A Simple Framework for OT Ransomware Preparation White Paper

OT Ransomware: Are You Prepared?

The numbers paint a stark reality: Downtime from an ICS/OT ransomware attack costs an average of $4.73 million per incident—and that’s before factoring in safety risks, regulatory penalties, and reputational damage.

Yet, many organizations remain unprepared:

52% of ICS facilities lack a dedicated incident response plan
20% of ICS operators are unaware if they even have one
45% of ICS network compromises stem from IT networks, where attackers exploit weak IT-OT integrations to infiltrate industrial systems. Despite this, many organizations still rely on IT-centric security controls that fail to address ICS-specific threats—leading to false positives, operational disruptions, and ineffective defenses.

Unlike IT breaches that lock up data, ICS/OT ransomware shuts down operations—disrupting power grids, crippling supply chains—putting lives at risk. Attackers don’t just want access; they leverage operational importance for maximum extortion.

Will your organization be ready to respond?

Download Now

Download “A Simple Framework for OT Ransomware Preparation” White Paper

written by SANS Instructor, Lesley Carhart

First Name

Last Name

Phone

Organization

Industry

Accounting

Agriculture

Automotive

Banking/Finance

Business Services/Consulting

Chemicals

Computer Services/Consulting

Computer Software

Consumer Electronics

Consumer Package Goods

Education

Energy - Nuclear

Energy - Oil & Gas

Engineering & Construction

Food & Beverage

Govt - Canada - Civilian - Federal

Govt - Canada - Civilian - Reg or Local

Govt - Canada - Law Enforcement

Govt - Canada - Military

Govt - Contractor

Govt - EMEA Region - Civilian

Govt - EMEA Region - Law Enforcement

Govt - EMEA Region - Military

Govt - Other Regions - Civilian

Govt - Other Regions - Law Enforcement

Govt - Other Regions - Military

Govt - US - Civilian - Federal

Govt - US - Civilian - State or Local

Govt - US - Law Enforcement

Govt - US - Military

Health Care

Hospitality

Insurance - Health

Insurance - Other

Legal

Logistics & Supply Chain

Manufacturing - Aerospace

Manufacturing - Defense

Manufacturing - Industrial

Manufacturing - Other

Media & Entertainment

Metals & Mining

Nonprofit

Other

Pharmaceutical/Biotechnology

Real Estate

Retail Trade

Software

Technology

Telecommunications

Transportation

Travel & Tourism

Utilities - Other

Utilities - Power

Utilities - Water

Wholesale Trade

Country

United States

Canada

United Kingdom

Spain

Belgium

Denmark

Norway

Netherlands

Australia

India

Japan

Singapore

Afghanistan

Aland Islands

Albania

Algeria

American Samoa

Andorra

Angola

Anguilla

Antarctica

Antigua and Barbuda

Argentina

Armenia

Aruba

Austria

Azerbaijan

Bahamas

Bahrain

Bangladesh

Barbados

Belarus

Belize

Benin

Bermuda

Bhutan

Bolivia

Bonaire, Sint Eustatius, and Saba

Bosnia And Herzegovina

Botswana

Bouvet Island

Brazil

British Indian Ocean Territory

Brunei Darussalam

Bulgaria

Burkina Faso

Burundi

Cambodia

Cameroon

Cape Verde

Cayman Islands

Central African Republic

Chad

Chile

China

Christmas Island

Cocos (Keeling) Islands

Colombia

Comoros

Cook Islands

Costa Rica

Cote D'ivoire

Croatia (Local Name: Hrvatska)

Curacao

Cyprus

Czech Republic

Democratic Republic of the Congo

Djibouti

Dominica

Dominican Republic

East Timor

Ecuador

Egypt

El Salvador

Equatorial Guinea

Eritrea

Estonia

Eswatini

Ethiopia

Falkland Islands (Malvinas)

Faroe Islands

Fiji

Finland

France

French Guiana

French Polynesia

French Southern Territories

Gabon

Gambia

Georgia

Germany

Ghana

Gibraltar

Greece

Greenland

Grenada

Guadeloupe

Guam

Guatemala

Guernsey

Guinea

Guinea-Bissau

Guyana

Haiti

Heard And McDonald Islands

Honduras

Hong Kong

Hungary

Iceland

Indonesia

Iraq

Ireland

Isle of Man

Israel

Italy

Jamaica

Jersey

Jordan

Kazakhstan

Kenya

Kiribati

Korea, Republic Of

Kosovo

Kuwait

Kyrgyzstan

Lao People's Democratic Republic

Latvia

Lebanon

Lesotho

Liberia

Liechtenstein

Lithuania

Luxembourg

Macau

Madagascar

Malawi

Malaysia

Maldives

Mali

Malta

Marshall Islands

Martinique

Mauritania

Mauritius

Mayotte

Mexico

Micronesia, Federated States Of

Moldova, Republic Of

Monaco

Mongolia

Montenegro

Montserrat

Morocco

Mozambique

Myanmar

Namibia

Nauru

Nepal

Netherlands Antilles

New Caledonia

New Zealand

Nicaragua

Niger

Nigeria

Niue

Norfolk Island

North Macedonia

Northern Mariana Islands

Oman

Pakistan

Palau

Palestine

Panama

Papua New Guinea

Paraguay

Peru

Philippines

Pitcairn

Poland

Portugal

Puerto Rico

Qatar

Reunion

Romania

Russian Federation

Rwanda

Saint Bartholemy

Saint Kitts And Nevis

Saint Lucia

Saint Martin

Saint Vincent And The Grenadines

Samoa

San Marino

Sao Tome And Principe

Saudi Arabia

Senegal

Serbia

Seychelles

Sierra Leone

Sint Maarten

Slovakia

Slovenia

Solomon Islands

South Africa

South Georgia and the South Sandwich Islands

South Sudan

Sri Lanka

St. Helena

St. Pierre And Miquelon

Suriname

Svalbard And Jan Mayen Islands

Sweden

Switzerland

Taiwan

Tajikistan

Tanzania, United Republic Of

Thailand

Togo

Tokelau

Tonga

Trinidad And Tobago

Tunisia

Turkey

Turkmenistan

Turks And Caicos Islands

Tuvalu

Uganda

Ukraine

United Arab Emirates

United States Minor Outlying Islands

Uruguay

Uzbekistan

Vanuatu

Vatican City State

Venezuela

Vietnam

Virgin Islands (British)

Virgin Islands (U.S.)

Wallis And Futuna Islands

Western Sahara

Yemen

Zambia

Zimbabwe

Job Title

By providing this information, you agree to the processing of your personal data by SANS as described in our Privacy Policy.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Your Guide for an OT-Specific Incident Response

IT incident response plans aren’t built for the realities of ICS/OT environments. This white paper provides a practical, engineering-driven framework for developing ransomware response playbooks tailored to critical infrastructure — emphasizing life safety, operational continuity, and realistic ICS tabletop exercises. With a focus on cross-disciplinary collaboration and sector-specific threats, the guide outlines how to detect, contain, eradicate, and recover from ransomware attacks without compromising industrial operations. It also underscores the importance of treating response plans as living documents — continually tested and refined as environments and threats evolve.

Want a quick take on what’s inside?

Read our blog, Building a Better OT Ransomware Response Plan: A Simple Framework for ICS Environments, to explore key highlights and practical perspectives from the framework — then dive into the full white paper to build your own OT-specific response plan.

OT Ransomware on the Rise - How To Protect Your Operations and Business

Learn from Those Leading the Front Lines

Available to watch OnDemand starting May 16, this webcast features top ICS/OT security experts — Tim Conway, Robert M. Lee, Jason Christopher, and Lesley Carhart — discussing how to protect industrial operations against the growing threat of ransomware.

You’ll hear about the real-world business and safety consequences of an attack, how to apply the Five ICS Cybersecurity Critical Controls, and where to invest in training to improve your team’s readiness. Whether you’re building or refining your OT ransomware playbook, this session will equip you with the insight needed to lead a confident, real-world response.

OT Ransomware Response Starts with Prepared People

Defending against ICS/OT-specific threats requires more than traditional IT cybersecurity training — it demands a deep understanding of operational systems and real-world scenarios that impact safety and uptime.

In this short video, SANS ICS Curriculum Lead Tim Conway and SANS CEO Dennis Kirby explain what makes SANS Industrial Control Systems Security training unique, and why it's trusted by industrial cyber defenders across all sectors worldwide. You’ll learn why developing OT-specific expertise is essential for building a capable, confident response team — whether you're on the front lines or leading from the top. Learn how hands-on ICS training helps defenders recognize ransomware activity early, coordinate response efforts, and restore operations faster, with fewer missteps.

Explore Training That Builds Real OT Resilience

SANS ICS Security courses and GIAC certifications are built to meet today’s threats — arming engineers, analysts, responders, and security leaders with practical skills to protect what matters most. From foundational concepts to advanced detection and recovery, each course fits into a structured learning path designed to improve response readiness and build lasting resilience across your organization.

New

ICS310: ICS Cybersecurity Foundations™

ICS410: ICS/SCADA Security Essentials™

ICS418: ICS Security Essentials for Leaders™

ICS456: Essentials for NERC Critical Infrastructure Protection™

ICS515: ICS Visibility, Detection, and Response™

ICS612: ICS Cybersecurity In-Depth™

Beta

ICS613: ICS/OT Penetration Testing & Assessments

See All ICS Security Courses & Certifications

What SANS Alumni Say About SANS ICS Security

Meet Oren Niskin, an ICS/OT Cybersecurity Consultant who has taken many SANS ICS Security courses. He shares how he used this training to gain practical skills and advance his career in ICS/OT cybersecurity.

Explore the ICS Security Curriculum

Courses

Hands-On Simulations

Certifications

Ways to Train

Training Events & Summits

Free Training Events

Security Awareness

Featured: Solutions for Emerging Risks

Discover tailored resources that translate emerging threats into actionable strategies

By Focus Area

By NICE Framework

DoDD 8140 Work Roles

By European Skills Framework

By Skills Roadmap

New to Cyber

Leadership

Degree and Certificate Programs

Featured

New to Cyber resources

Watch & Listen

Read

Download

SANS Community Benefits

CISO Network

Team Development

Leadership Development