Many SOAR platforms can orchestrate IT incident response automatically—isolate a host, disable an account, block a domain. In OT, automation is tempting but dangerous. You cannot automatically shut down a PLC or disconnect a critical sensor without understanding the consequences. Building effective SOAR playbooks for industrial systems means embracing orchestration where it's safe and inserting human decision points where it's not.
We've seen organizations deploy SOAR systems into OT environments with the same automation principles they use in IT. The result: a playbook that isolates a network segment without checking whether that segment contains safety-critical devices, or one that blocks all outbound traffic from a control subnet, breaking remote engineering connections that the organization depends on for emergency response. Automation without context is a liability in OT.
Where Automation Works in OT
Data collection and enrichment are safe automation tasks. Your playbook should automatically gather network telemetry, asset inventory data, and process history. It should enrich alerts with context—which facility does this asset belong to, which process does it support, what's the criticality ranking. This happens fast, offline, and without touching any control system. Similarly, alerting and escalation are appropriate for automation. Log an event, notify the SOC, page the on-call engineer, open a ticket. These actions don't alter system state.
Containment actions are where you need careful orchestration. Automating network isolation of a VLAN suspected of hosting lateral movement is reasonable—but only if your playbook first checks whether that VLAN contains any safety systems or critical sensors. If it does, the automation should halt and route to a human for decision-making. You automate the data gathering and escalation, not the enforcement.
Key Design Principles for OT SOAR
- Understand your process dependencies: Before writing a playbook, map which monitoring and control functions depend on which network segments and devices. A playbook that blocks a subnet should cross-check this map first.
- Build in confirmation gates: Critical actions—disconnecting an interface, blocking traffic, restarting a device—should require explicit human approval from an authorized OT engineer, not just a SOAR rule.
- Test in a safe environment: Never deploy a containment playbook to production without first running it against a replica network. You need to know exactly what happens when that playbook executes.
- Log everything, audit constantly: Every action your SOAR system takes on an OT asset should be logged with timestamp, approver, and justification. This is essential for compliance and for post-incident review.
Integration Points That Matter
The most valuable SOAR integrations for OT are asset discovery tools, network TAPs and packet brokers, and your SIEM. A playbook that pulls context from your asset inventory and correlates alerts with network flows gives your team situational awareness without requiring manual investigation. Consider integrations with your industrial firewall, your OT-specific IDS, and your historians if they expose APIs. Each integration should follow the principle of observe-first, with automation layered carefully on top.
Building effective OT SOAR requires deep understanding of both incident response and industrial control systems. Many SOAR vendors and systems integrators have IT backgrounds and miss the unique constraints that OT introduces. We've helped utilities and manufacturers design and implement SOAR playbooks that accelerate response without introducing new risks. Contact us to review your SOAR strategy.
This article was written by the Cascadia OT Security practice, which advises Pacific Northwest data centers and manufacturers on industrial cybersecurity. For engagement inquiries, reach our practice team.