What is OT/ICS Incident Response?
Incident response is the practice, and the supporting technology, of reacting to potential indicators of threats. These indicators can be raised by a SIEM (Security Information and Event Management) system, by ICS/DCS alarms, by endpoint detection dashboards, or by technicians or operators noticing abnormal behavior in the physical process. Types of incidents include:
- Anomalous physical process behaviors
- Indicators of compromise from security event monitoring
- Anomalous endpoint behaviors
Responding to an incident is the process of diagnosing its root cause, designing appropriate reactive measures, and taking action to secure or resolve it. These actions can include:
- Stop a process, machine or line
- Disconnect a port
- Remove inappropriate software
- Remove users or accounts
What makes OT/ICS Incident Response different?
The biggest difference is the potential for physical impact from both the incident and the response. Incident response in OT/ICS must take into account the potential to affect supply chains, production output, other connected processes, and so on. The consequences of both the incident and any response need careful assessment by people knowledgeable about the process and the control systems in use, to ensure that incidents and responses are analyzed and acted on appropriately.
Verve OT/ICS Incident Response
Detect threats, operational anomalies, and compliance gaps to improve incident response time with an integrated SIEM and endpoint management platform.