Ransomware isn’t going away in 2025. In fact, it’s getting more efficient, targeted, and disruptive, especially for operational technology (OT) environments. If your organization runs critical infrastructure or industrial environments, you’re already in the crosshairs.
In the white paper A Simple Framework for OT Ransomware Preparation, SANS Instructor Lesley Carhart lays out a practical, action-oriented approach for organizations looking to build or refine ransomware response playbooks tailored to OT. The key message? Preparation matters. And in the OT world, a lack of preparation can have real-world consequences.
Why OT Is Especially at Risk
Industrial networks are high-value targets. They’re essential to operations but often lag behind IT in terms of security maturity. The combination of criticality and weaker defenses makes them ideal candidates for ransomware affiliates looking for maximum leverage and fast paydays.
Attackers typically don’t go after programmable logic controllers (PLCs) or lower-level devices. Instead, they target higher-level systems such as human machine interfaces (HMIs), supervisory control and data acquisition (SCADA) servers, or engineering workstations: anything that supports process visibility and control. When these systems are locked or encrypted, operations grind to a halt.
Despite the stakes, many organizations still don’t have a clear plan for what to do when ransomware hits. That’s the gap this framework is designed to address.
Start with the Basics: Know Your Environment
Before drafting a playbook, you need a baseline understanding of your OT environment: the architecture, assets, communication flows, key personnel, and existing controls. This isn’t about perfection; it’s about alignment. OT, IT, and cybersecurity teams need a shared understanding of what’s running, what’s at risk, and who does what during an incident.
Key questions include:
- How is a ransomware incident detected and escalated?
- What remote access exists, and who manages it?
- What systems are vendor-managed, legacy, or difficult to recover?
- Are there current backups? Who owns them? Have they been tested?
These discussions also help identify where communication or accountability may break down in the middle of a crisis.
Fix the IT/OT Disconnect
A recurring point in the paper is how often OT and cybersecurity teams talk past each other. Misaligned goals, unfamiliar terminology, and a lack of shared mission can derail planning before it even begins.
Carhart suggests several ways to bridge that gap:
- Center conversations on safety and process impact, not just cyber tactics.
- Build a shared glossary of terms to avoid confusion.
- Implement structured job shadowing to help cybersecurity personnel understand industrial operations.
- Set up regular communication between teams to reduce friction and avoid workarounds or “shadow IT” behaviors.
You can’t build a functional ransomware playbook without cooperation. This is a great place to start.
The Playbook Structure: What to Include
The playbook itself follows the SANS PICERL lifecycle: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. Each phase includes OT-specific considerations and clear guidance for collaboration between stakeholders.
Preparation
This phase covers everything from identifying budget and authority for emergency purchases to scheduling and running tabletop exercises. Playbooks should be regularly updated and drilled, ideally more than once a year.
Identification
Detection in OT often relies more on human observation and passive monitoring than advanced endpoint tools. The playbook should account for this, documenting detection methods, escalation paths, and how forensic evidence will be collected and handled.
Containment
In OT, containment usually means isolating entire network segments. That is clearly not an ideal scenario, but it is sometimes necessary nonetheless. The playbook should define who makes that call, what tools are available, and how containment will affect operations.
Eradication
Removing attacker tools and backdoors is complicated when systems are old, vendor-managed, or critical to production. The playbook should identify who owns which parts of the process and include cross-references to configuration backups, password resets, and any external support needed.
Recovery
Whether rebuilding from backups or (in rare cases) considering ransom payment, the playbook should help organizations make informed, risk-based decisions. If recovery depends on vendors, hypervisors, or offline backups, those paths need to be clearly documented and tested in advance.
Lessons Learned
Post-incident reviews are essential. The playbook should mandate after-action reviews that focus on operational impact, not just technical analysis, and identify updates needed across response plans, network diagrams, inventories, and communication workflows.
Supporting Material
To keep the core playbook usable in a crisis, Carhart recommends moving tactical details, like metadata collection procedures, containment decision trees, or restoration workflows, to appendices. These should be cross-referenced and aligned with real-world conditions in your environment.
Start Preparing Now
This isn’t a theoretical framework; it’s a working model designed for ICS/OT environments that need to be ready for ransomware now. Carhart’s approach is grounded in the reality of OT: legacy systems, complex vendor relationships, and real consequences for downtime or missteps.
The bottom line: having an ICS/OT-specific plan isn’t optional anymore; it’s essential. A well-structured, regularly tested, and collaboratively built ransomware playbook could be the difference between hours of downtime and days or even weeks of crisis.
If you’re in OT, this framework is a must-read and a clear call to action.
This blog just scratches the surface of what you need to know to protect OT and critical infrastructure environments from ransomware.
For a deeper dive into building a tested, process-focused response plan, download the full white paper and explore SANS Institute's ICS Security courses to take the next step in securing your operational technology.