New guide by Lesley Carhart arms industrial teams with a blunt reality check: your IT playbook won’t save you
Bethesda, MD, April 16, 2025 (GLOBE NEWSWIRE) — If your organization’s ransomware response plan was built for IT systems, it’s not just ineffective in OT environments. It could be the reason your operations grind to a halt.
Ransomware attacks targeting OT are escalating, and so are the consequences. Downtime from a single incident now averages $4.73 million. Forty-five percent of ICS compromises still originate in IT through weak integration points that most organizations overlook.
Today, SANS Institute released A Simple Framework for OT Ransomware Preparation, a white paper by renowned incident responder and SANS Instructor Lesley Carhart, that tosses out the generic advice and gives industrial teams a grounded, adaptable playbook built for real-world attacks on operational technology.
Ransomware is no longer about locking up data. In OT environments, it’s about shutting down power grids, halting manufacturing lines, and putting lives at risk. And yet, 52 percent of ICS facilities still don’t have a ransomware-specific incident response plan in place. Another 20 percent of operators don’t even know if one exists.
“This is not an abstract threat. Modern OT networks are packed with vulnerable systems, and attackers know exactly how to exploit the gap between IT and engineering,” said Carhart. “Generic IT incident response plans don’t work here. You need custom, engineering-driven planning to stop operational fallout.”
This white paper is the first step in SANS’ effort to confront the growing threat of OT-specific ransomware head-on. It offers a clear and adaptable framework for building incident response playbooks that work in industrial environments. These are engineering-informed strategies built for the systems that keep critical operations running.
What makes this different?
- It’s built for engineers, not just analysts. The framework accounts for the physical impact of response decisions, such as how full-network isolation plays out in a live process environment.
- It pushes past theory. This is a real-world guide authored by someone who has responded to ransomware incidents in power plants, factories, and refineries.
- It bridges the IT and OT gap. The framework calls out the communication breakdowns that stall containment and recovery and gives actionable fixes.
- It’s adaptable by design. The playbook is built to be a living document, drilled regularly, and updated as systems and threats evolve.
“This guide gives security leaders a wake-up call,” said Carhart. “Too many organizations still treat OT like IT, and that disconnect creates dangerous blind spots in response planning.”
Download the white paper, A Simple Framework for OT Ransomware Preparation: https://www.sans.org/u/1AYd
Explore SANS ICS Security Training: https://www.sans.org/industrial-control-systems-security/
CONTACT: Jenn Elston SANS Institute 301-654-7267 press@sans.org
- St. Charles Residents Urged to Fortify Fencing Against Severe Weather with Fence and Deck Depot’s Expert Guidance - April 18, 2025
- Machine Learning Engineer Interview Course 2025 – Interview Kickstart Releases ML Engineer Course With Interview Prep - April 18, 2025
- Pixelle Specialty Solutions Pauses Chillicothe Mill Closure - April 18, 2025
