SANS Shakes Up OT Security Playbooks with No-Nonsense Framework to Stop Ransomware Shutdowns

New guide by Lesley Carhart arms industrial teams with a blunt reality check: your IT playbook won’t save you

If your organization’s ransomware response plan was built for IT systems, it’s not just ineffective in OT environments. It could be the reason your operations grind to a halt.

Ransomware attacks targeting OT are escalating, and so are the consequences. Downtime from a single incident now averages $4.73 million. Forty-five percent of ICS compromises still originate in IT through weak integration points that most organizations overlook.

Today, SANS Institute released A Simple Framework for OT Ransomware Preparation, a white paper by renowned incident responder and SANS Instructor Lesley Carhart. It tosses out the generic advice and gives industrial teams a grounded, adaptable playbook built for real-world attacks on operational technology.

Ransomware is no longer about locking up data. In OT environments, it’s about shutting down power grids, halting manufacturing lines, and putting lives at risk. And yet, 52 percent of ICS facilities still don’t have a ransomware-specific incident response plan in place. Another 20 percent of operators don’t even know if one exists.

“This is not an abstract threat. Modern OT networks are packed with vulnerable systems, and attackers know exactly how to exploit the gap between IT and engineering,” said Carhart. “Generic IT incident response plans don’t work here. You need custom, engineering-driven planning to stop operational fallout.”

This white paper is the first step in SANS’ effort to confront the growing threat of OT-specific ransomware head-on. It offers a clear and adaptable framework for building incident response playbooks that work in industrial environments. These are engineering-informed strategies built for the systems that keep critical operations running.

What makes this different?

  • It’s built for engineers, not just analysts.
  • It pushes past theory.
  • It bridges the IT and OT gap.
  • It’s adaptable by design.

“This guide gives security leaders a wake-up call,” said Carhart. “Too many organizations still treat OT like IT, and that disconnect creates dangerous blind spots in response planning.”

Download the white paper, A Simple Framework for OT Ransomware Preparation: https://www.sans.org/mlp/ics-ot-malware-and-ransomware/
Explore SANS ICS Security Training: https://www.sans.org/industrial-control-systems-security/