OT Ransomware

Are You Prepared?

Downtime from an ICS/OT ransomware attack costs an average of $4.73M — not including safety risks, regulatory penalties, or reputational damage. Yet many organizations remain unprepared:

  • 52% of ICS facilities lack a dedicated incident response plan 
  • 20% of ICS operators are unaware if they even have one 
  • 45% of compromises stem from IT networks where attackers exploit weak IT-OT integrations

Unlike IT breaches, ransomware in ICS/OT shuts down operations — and puts lives at risk.

If ransomware hit your environment tomorrow, would your team know what to do? 

IT Incident Response Plans Fall Short in ICS/OT

Free Whitepaper

Our “A Simple Framework for OT Ransomware Preparation” white paper by SANS Instructor Lesley Carhart provides a practical, engineering-driven framework for developing ransomware response playbooks tailored to critical infrastructure — emphasizing life safety, operational continuity, and realistic ICS tabletop exercises. With a focus on cross-disciplinary collaboration and sector-specific threats, the guide outlines how to detect, contain, eradicate, and recover from ransomware attacks without compromising industrial operations. It also underscores the importance of treating response plans as living documents — continually tested and refined as environments and threats evolve.

Want a quick take on what’s inside?

Read our blog, Building a Better OT Ransomware Response Plan: A Simple Framework for ICS Environments, to explore key highlights and practical perspectives from the framework — then dive into the full white paper to build your own OT-specific response plan.

Download “A Simple Framework for OT Ransomware Preparation” White Paper

written by SANS Instructor, Lesley Carhart

Learn from Those Leading the Front Lines

Top ICS/OT security experts — Tim Conway, Robert M. Lee, Jason Christopher, and Lesley Carhart — share how to protect industrial operations from ransomware in this expert-led webcast. You’ll hear about the business and safety consequences of an attack, how to apply the Five ICS Cybersecurity Critical Controls, and where to focus training to improve your team’s readiness.

Want a preview? Read our blog, OT Ransomware on the Rise: What You Need to Know and How to Prepare, for key takeaways — then watch the full session to ensure your team is ready to respond.

Go Beyond the First Control: Build a Complete ICS/OT Security Strategy

Featured Video

After focusing on ICS-specific incident response, it’s time to see how all Five ICS Cybersecurity Critical Controls work together to form a resilient ICS/OT security foundation. 

In this short video, SANS Principal Instructor Dean Parsons breaks down each control — covering incident response, defensible architecture, visibility, secure remote access, and risk-based vulnerability management — to help OT defenders detect earlier, respond faster, and recover safely. 

Want to go deeper? Download the white paper to explore how each control applies in the field, supports your role, and strengthens your team’s response.

OT Ransomware Response Starts with Prepared People

ICS/OT threats require more than IT training — they demand operational insight and hands-on experience. 

In this short video, SANS ICS Curriculum Lead Tim Conway and SANS CEO Dennis Kirby explain what makes SANS ICS Security training uniquely effective, and why it’s trusted by industrial cyber defenders across all sectors worldwide. You’ll learn why OT-specific skills are critical for detecting ransomware early, responding confidently, and restoring operations with minimal impact. 

Explore Training That Builds Real OT Resilience

SANS ICS Security courses and GIAC certifications are built to meet today’s threats — arming engineers, analysts, responders, and security leaders with practical skills to protect what matters most. From foundational concepts to advanced detection and recovery, each course fits into a structured learning path designed to improve response readiness and build lasting resilience across your organization.

What SANS Alumni Say About SANS ICS Security

Video Testimonial

Meet Oren Niskin, an ICS/OT Cybersecurity Consultant who has taken many SANS ICS Security courses. He shares how he used this training to gain practical skills and advance his career in ICS/OT cybersecurity.