Presenter:
This session argues that incident response and recovery in OT environments are fundamentally misunderstood—organizations plan for containment, but not for the messy reality of restoring operations safely and quickly.
Key takeaways
- Response plans stop at containment
- Most strategies focus on detection and isolation
- Very little planning goes into how to safely bring systems back online
- Recovery is treated as an afterthought
- Recovery is the hardest phase
- You can’t just “reboot” industrial systems
- Restarting processes incorrectly can cause physical damage
- Systems are interdependent, so recovery must be sequenced carefully
- Downtime decisions are business decisions
- When to shut down vs. keep running
- Trade-offs between safety, revenue, and risk
- These decisions often aren’t pre-planned
- Backups aren’t a silver bullet
- They may be outdated, incomplete, or incompatible
- Restoration can take longer than expected
- Validation of restored systems is critical before resuming operations
- Exercises don’t reflect reality
- Tabletops focus on ideal scenarios
- They rarely simulate real operational constraints and pressure
- Teams aren’t prepared for the chaos of actual recovery
