What is OT/ICS Incident Response?  

Incident response is the practice and technology to react to potential indicators of threats.  These indicators can be triggered by a SIEM (Security Information and Event Management) or from ICS/DCS alarms, from endpoint detection dashboards, or by technicians or operators seeing abnormal behavior in the physical process.  Types of incidents include:

  • Anomalous physical process behaviors
  • Indicators of compromise from security event monitoring
  • Anomalous endpoint behaviors

Responding to incidents is the process of diagnosing root causes, designing appropriate reactive measures, and taking action to secure or resolve an incident. These actions can include:

  • Stop a process, machine or line
  • Disconnect a port
  • Remove inappropriate software
  • Remove users or accounts

What makes OT/ICS Incident Response different?

The biggest difference is the potential for physical impact of both the incident as well as the response. Incident Response in OT/ICS must take into account the potential to impact supply chains, production output, other connected processes, etc. The consequence of both the incident and any response needs careful assessment by people knowledgeable about the process and the control systems used to ensure incidents and responses are analyzed and acted on appropriately.

Verve OT/ICS Incident Response

Detect threats, operational anomalies, and compliance gaps to enhance incident response time with an integrated SIEM and endpoint management platform

  • Endpoint Status

    Include hundreds of variables about each endpoint to improve analysis and response planning

  • Real-Time Behavioral Data

    Detailed time series data on logs, syslog, netflow, device performance, etc.

  • ICS/DCS Alarm Data

    Integrated visibility to current and past alarms for root cause analysis and incident handling

  • Security Signatures

    Detections based on known behavioral risks

  • Compliance

    NERC CIP, CIS 20, NIST CSF and other compliance checks standard out-of-the-box

  • Think Global:Act Local

    Architecture built for OT/ICS scalability across sites but with response actions activated by operators that understand the systems and the risks

  • Ticketing Systems

    Integration between Verve and popular ticketing/response systems such as SNOW and others

  • Third-Party Alarms and Alerts

    Integration with AV, whitelisting, backups and other security components to provide rich data for incident analysis

  • Remove Users

    Remove users or accounts that are causing incidents

  • Closer Ports & Services

    Close ports on HMIs, servers, networking equipment, etc.

  • Operator-Controlled Actions

    All actions confirmed with insight from operations to avoid negative impact from response actions

Benefits of Verve Incident Response

Faster Response Time

Verve’s closed-loop actions and integrated database means faster time ti root cause and faster time to response

Learn More

Built-In OT/ICS Experience

Built by ICS engineers who understand process and potential incident impact

Learn More

Simpler Process

Integrated database across all information simplifies analysis and response planning

Learn More

Request a Demo

Speak with a Verve security expert to see how to effectively respond to incidents in your ICS environment.

Request a Demo