The first 90 minutes of an operational technology incident are not like IT security incidents. Your response during this window determines whether you're managing a contained problem or fighting a facility-wide shutdown. At Cascadia OT Security, we've worked through dozens of breaches and unplanned events—and timing is everything.
Most industrial organizations have no formal incident response plan specific to OT assets. They treat an industrial control system breach like a ransomware incident on their corporate network, which is a critical mistake. OT systems operate on different timescales, have different constraints, and require different containment strategies. The stakes—human safety, environmental impact, production loss—are higher and more immediate.
The First Call: What Needs to Happen
When your SOAR platform or analyst detects unusual activity on your PLC network or SCADA historian, the first action is not damage assessment; it is verification. Your first goal is confirmation: is this real, or is it a false positive? Simultaneously, you need to notify your on-site OT leadership and, if critical infrastructure regulations apply, your compliance officer. By the end of the first 15 minutes, you should have a dedicated incident commander, a documented timeline, and a go/no-go decision on whether to initiate the full playbook.
Do not assume you can "observe and contain" an OT breach like you would in IT. Many critical systems don't pause gracefully. If your incident response plan hasn't accounted for how to safely isolate a Purdue Level 1 or 2 control system without triggering a cascade failure, you will make the situation worse by moving too fast.
Core Actions in Minutes 1–30
- Declare the incident: Get your incident commander, OT lead, and operations manager in a war room (virtual or physical).
- Preserve evidence: Begin logging all system behavior and network traffic; do not yet restart or reboot any system.
- Verify scope: Confirm which control systems are affected. A single compromised edge device is not the same as a compromised engineering workstation with PLC access.
- Check safety systems: Confirm that interlocks, alarms, and emergency shutdown systems are still functioning. This is non-negotiable.
Minutes 30–90: Stabilization
By minute 30, you should know whether you're in a containment scenario or a recovery scenario. If the threat is contained to a single VLAN or device, you can begin surgical isolation. If the threat has spread to process networks, you may need to execute a controlled shutdown or transition to manual operations. Your runbook must have pre-authorized decision points and clear escalation to plant management and executive leadership.
In this window, forensics takes a back seat to stabilization. You can collect artifacts later. Right now, your job is to prevent further damage and maintain a safe state. Communication is critical: every 15 minutes, your incident commander should issue a status update to stakeholders covering what we know, what we are doing, and what we expect in the next hour.
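The decision gates described in the two sections above (triage before isolation, the 15-minute go/no-go, safety systems confirmed before anything is isolated, single device or VLAN versus process-network spread, pre-authorized shutdown, and the 15-minute status cadence) can be encoded as a small runbook-as-code model. The following is an added example written for this article; it is not Cascadia OT Security's tooling or any product's API. The asset names, Purdue levels, VLAN labels and the scope rules are constructed assumptions that mirror the article's categories.

```python
"""Decision gates for the first 90 minutes of an OT incident.

Added illustration, not Cascadia OT Security's tooling. Asset names, Purdue
levels, VLAN labels and thresholds below are constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional, Tuple

# Constructed reference clock so the walkthrough is reproducible offline.
T0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)


def at(minutes: float) -> datetime:
    """Wall-clock time `minutes` after the incident was declared."""
    return T0 + timedelta(minutes=minutes)


class Action(Enum):
    VERIFY = "triage: confirm the alert is real before isolating anything"
    STAND_DOWN = "false positive: stand down, keep the timeline"
    HOLD_SAFETY = "hold: interlocks/alarms/ESD not confirmed, do not isolate"
    SURGICAL_ISOLATION = "contained: isolate the affected device or VLAN"
    CONTROLLED_SHUTDOWN = "process network reached: controlled shutdown / manual ops"
    ESCALATE = "process network reached, shutdown not pre-authorized: escalate"


@dataclass(frozen=True)
class Asset:
    name: str
    purdue_level: int            # 0-2 = process control, 3+ = site operations
    vlan: str
    plc_write_access: bool = False


@dataclass
class Incident:
    declared_at: datetime
    shutdown_preauthorized: bool                 # decision point signed off in the runbook
    confirmed_real: Optional[bool] = None        # None until triage decides
    safety_systems_verified: bool = False        # interlocks, alarms, ESD checked
    evidence_capture_started: bool = False       # logging/traffic capture running
    affected: List[Asset] = field(default_factory=list)
    timeline: List[Tuple[datetime, str]] = field(default_factory=list)
    last_status_update: Optional[datetime] = None

    def log(self, now: datetime, event: str) -> None:
        self.timeline.append((now, event))

    def minutes_elapsed(self, now: datetime) -> float:
        return (now - self.declared_at).total_seconds() / 60


def classify_scope(affected: List[Asset]) -> str:
    """Map the affected set onto the article's scope categories."""
    if not affected:
        return "none"
    vlans = {a.vlan for a in affected}
    # Anything at Purdue level 0-2, or with a PLC write path, can reach the process.
    process_reach = any(a.purdue_level <= 2 or a.plc_write_access for a in affected)
    if process_reach and len(vlans) > 1:
        return "process_network"
    if len(vlans) == 1:
        return "single_device" if len(affected) == 1 else "single_vlan"
    return "multi_vlan"  # spread across VLANs but still above the process layer


def recommend(inc: Incident, now: datetime) -> Tuple[Action, List[str]]:
    """Return the next gated action plus the reasons, evaluated in runbook order."""
    reasons: List[str] = []
    if not inc.evidence_capture_started:
        reasons.append("start system/traffic logging; no reboots until capture runs")
    if inc.confirmed_real is None:
        if inc.minutes_elapsed(now) > 15:
            reasons.append("go/no-go decision overdue (>15 min since declaration)")
        return Action.VERIFY, reasons
    if inc.confirmed_real is False:
        return Action.STAND_DOWN, reasons
    if not inc.safety_systems_verified:
        reasons.append("safety systems unconfirmed; isolating L1/L2 risks a cascade")
        return Action.HOLD_SAFETY, reasons
    scope = classify_scope(inc.affected)
    reasons.append(f"scope={scope}")
    if scope == "process_network":
        return (Action.CONTROLLED_SHUTDOWN if inc.shutdown_preauthorized
                else Action.ESCALATE), reasons
    return Action.SURGICAL_ISOLATION, reasons


def status_update_due(inc: Incident, now: datetime,
                      every: timedelta = timedelta(minutes=15)) -> bool:
    """Commander briefs stakeholders every 15 minutes; first brief at declaration."""
    if inc.last_status_update is None:
        return True
    return now - inc.last_status_update >= every


def reboot_allowed(inc: Incident) -> bool:
    """Restart/reboot stays blocked until capture is running and triage is done."""
    return inc.evidence_capture_started and inc.confirmed_real is not None


if __name__ == "__main__":
    inc = Incident(declared_at=T0, shutdown_preauthorized=False)
    inc.log(T0, "declared")
    print(recommend(inc, at(20)))      # VERIFY, go/no-go overdue
    inc.confirmed_real, inc.evidence_capture_started = True, True
    inc.affected = [Asset("hist-01", 3, "vlan-30")]
    print(recommend(inc, at(25)))      # HOLD_SAFETY until interlocks are confirmed
    inc.safety_systems_verified = True
    print(recommend(inc, at(30)))      # SURGICAL_ISOLATION, scope=single_device
    inc.affected.append(Asset("eng-ws-02", 3, "vlan-20", plc_write_access=True))
    print(recommend(inc, at(40)))      # ESCALATE: process reach, no pre-authorization
```

The ordering inside `recommend` is the point: evidence capture and triage come before any isolation, the safety-system check gates every containment action, and a process-network scope only yields a shutdown recommendation when that decision point was pre-authorized in the runbook; otherwise the model escalates rather than guessing.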
The teams that handle industrial incidents well don't improvise. They've run tabletop exercises, they've practiced isolation procedures on test networks, and they have a documented chain of command. If you're starting from zero, now is the time to reach out to our team. We help utilities, water systems, and manufacturers build playbooks that work in the chaos of a real incident. Contact us to schedule a response readiness assessment.
This article was written by the Cascadia OT Security practice, which advises Pacific Northwest data centers and manufacturers on industrial cybersecurity. For engagement inquiries, reach our practice team.