A cybersecurity incident in OT is any event that threatens the safety, availability, or integrity of a control system. The definition matters because regulatory reporting obligations (DFARS 72-hour reporting, NIS2 significant-incident reporting, CISA disclosure) all hinge on whether an event meets the reporting threshold — and OT incident shapes differ materially from IT incident shapes.
The reference OT incidents
Five events, each illustrating a distinct incident category:
Stuxnet (2010) — physical destruction via PLC logic modification. Targeted Siemens S7-300 and S7-400 PLCs at the Natanz uranium-enrichment facility. Modified centrifuge rotational speeds to induce mechanical failure while reporting normal operation. The first publicly documented cyber attack that produced physical destruction of industrial equipment.
Ukraine power grid (2015–2016) — substation disruption via native protocols. BlackEnergy 3 and Industroyer/CrashOverride opened substation breakers using legitimate ICS protocols (IEC 60870-5-101/104, IEC 61850). Tens of thousands of customers lost power. Demonstrated that attackers could operate grid equipment through its own control protocols rather than through software exploits.
Colonial Pipeline (2021) — operational impact without OT compromise. DarkSide ransomware encrypted billing systems. The pipeline itself was not compromised. The operator shut down the pipeline for five days as a precaution. Fuel shortages followed across the US East Coast. Canonical example of IT ransomware causing OT shutdown via precautionary response.
Norsk Hydro / LockerGoga (2019) — IT ransomware with production impact. Ransomware encrypted 22,000+ Windows endpoints across the global operation. Smelters and rolling mills continued running on manual procedures. $70M+ impact, no OT malware deployed.
Oldsmar water treatment (2021) — unauthorized HMI access. An attacker accessed an HMI via TeamViewer and attempted to change the sodium hydroxide feed rate from 100 ppm to 11,100 ppm. Operator observed the change in real time and reverted it. Illustrated the risk of remote-access exposure on control-system HMIs.
What makes an OT incident different from IT
Four structural differences shape OT incident response:
- Safety-first containment. An IT host can be isolated by pulling its network cable. An OT controller mid-process cannot be simply disconnected — the physical process must be brought to a safe state first. Runbooks must preserve safety during response.
- Physical consequences. Equipment damage, environmental release, and human safety are possible outcomes. Incident categorization considers physical impact alongside data impact.
- Forensics without endpoint visibility. PLCs and RTUs do not produce traditional system logs. Forensic investigation relies on network captures, engineering-workstation history, and physical process data.
- Reporting obligations are broader. DFARS 252.204-7012 requires reporting within 72 hours of any event that could affect contract performance. NIS2 Article 23 requires an early warning within 24 hours. An OT event that never touched controlled unclassified information (CUI) still produces reporting obligations when production is affected.
Incident response structure
The NIST SP 800-61 lifecycle (Preparation, Detection and Analysis, Containment/Eradication/Recovery, Post-Incident Activity) applies to OT, but each phase carries OT-specific constraints:
- Preparation. Runbooks must be jointly owned by OT operations and cybersecurity teams. A response that conflicts with safety procedures is not a valid response.
- Detection. Most OT detection signals come from network telemetry, not endpoint logs. Anomalous protocol behavior, unexpected command flows, and credential usage outside change windows are the leading indicators.
- Containment. Isolating an OT asset may mean reverting to manual operation, not pulling it offline. The decision is operational, not purely security-driven.
- Recovery. Restoring a PLC configuration requires the original project files, which may be held by an integrator or vendor. Recovery time depends on supply-chain relationships.
- Post-incident. Root-cause analysis feeds into both cybersecurity improvements and process-safety reviews.
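The Detection step above (and the forensics note earlier on the page) rests on network telemetry rather than endpoint logs. The following is an added example, not code from the original page or from Access Gate, of what that detection logic looks like in practice: a small rule set run over constructed control-protocol session records. The record format (timestamp, source, destination, protocol, function, host, user), the host addresses, the approved-source list and the approved change window are all assumptions of the example; the Modbus function names and IEC 60870-5-104 ASDU type identifiers follow the protocol specifications, but which of them a given sensor exports is also an assumption.

```python
"""Rule-based triage of OT control-protocol telemetry (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Functions that change controller state. Reads, polls and general
# interrogation are normal traffic and are never flagged on their own.
CONTROL_FUNCTIONS = {
    "modbus": {"write_single_coil", "write_single_register",
               "write_multiple_coils", "write_multiple_registers"},
    "iec104": {"C_SC_NA_1", "C_DC_NA_1", "C_RC_NA_1",
               "C_SE_NA_1", "C_SE_NB_1", "C_SE_NC_1"},
    "s7comm": {"download_block", "plc_stop", "plc_start"},
}
# Program downloads and CPU state changes rank above a single setpoint write.
PROGRAM_CHANGE_FUNCTIONS = {"download_block", "plc_stop", "plc_start"}

# Constructed sample telemetry, one record per protocol transaction, in the
# shape a network sensor or session log might export. Hosts are hypothetical.
SAMPLE_TELEMETRY = """\
2024-03-12T02:14:05Z,10.20.1.15,10.20.5.40,modbus,write_single_register,eng-ws-01,jsmith
2024-03-12T09:30:12Z,10.20.1.15,10.20.5.40,modbus,write_multiple_registers,eng-ws-01,jsmith
2024-03-12T09:31:40Z,10.20.1.15,10.20.5.40,modbus,read_holding_registers,eng-ws-01,jsmith
2024-03-12T10:02:51Z,10.20.9.77,10.20.5.41,iec104,C_SC_NA_1,unknown,-
2024-03-12T10:05:00Z,10.20.1.16,10.20.5.41,iec104,C_IC_NA_1,scada-01,svc_scada
2024-03-12T23:45:09Z,10.20.1.15,10.20.5.40,s7comm,download_block,eng-ws-01,jsmith
"""

# Assumed: only the engineering workstation and the SCADA server may issue
# control commands, and changes are approved for one morning window (UTC).
APPROVED_SOURCES = {"10.20.1.15", "10.20.1.16"}
CHANGE_WINDOWS = [(datetime(2024, 3, 12, 8, tzinfo=timezone.utc),
                   datetime(2024, 3, 12, 12, tzinfo=timezone.utc))]


@dataclass(frozen=True)
class Record:
    ts: datetime
    src: str
    dst: str
    protocol: str
    function: str
    host: str
    user: str


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    record: Record


def parse_telemetry(text):
    """Parse the comma-separated export into Record objects (blank/comment lines skipped)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, func, host, user = line.split(",")
        # 'Z' suffix is normalised so fromisoformat() works on Python < 3.11 too.
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        records.append(Record(when, src, dst, proto, func, host, user))
    return records


def in_window(ts, windows):
    return any(start <= ts < end for start, end in windows)


def triage(records, approved_sources, change_windows):
    """Flag control commands from unapproved sources or outside the approved window."""
    findings = []
    for r in records:
        if r.function not in CONTROL_FUNCTIONS.get(r.protocol, set()):
            continue
        if r.src not in approved_sources:
            # Any control command from a host that should never issue one.
            findings.append(Finding("control_from_unapproved_source", "high", r))
        elif not in_window(r.ts, change_windows):
            # Approved host, but the change (and the credential behind it)
            # was used outside an approved change window.
            severity = "high" if r.function in PROGRAM_CHANGE_FUNCTIONS else "medium"
            findings.append(Finding("control_outside_change_window", severity, r))
    return findings


def run_sample():
    return triage(parse_telemetry(SAMPLE_TELEMETRY), APPROVED_SOURCES, CHANGE_WINDOWS)


if __name__ == "__main__":
    for f in run_sample():
        r = f.record
        print(f"{f.severity:6} {f.rule:30} {r.ts.isoformat()} {r.src}->{r.dst} "
              f"{r.protocol}/{r.function} host={r.host} user={r.user}")
```

Run against the constructed records, the rules surface the 02:14 Modbus register write and the 23:45 S7 block download from the engineering workstation (both outside the window, the download ranked higher) and the IEC 104 single command from an unlisted host, while the in-window writes, the register read and the general interrogation pass silently. The point is that none of this needs a log from the PLC itself: every field comes from the network session record, which is why that telemetry is the primary detection source in OT.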
Related terms
- Incident Response
- Ransomware in OT
- Malware in OT
- Industrial Control Systems Security
- OT/IT Convergence
Access Gate connection
Access Gate produces the network-layer telemetry — session logs, protocol anomalies, identity-bound access records — that OT incident detection depends on when endpoint visibility is not available. See OT Network Visibility.