implementing-ot-incident-response-playbook

Featured

Develop and implement OT-specific incident response playbooks aligned with SANS PICERL framework, IEC 62443, and NIST SP 800-82 that address unique ICS challenges including safety-critical systems, limited downtime tolerance, and coordination between IT SOC, OT engineering, and plant operations teams.

Category: AI & Automation | 12,642 stars | 1468 forks | Updated today | License: Apache-2.0

Quality Score: 99/100

- Stars (weight 20%): 100
- Recency (weight 20%): 100
- Frontmatter (weight 20%): 70
- Documentation (weight 15%): 100
- Issue Health (weight 10%): 50
- License (weight 10%): 100
- Description (weight 5%): 100

Skill Content

# Implementing OT Incident Response Playbook

## When to Use

- When building OT-specific incident response procedures for the first time
- When existing IT IR playbooks do not address ICS/SCADA-specific requirements
- When preparing for OT ransomware scenarios like EKANS or LockerGoga
- When aligning IR procedures with IEC 62443 and NERC CIP incident reporting requirements
- When conducting post-incident reviews to improve OT IR capabilities

**Do not use** for IT-only incident response without OT components (use standard NIST 800-61 playbooks), for day-to-day OT security monitoring (see implementing-dragos-platform-for-ot-monitoring), or for tabletop exercise design (see performing-ics-tabletop-exercise).

## Prerequisites

- OT asset inventory with criticality ratings and safety system identification
- Defined roles: OT IR Lead, IT SOC Analyst, Plant Operations Manager, Process Safety Engineer
- Communication plan including out-of-band channels (OT incidents may compromise IT communications)
- Known-good backups of PLC programs, HMI configurations, and historian data
- Contact information for ICS vendors, Dragos/Claroty support, and CISA ICS-CERT

## Workflow

### Step 1: Define OT-Specific Incident Classification and Response Procedures

```python
#!/usr/bin/env python3
"""OT Incident Response Playbook Engine.

Implements structured OT incident response procedures following SANS PICERL lifecycle with ICS-specific considerations for safety, availability, and cross-team coo...
```

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

building-incident-response-playbook

Designs and documents structured incident response playbooks that define step-by-step procedures for specific incident types aligned with NIST SP 800-61r3 and SANS PICERL frameworks. Covers playbook structure, decision trees, escalation criteria, RACI matrices, and integration with SOAR platforms. Activates for requests involving IR playbook creation, incident response procedure documentation, response runbook development, or SOAR playbook design.

12,642 Updated today
mukul975
AI & Automation Featured

implementing-patch-management-for-ot-systems

This skill covers implementing a structured patch management program for OT/ICS environments where traditional IT patching approaches can cause process disruption or safety hazards. It addresses vendor compatibility testing, risk-based patch prioritization, staged deployment through test environments, maintenance window coordination, rollback procedures, and compensating controls when patches cannot be applied due to operational constraints or vendor restrictions.

12,642 Updated today
mukul975
AI & Automation Featured

building-ransomware-playbook-with-cisa-framework

Builds a structured ransomware incident response playbook aligned with the CISA StopRansomware Guide and NIST Cybersecurity Framework. Covers preparation, detection, containment, eradication, recovery, and post-incident phases with actionable checklists. Activates for requests involving ransomware response planning, CISA compliance, incident response playbook creation, or ransomware preparedness assessment.

12,642 Updated today
mukul975
Data & Documents Listed

ir-runbook

Incident Response runbook — NIST SP 800-61 phases (Preparation/Detection-Analysis/Containment-Eradication-Recovery/Lessons-Learned), per-scenario playbooks (ransomware, BEC, data exfil, credential compromise, cloud), regulatory reporting (NIS2 24h/72h, AVG breach 72h, DORA), comms templates, and post-incident review.

4 Updated 1 week ago
roodlicht
AI & Automation Featured

building-soc-playbook-for-ransomware

Builds a structured SOC incident response playbook for ransomware attacks covering detection, containment, eradication, and recovery phases with specific SIEM queries, isolation procedures, and decision trees. Use when SOC teams need formalized response procedures for ransomware incidents aligned to NIST SP 800-61 and MITRE ATT&CK ransomware techniques.

12,642 Updated today
mukul975