Understanding the Changes in OT Incident Response


I have a fascinating job at Dragos that’s unusual. I’ve worked as a cybersecurity incident response and digital forensics expert for six years, focusing solely on our customers’ industrial networks. In simple terms, when something like a water treatment plant or a manufacturing device gets infected or hacked, my team is one of the few groups on Earth that responds to the situation.

The cases we handle vary greatly. Some days, we respond to ransomware attacks affecting huge Fortune 500 factories. Other times, we deal with intrusions or insider threats in small municipal utilities that might only have one IT person. We also assist with in-depth forensics for low-level industrial devices. What remains constant is that incident response and forensics in these environments differ significantly from traditional enterprise cases. The processes and vendor integrations often require us to use outdated methods and custom tools built for unique vendor firmware and interfaces. We frequently encounter Windows 2003 or even older operating systems. Safely deploying modern forensic agents is often not an option in most of these environments, and everything revolves around ensuring life and safety.

Recently, I’ve noticed an exciting shift in our incident response cases that shows a positive trend in cybersecurity awareness across different industries.

Our incident response team at Dragos has seen an increase in retainer activations related to three main situations:

  1. Triage of Long-Term Compromise and Infections: More customers are interested in figuring out how to scope and create plans for removing long-term infections (think infections lasting 5-10 years) and architectural compromises in their industrial systems. Safe operation requirements make cleaning up and reimaging extensive facilities very hard. Many have lived with infections for years because it was too costly or risky to fix them. However, these compromises can lead to operational problems down the line. Customers now want to understand the extent of the issue and develop a careful plan for removal.
  2. Investigating OT Due to IT or Supply Chain Compromise: We often respond to malware and insider threat cases that affect the boundaries between Enterprise and operational technology (OT). Recently, we’ve seen a rise in requests to get involved early when there are compromises related to IT or suppliers. With more network and cloud integrations, customers want to be sure that intrusions affecting one part of their network or a partner haven’t spread to their sensitive operational environments.
  3. Cybersecurity Forensic Analysis of OT Process Incidents: We’re also being called in more frequently at the start of physical industrial incidents, where the root cause isn’t clear. Customers contact us to analyze high- and low-level devices, logs, and network behaviors to identify or rule out digital issues like device tampering, infections, or misconduct.

What does this mean?

The increase in incident response calls for these cases is more encouraging than worrying. It shows a growing maturity and awareness of cybersecurity in industrial environments. It also indicates that organizations are integrating cybersecurity more effectively into business continuity planning and risk management. As cyberattacks—whether from insiders, criminals, or state-sponsored groups—become more common against industrial networks, it’s reassuring to see our customers eager to involve us early in their investigative processes. They want to ensure they’re not missing any potential intrusions or misuse of their digital equipment.

Our incident response workload will continue to include various industries, organizations, and incident types. While some cases will always be profoundly troubling and significantly impact people’s lives, it’s encouraging to witness the industry moving towards improved cybersecurity maturity and the ability to detect and respond to threats. This gives the Dragos Incident Response team a sense of hope for the future.
