
ICS/OT Incident Response in the Era of Living-off-the-Land Attacks

Why Industrial Cyber Response Must Be Engineering-Led and Safety-First

Authored by Dean Parsons

Traditional IT incident response plans are built for environments dominated by general-purpose operating systems where isolating hosts, pulling network cables, killing processes, or reimaging systems is tolerable. Those assumptions do not hold in ICS/OT.

Some industrial control system components run traditional operating systems and help support the environment, but many more do not. Those systems cannot be rapidly rebuilt with IT processes, and they cannot be taken offline without impacting safety, reliability, and physical processes.

Applying IT-centric IR actions in OT—such as aggressive containment, indiscriminate isolation, or automated shutdowns—can halt production, damage equipment, or create unsafe operating conditions.

This creates a massive and dangerous gap in critical infrastructure defense. ICS/OT incidents require response plans built around engineering context, process awareness, and operational continuity, not IT recovery playbooks. Without purpose-built ICS/OT incident response planning, organizations risk turning a cyber event into a self-inflicted control system outage.

ICS/OT Incident Response is Different from IT Incident Response

According to the 2025 SANS State of ICS/OT Security Survey, more than one in five organizations reported an ICS/OT cyber incident in the past year, with many causing operational disruption and extended recovery timelines.

While detection and containment times have improved across some industrial sectors, remediation and safe recovery remain persistent challenges. This gap highlights a core reality many organizations are still grappling with: ICS/OT incident response is fundamentally different from traditional IT incident response. ICS/OT demands a tailored approach, and traditional IT incident response controls and processes can sometimes cause more harm than good when applied directly to industrial environments.

In IT environments, incident response is typically optimized around confidentiality, data protection, and rapid isolation of compromised systems. That approach works well for IT, and it should not change. In ICS/OT environments, however, priorities shift. Safety and operational integrity come first, followed closely by reliability. Taking an HMI, PLC, or protection relay offline, isolating a production line segment, or terminating access at the wrong time may reduce cyber risk, but it can also introduce immediate physical risk, disrupt critical services, or create unsafe process conditions.

As a result, ICS/OT incident response must be engineering-led, process-aware, and deeply informed by how industrial systems actually operate.

Containment Does Not Always Mean a Facility Shutdown

One of the most important distinctions in ICS/OT incident response is that containment does not always mean shutdown. If a threat is understood, constrained, and not actively impacting the physical process, maintaining controlled operations while containing the threat may be safer than aggressive isolation or shutdown. This requires real-time situational awareness and close coordination among cybersecurity teams, engineers, operators, and leadership.

When IT personnel are responsible for ICS/OT security without understanding these nuances, response actions are more likely to cause additional damage. Anyone responsible for an ICS/OT SOC or incident response function must be trained specifically in ICS/OT incident response.

Organizations that involve, or lead with, ICS/OT engineering and operations staff in incident response planning and exercises consistently report stronger readiness and faster recovery. Their response decisions are grounded in engineering and process realities rather than traditional IT security assumptions.

The Rise of Living-off-the-Land ICS Attacks: Key Defensive Priorities to Consider

Industrial incidents are no longer dominated by malware alone. Increasingly, adversaries rely on living-off-the-land (LotL) techniques, abusing legitimate engineering systems, tools, credentials, and control system functionality already present in ICS/OT environments. These attacks are often far more difficult to detect than traditional malware-based intrusions.

Adversaries often move from IT into OT using valid credentials, trusted remote access paths, or shared identity infrastructure. Once inside the ICS network, they can leverage standard engineering software, HMIs, scripting tools such as PowerShell, and industrial protocols to interact directly with physical processes. No vulnerability, exploit, or custom malware is required if authorized access, often obtained through stolen credentials, already exists.

Real-world incidents demonstrate this clearly, from power distribution disruptions to water treatment system intrusions. In these cases, adversaries manipulated HMIs, issued legitimate control system protocol commands, or reprogrammed controllers using standard engineering workflows. In such scenarios, traditional security tools like anti-malware agents frequently fail because nothing appears overtly malicious from a software perspective.

From a defensive standpoint, several priorities consistently stand out when addressing living-off-the-land risk:

  • Network segmentation aligned to the Purdue Model to enable containment without unsafe shutdowns
  • ICS-aware remote access controls with strong monitoring and governance
  • Protocol-aware visibility to detect unauthorized control activity
  • Engineering change monitoring and baselining
  • Regular, scenario-driven incident response exercises involving engineers and operators
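The third and fourth priorities above, protocol-aware visibility and engineering change baselining, are the ones that catch living-off-the-land activity when anti-malware agents see nothing. The following is an added example, written for this article and not code from SANS or from the author: it runs a simple baseline check over constructed Modbus/TCP flow records (the CSV format, host addresses, controller, and register ranges are all hypothetical) and flags write operations that either come from a host outside the engineering baseline or touch registers outside the range that normal engineering changes use. The output is a list of alerts an ICS responder and a process engineer can review together, rather than an automated block or shutdown.

```python
import csv
from io import StringIO

# Standard Modbus function codes that change controller state (reads are
# routine polling and are not alerted on).
WRITE_FUNCS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}

# Constructed baseline (assumption, not from the article): which hosts may write
# to which controller, and which 0-based PDU register addresses a normal
# engineering change is expected to touch.
BASELINE = {
    "10.10.3.5": {                    # hypothetical process-cell PLC
        "writers": {"10.10.2.10"},     # hypothetical engineering workstation
        "write_ranges": [(0, 15)],     # setpoint block changed during normal work
    },
}

# Constructed sample of protocol-aware sensor records; not a real capture.
SAMPLE_RECORDS = """ts,src,dst,unit,func,addr,qty
2026-01-14T08:00:01Z,10.10.2.10,10.10.3.5,1,3,0,16
2026-01-14T08:00:05Z,10.10.2.10,10.10.3.5,1,16,0,4
2026-01-14T08:02:17Z,10.10.2.10,10.10.3.5,1,6,40,1
2026-01-14T08:03:44Z,10.10.1.22,10.10.3.5,1,16,0,4
2026-01-14T08:03:50Z,10.10.1.22,10.10.3.5,1,3,0,16
"""


def parse_records(text):
    """Parse the hypothetical CSV flow-record format into dicts with typed fields."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        rows.append({
            "ts": row["ts"], "src": row["src"], "dst": row["dst"],
            "unit": int(row["unit"]), "func": int(row["func"]),
            "addr": int(row["addr"]), "qty": int(row["qty"]),
        })
    return rows


def in_baseline_range(addr, qty, ranges):
    """True if the whole written span [addr, addr+qty-1] lies inside one baselined range."""
    end = addr + qty - 1
    return any(lo <= addr and end <= hi for lo, hi in ranges)


def detect_unauthorized_writes(records, baseline=BASELINE):
    """Return alerts for write operations that deviate from the engineering baseline."""
    alerts = []
    for r in records:
        if r["func"] not in WRITE_FUNCS:
            continue  # reads do not change process state
        profile = baseline.get(r["dst"])
        if profile is None:
            alerts.append({**r, "reason": "write to controller with no baseline"})
        elif r["src"] not in profile["writers"]:
            alerts.append({**r, "reason": "write from host outside engineering baseline"})
        elif not in_baseline_range(r["addr"], r["qty"], profile["write_ranges"]):
            alerts.append({**r, "reason": "write outside baselined register range"})
    return alerts


def affected_controllers(alerts):
    """Controllers (dst, unit) an engineer should validate against expected setpoints."""
    return sorted({(a["dst"], a["unit"]) for a in alerts})


if __name__ == "__main__":
    found = detect_unauthorized_writes(parse_records(SAMPLE_RECORDS))
    for a in found:
        print(f'{a["ts"]} {a["src"]} -> {a["dst"]}/unit {a["unit"]} '
              f'{WRITE_FUNCS[a["func"]]} addr={a["addr"]} qty={a["qty"]}: {a["reason"]}')
    print("controllers to validate with engineering:", affected_controllers(found))
```

In the sample, the engineering workstation's write to register 40 and the write from an unbaselined host both produce alerts, while routine reads and the in-range setpoint change do not. The point of emitting a list of controllers to validate, rather than acting on the flow, is the one the article makes: the response decision (check the controller's current program and setpoints, restrict the offending access path, keep the process running if it is stable) belongs to engineers and operators with process context, not to an automated isolation rule.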

ICS/OT Incident Response Must Be Purpose-Built

These realities place new demands on ICS/OT incident response programs. While it is important to leverage what works from IT incident response, those approaches must be deliberately adapted for industrial environments. Effective industrial response depends on having ICS-specific incident response plans.

These realities are central to the upcoming SANS IR Command Roundtable on March 5, 2026, where cross-domain security leaders will examine how real incidents unfold, where response breaks down, and what disciplined, coordinated execution looks like when the pressure is highest. The goal is not to treat ICS/OT as a separate problem, but to understand how it fits into the broader incident response landscape organizations must be ready for.

We hope you’ll join that conversation as we continue exploring what effective incident response requires in a world where cyber events increasingly have physical consequences.

Register for the SANS IR Command Roundtable here.

Looking to go deeper?

Explore additional SANS incident response resources focused on safe, engineering-led response across IT and OT environments.