning actions through the Planning “P” cycle to ensure a coordinated, safe, and timely response.
An example case study involving ransomware at a gas-fired power plant demonstrates the effectiveness of this approach, highlighting zero downtime, rapid containment, and regulatory alignment. By adopting this model, organizations can enhance cyber resilience, improve safety and communication during incidents, and minimize the impact of OT cyber events on production, compliance, and reputation.
Introduction
The growing demand for real-time reporting, remote access, and centralized control is accelerating the convergence of Information Technology (IT) and Operational Technology (OT) across industrial environments. This integration enhances efficiency, visibility, and automation – but also introduces new cybersecurity challenges. The growing interdependence blurs the boundaries that once provided natural protection for OT systems. Physical isolation and perimeter-based protection are no longer sufficient, as the OT environments are now exposed to digital entry points that can bypass conventional safeguards. To effectively manage these risks, organizations must adopt a structured approach that clearly outlines the roles, cross-function coordination, and rapid communication. A well-structured incident response framework ensures that both IT and OT teams are prepared to act decisively when every second counts.
Regulations and Standards
A strong OT incident response program must align with globally recognized standards and regulations that promote cybersecurity resilience. Below are key references that influence the proposed model:
The ISA/IEC 62443 series is a gold standard focused on the security of Industrial Automation and Control Systems (IACS). Developed by the International Society of Automation (ISA) and adopted by the International Electrotechnical Commission (IEC), it emphasizes defense in depth, risk-based segmentation into zones and conduits, a security lifecycle with risk assessments, and a Security Level (SL)-based approach to technical requirements.
NIST SP 800-82 rev3 provides guidance on Industrial Control System (ICS) security, focusing on OT-specific threat modeling, recommendations for network segmentation, and OT risk assessment and control measures. Its incident response framework is derived from NIST SP 800-61 but adapted to OT constraints, including availability and physical process integrity.
NIST SP 800-61 rev2 establishes the general incident response lifecycle phases: preparation, detection, analysis, containment, eradication, recovery, and post-incident activities. Although IT-focused, many of its practices are applicable to OT environments.
The ISO/IEC 27035 series focuses on information security incident management across the enterprise. It supports the integration of OT incident metrics into enterprise risk registers and encourages the creation of incident response teams with clearly defined SLAs.
FEMA ICS (Incident Command System) introduces a standardized, scalable approach to emergency response, emphasizing chain of command, resource management, and multi-agency coordination.
ICS4ICS Initiative adapts FEMA ICS for industrial environments, aligning site-level OT incident response with corporate oversight. It introduces unified command structures, operational period planning, and incident-specific documentation tailored for OT.
Roles and Responsibilities
Effective OT cybersecurity incident response depends not only on technology but on clearly defined roles that function under stress and ambiguity. The following structure draws from the FEMA ICS and ICS4ICS frameworks, tailored for OT-specific requirements.
The CMT (Crisis Management Team) is a corporate-level group composed of senior executives, including the CEO, COO, CISO, Chief Risk Officer, Chief Legal Officer, Head of OT/Plant Manager, and Head of Communications. It is responsible for activating the crisis response structure, assigning or confirming the Incident Commander, approving critical business decisions such as operational shutdowns, ensuring business continuity and regulatory compliance, and managing external communications and stakeholder engagement.
A Unified Command Group may be established when no single jurisdiction, agency, or organization has the primary authority and/or the resources to manage an incident independently. This group typically consists of representatives from key functions such as IT, OT, Legal, Compliance, and PR. The Unified Command structure integrates the site-level Incident Commander with corporate oversight to form a single, cohesive command system. This structure ensures joint situational awareness, consistent communication, and aligned decision-making across operational and executive levels. The primary goal of the Unified Command Group is to maintain organizational visibility, ensure regulatory and legal compliance, and facilitate a rapid and effective response to cyber incidents that may impact both plant operations and the broader organization.
Incident Commander (IC) is responsible for leading and coordinating the overall cybersecurity incident response, typically designated as the OT Security Manager or CISO at the site level per the organization’s Incident Response Plan. The IC activates the Incident Command System (ICS), assigns roles, maintains situational awareness, and directs coordination with internal and external stakeholders. All incidents—regardless of severity—must be reported to the IC to ensure proper documentation, escalation, and cross-functional alignment. The IC oversees containment, investigation, recovery, and communication activities, ensuring they align with strategic goals and regulatory obligations. This role also interfaces with the Crisis Management Team, participates in Unified Command if needed, and approves the Incident Action Plan (IAP), ensuring a risk-informed, safety-focused response across all involved parties.
Command Staff positions—including the Public Information Officer (PIO), Safety Officer, and Liaison Officer—support the Incident Commander (IC) or Unified Command by managing strategic communications, safety, and external coordination during an incident. These roles are activated based on the complexity of the event, maintaining the flexibility and scalability of the Incident Command System (ICS). By appropriately scaling Command Staff roles, organizations ensure effective coordination without compromising safety or compliance.
The Public Information Officer (PIO) is a member of the Command Staff who oversees all external communications, ensuring accurate and timely messaging to the media, regulators (e.g., BSSN, NERC, SKK Migas), and the public. The PIO coordinates with response teams, manages press releases, monitors media, and ensures unified messaging through a Joint Information Center (JIC) when needed.
The Safety Officer is a member of the Command Staff who monitors and enforces safety protocols during incident response, working to minimize risks to personnel, infrastructure, and the environment. This role, often held by a senior HSE officer, advises the IC, develops the Incident Safety Plan, and has the authority to halt unsafe operations.
The Liaison Officer acts as the designated point of contact between the IC and external entities, including regulators, law enforcement, vendors, and mutual aid partners. Typically assigned to a senior official with external affairs experience, this role ensures timely regulatory notifications, facilitates coordination, and maintains communication logs for compliance.
Operations Section Chief leads the tactical execution of incident response activities, reporting directly to the Incident Commander. This role oversees containment, eradication, and recovery efforts by coordinating OT engineers, IT forensics teams, and vendors to isolate threats and restore operations safely. As the first section typically activated, Operations holds the largest share of response resources and may include staging areas and specialized technical units. The Chief ensures actions align with the Incident Action Plan (IAP), manages system shutdowns or failovers, and supervises backup restoration and validation. In complex or multi-site incidents, Deputy Operations Chiefs may be assigned to maintain coordination. By bridging OT and IT efforts, the Operations Section Chief plays a pivotal role in delivering a safe, timely, and technically effective response.
Planning Section Chief oversees the development and continual refinement of the Incident Action Plan (IAP), supporting situational awareness, and coordinating recovery planning using the Planning “P” cycle. This role serves as the central point for collecting and analyzing incident data, managing documentation, and integrating technical expertise—such as SCADA engineers or malware analysts—into the response. Supporting units include the Situation Unit (incident data and status reporting), Resources Unit (personnel and equipment tracking), Documentation Unit (records and IAP preparation), and Demobilization Unit (resource release in prolonged incidents). The Planning Section Chief ensures that operations are informed, data-driven, and adaptable, while laying the foundation for effective post-incident review and recovery.
The Logistics Section Chief oversees all support services, tools, and third-party coordination essential for sustaining effective incident response, particularly in complex OT cybersecurity scenarios. This includes managing OEM/vendor access, specialized tools, diagnostic equipment, SLAs, and licensing to prevent response delays. The Logistics Section is organized into two major branches. The Service Branch includes the Communications Unit (manages incident communications), Medical Unit (medical care and planning), and Food Unit (meal delivery across sites); the Support Branch consists of the Supply Unit (procurement and inventory), Facilities Unit (setup and security of the Incident Command Post and staging areas), and Ground Support Unit (transportation, maintenance, and traffic management). By proactively managing logistics and vendor dependencies, the Logistics Section ensures uninterrupted response operations, accelerating recovery while controlling cost and complexity.
Finance/Admin Section Chief manages all financial, contractual, and administrative functions during an incident, including cost tracking, vendor agreements, and insurance coordination. This role ensures proper documentation of emergency expenses and supports compliance with financial reporting and reimbursement requirements. The section comprises four units: Time Unit (tracks personnel and equipment usage), Procurement Unit (manages contracts and vendor fiscal matters), Compensation/Claims Unit (handles financial issues from damages or injuries), and Cost Unit (monitors expenditures and advises on cost efficiency). In smaller incidents, specific functions—such as cost analysis—may be assigned to a Technical Specialist within the Planning Section rather than activating the full Finance/Administration Section. This scalable approach supports financial accountability while preserving operational agility during OT cybersecurity incidents.
Operational Period Planning Cycle (Planning P)
Following the assignment of roles and activation of the Incident Command System (ICS) structure, incident response efforts must follow a disciplined planning process that ensures an effective, coordinated, and scalable response—particularly within critical infrastructure environments. Borrowed from FEMA’s Incident Command System (ICS), the Operational Period Planning Cycle, also known as the Planning “P”, provides a structured timeline for managing resources, decisions, and communication in evolving incidents.
The Planning “P” serves as a visual and procedural guide that assists the Incident Command team in developing an Incident Action Plan (IAP) for each Operational Period—a defined interval of time, typically 8 to 12 hours or aligned with shift cycles.
Steps in the Planning “P” Applied to OT Cyber Incidents
Initial Notification and Assessment: The Planning “P” process begins with incident recognition—typically triggered by SOC alerts, anomaly detection systems, or field-level reports. Once a potential OT cybersecurity incident is identified, it is escalated to the Incident Commander (IC), who activates the ICS structure, notifies key stakeholders, and performs a rapid impact assessment across safety, environmental, operational, and regulatory domains. Based on this assessment, the OT Incident Response Team (OT-IRT) is activated, and initial ICS roles are assigned.
Incident Briefing: The IC conducts a briefing with Command and General Staff to share key facts, system status, and immediate threats. The Safety Officer outlines physical hazards and any operational restrictions, while the Liaison Officer reviews external reporting obligations, such as notifications to ICS-CERT or national regulators. This briefing ensures informed early decision-making and establishes a foundation for coordinated response actions.
Unified Command and Strategy Meeting (if needed): For multi-stakeholder environments—such as joint OT/IT incidents, third-party involvement, or regulatory exposure—a Unified Command may be formed. Strategic alignment between stakeholders (e.g., IT, operations, legal, OEM vendors) is critical to ensure a coordinated response.
IC/UC Develops/Updates Incident Objectives: IC leads a meeting with Section Chiefs to define response priorities: ensure safety, maintain process control, isolate impacted systems, initiate regulatory notification, and prevent lateral threat movement. This meeting ensures the response effort is driven by shared, realistic, and risk-informed goals that protect both digital and physical assets.
Tactics Meeting: Led by the Operations Section Chief, the Tactics Meeting brings together Planning, Logistics, and Safety Section Chiefs to refine and validate tactical steps for containment, eradication, and recovery. The OT Operations Chief outlines proposed actions, which are reviewed for feasibility, resource readiness, and safety. The Safety Officer evaluates risks to personnel and system stability, while Logistics confirms availability of critical support such as OEM access and diagnostic tools. This meeting ensures that all tactical actions are executable within the OT environment and aligned with response priorities—forming the technical foundation of the next Operational Period’s Incident Action Plan (IAP).
Planning Meeting: Led by the Planning Section Chief, the Planning Meeting unites all Section Chiefs and key Technical Specialists to finalize the response strategy for the next operational period. It ensures tactical decisions align with logistics, safety, communications, regulatory obligations, and financial constraints. Operations confirms resource feasibility; Safety enforces risk mitigations; Logistics validates tool and vendor readiness; Liaison ensures external communications are integrated; and Finance/Admin confirms cost controls and contractual limits. This meeting secures cross-functional alignment and results in a finalized Incident Action Plan (IAP), which serves as the operational blueprint for coordinated execution.
IAP Preparation and Approval: The Planning Section Chief compiles input from all ICS functions into the Incident Action Plan (IAP), detailing tactical objectives, safety measures, resource allocations, communications, and regulatory requirements for the next operational period. The Incident Commander (IC) reviews the IAP to ensure alignment with strategic goals and operational conditions. The Safety Officer confirms that risk mitigations are in place, while the Liaison Officer verifies external coordination and reporting requirements. Once approved by the IC, the IAP becomes the definitive guide for unified and coordinated incident response execution.
Operational Period Briefing: Led by the Incident Commander (IC) with support from Section Chiefs, the Operational Period Briefing ensures that all response teams—OT engineers, IT forensics, field technicians, and third-party vendors—clearly understand their assignments, sequencing, safety protocols, and communication channels. The briefing covers execution timelines, escalation paths, inter-team dependencies, and known hazards. While grounded in the Incident Action Plan (IAP), it also incorporates real-time updates to maintain flexibility. This briefing formally transitions the response effort from planning to execution, ensuring operational alignment and readiness across all tactical personnel.
Execute Plan and Assess Progress: The Operations Section oversees execution of containment, eradication, and recovery tasks by coordinating OT, IT, and vendor teams. The Planning Section tracks progress, documents deviations from the Incident Action Plan (IAP), and updates situational awareness. The Safety Officer monitors for emerging risks, ready to pause operations if safety is compromised. The Incident Commander (IC) and Section Chiefs evaluate ongoing effectiveness and make tactical adjustments as needed. At the close of the operational period, the IC leads an After-Action Review to assess outcomes, capture lessons learned, and refine the response strategy—ensuring continuous improvement and disciplined execution throughout the incident lifecycle.
The Planning “P” cycle provides a structured, repeatable framework that brings clarity, accountability, and adaptability to OT cybersecurity incident response. In high-stress scenarios—such as ransomware attacks during peak industrial operations—it replaces reactive firefighting with coordinated, informed action. By embedding engineering realities, cybersecurity discipline, safety oversight, and regulatory compliance into each phase, the Planning “P” transforms crisis management into a disciplined, adaptive operational cycle. This approach enables organizations to mitigate cyber-physical risks without compromising uptime, safety, or compliance—ultimately enhancing the resilience and reliability of critical infrastructure systems in an increasingly complex threat landscape.
Example Case Study: Coordinated Ransomware Response in a Power Generation Plant
At 03:42 AM, operator terminals at a Southeast Asian gas-fired power plant began displaying ransomware lockout messages. Simultaneously, alarms activated across several HMIs, and data historians stopped updating. OT anomaly detection tools flagged lateral movement across engineering workstations. This plant controlled five turbines producing over 700 MW for regional distribution. A shutdown could destabilize the grid and lead to cascading outages. Recognizing a serious OT cyber event, the control room supervisor triggered the emergency protocol, escalating the incident to the Plant Security Manager, who assumed the role of Incident Commander (IC). The IC activated the following ICS4ICS-aligned roles:
- Operations Section Chief: Lead DCS Engineer
- Planning Section Chief: Senior IT/OT Architect
- Safety Officer: HSE Supervisor
- Liaison Officer: Compliance Manager
- Public Information Officer (PIO): Corporate Communication Lead
- Logistics Section Chief: Supply Chain Director
- Finance/Admin Section Chief: Finance Director
At 03:50 AM, an initial incident briefing was conducted to establish shared situational awareness. Early assessments confirmed that ransomware had compromised several engineering workstations and HMI terminals, but there were no immediate safety threats to turbine systems. The Safety Officer confirmed that critical process controls remained intact, while the Liaison Officer prepared regulatory notifications under NERC CIP and energy sector CERT guidelines.
At 04:30 AM, the IC convened the Objectives Meeting with all section chiefs. The response priorities were clearly defined: preserve personnel and plant safety, maintain critical generation operations (target: 300 MW output), isolate affected VLAN segments, and meet mandatory reporting deadlines within 60 minutes. The Operations Section Chief outlined the technical containment strategy, while the Safety Officer flagged potential hazards associated with automated system restarts.
The Tactics Meeting followed at 05:00 AM, where the Planning and Operations Chiefs coordinated a safe path for containment and recovery. The Logistics Chief confirmed the availability of OEM vendor support, isolation tools, and backup restoration media. Simultaneously, the Liaison Officer initiated coordination with regulatory bodies and OEM partners.
By 05:30 AM, the Planning Meeting finalized the Incident Action Plan (IAP), integrating all tactical steps, resource allocations, safety mitigations, and communication protocols. The Finance/Admin Section outlined service thresholds and financial controls for vendor involvement. Once validated by the Liaison and Safety Officers, the IAP was approved by the IC at 06:00 AM.
Shortly after, at 06:15 AM, an Operations Briefing was delivered to all field personnel, including OT engineers and third-party support vendors. The briefing emphasized containment steps, communication timelines, safety boundaries (e.g., no reboots without turbine pressure clearance), and escalation points. Field teams then began executing the IAP at 06:30 AM, initiating forensic imaging of compromised HMIs and restoring validated backups to maintain system continuity.
As the operational period progressed, the Planning Section monitored implementation and collected real-time situational updates. By 07:30 AM, two of the three HMIs were successfully restored without disrupting turbine operations. At 08:30 AM, a mid-shift review confirmed that segmentation had successfully halted ransomware propagation, and that the root cause—a phishing email exploiting a contractor’s VPN credentials—was being investigated.
Finally, at 10:00 AM, the IC conducted a Hotwash (After-Action Review) to evaluate performance against objectives, capture lessons learned, and plan the next operational cycle. The response transitioned smoothly into the second Planning “P” cycle, setting new objectives around forensic completion, hardened email gateways, and VPN credential revocation.
The pre-established ICS4ICS structure enabled seamless coordination among plant operators, cybersecurity teams, OEM vendors, and regulatory authorities. The unified response—guided by ICS4ICS principles and the Planning “P” cycle—not only preserved operational continuity but also improved the plant’s overall cyber resilience posture. This case demonstrated how disciplined, cross-functional planning can transform a potentially catastrophic cyber event into a manageable, well-contained incident.
How ITSEC Asia can help
ITSEC Asia can provide significant support to industrial and critical infrastructure organizations in the OT (Operational Technology) sector during the preparation for, response to, and recovery from cybersecurity incidents. ITSEC Asia is also officially certified by ICS4ICS for two key incident management roles: Incident Commander and Operations Section Chief. These certifications, supported by the use of recognized ICS4ICS digital badges, demonstrate ITSEC Asia's hands-on experience and authority in applying FEMA ICS structures within industrial cybersecurity environments. This positions the organization to not only advise but also actively lead during incident response efforts across IT and OT domains.
- Cybersecurity Program Development: ITSEC Asia assists organizations in developing a cybersecurity program, defining clear OT/ICS cybersecurity roles (e.g., Incident Commander, Safety Officer, OT Response Lead), and aligning policies and procedures with ISA/IEC 62443-2-1 and NIST SP 800-82 rev3.
- Incident Response Planning: ITSEC Asia assists in building and operationalizing OT Incident Response Plans (IRPs), including customized playbooks, escalation matrices, and cross-functional coordination workflows, to ensure swift, structured, and effective incident response.
- Tabletop Exercise: Leveraging ICS4ICS and ISA frameworks, ITSEC Asia helps design and conduct OT-focused tabletop exercises to validate readiness, clarify roles, and simulate real-world scenarios.
- Risk Assessment: ITSEC Asia supports organizations in performing a comprehensive asset inventory and grouping assets into zones and conduits, then evaluating the OT assets using ISA/IEC 62443-3-2 and 3-3 to define appropriate Security Levels (SL-T and SL-A) and identify gaps across zones and conduits.
- Training & Awareness: ITSEC Asia provides structured training and awareness tailored to ICS/OT environments, giving a clear separation of IT and OT responsibilities and risks, building awareness of regulatory expectations, and enhancing coordination between engineering, security, and operations teams.
- Post-Incident Response and Lessons Learned: Following a cyber incident, ITSEC Asia facilitates structured After-Action Reviews (AARs) and conducts forensic assessments and root cause analysis. Insights gathered during these post-incident activities are used to refine policies, improve response playbooks, and strengthen technical controls—ensuring that lessons learned drive ongoing resilience.
Conclusions
In the face of escalating threats targeting industrial control systems, an effective OT cybersecurity incident response demands more than technical expertise—it requires structured coordination, clear roles, and standardized planning. Leveraging the Incident Command System (ICS) as adapted by FEMA and the ICS4ICS initiative, organizations can operationalize response workflows in alignment with proven emergency management models. When mapped to cybersecurity frameworks such as ISA/IEC 62443, NIST SP 800-82, NIST SP 800-61r2, and ISO/IEC 27001, this approach ensures that both technical controls and procedural safeguards are addressed across safety, compliance, and recovery domains. The use of the Planning “P” provides a repeatable and scalable cycle that balances cybersecurity actions with process stability and regulatory obligations—critical in sectors where downtime is not an option. As demonstrated in the power plant case study, integrating these standards and frameworks through ICS4ICS roles enables faster containment, safer recovery, and clearer communication with external partners. Ultimately, disciplined planning, practiced roles, and cross-functional coordination are key to protecting critical infrastructure in today’s cyber-physical threat landscape. ITSEC Asia directly supports these capabilities by aligning its services with core ICS/ICS4ICS roles:
- Incident Commander: ITSEC helps design escalation protocols and governance frameworks.
- OT Analysts & Forensics Teams: Deliver real-time detection, containment, and recovery.
- Public Information & Liaison Officers: Support regulatory reporting and external coordination.
- Safety Officer & SME Support: Ensure physical and process safety during cyber response.
- Scribe & Documentation Lead: Enable legal defensibility and post-incident compliance.
Ultimately, mature OT incident response is not just about tools—it's about people, process, and readiness. By adopting this structured model and rehearsing it through regular tabletop exercises, organizations can dramatically reduce downtime, protect human safety, and maintain trust in critical infrastructure operations.
References
ICS4ICS: Incident Command System for Industrial Control Systems. Available: https://www.ics4ics.org/