Episode 85 — Coordinate IT and OT During Incidents: Nuances, Authority, and Safety Priorities

When an incident happens in an organization that has both Information Technology (I T) and Operational Technology (O T), one of the fastest ways for the situation to get worse is for the two worlds to respond as if they are separate planets. Beginners often assume that security response is universal, meaning the same playbook works everywhere, but the reality is that I T and O T have different goals, different constraints, and different definitions of what “safe” means. I T environments often prioritize confidentiality and rapid containment, and they can usually tolerate more aggressive actions like reimaging machines, forcing password resets, or taking systems offline temporarily. O T environments prioritize safety and continuity of physical processes, and they often cannot tolerate actions that remove visibility or disrupt control timing. The problem is not that one side is right and the other is wrong; the problem is that incidents often cross the boundary, and the organization must coordinate decisions so containment does not create operational hazards and operational continuity does not ignore cyber risk. This lesson is about understanding the nuances of coordination, clarifying authority during stressful moments, and keeping safety priorities explicit so that response actions are both effective and responsible. In a well-run incident, I T and O T do not merely cooperate; they align their decisions around a shared understanding of consequences.

Before we continue, a quick note: this audio course is a companion to our course companion books. The first book is about the exam and provides detailed information on how to pass it best. The second book is a Kindle-only eBook that contains 1,000 flashcards that can be used on your mobile device or Kindle. Check them both out at Cyber Author dot me, in the Bare Metal Study Guides Series.

A good place to start is recognizing that the I T and O T boundary is rarely a clean line on a diagram, because real organizations share services, people, and workflows. Identity systems, remote access gateways, patching infrastructure, logging platforms, and even vendor support arrangements can span both domains. That means an intrusion that begins in the corporate network can become an O T risk if credentials are shared, if remote access is reachable, or if a management server bridges zones. Conversely, an O T disruption can become an I T crisis if it affects business operations, regulatory reporting, or customer service. Beginners sometimes hear “segmentation” and assume the problem is solved, but segmentation reduces risk; it does not eliminate dependency. During incidents, these dependencies become visible and sometimes painful. For example, if I T disables a directory service to stop credential abuse, O T may lose authentication for operator stations or remote access workflows. If O T isolates a segment to protect controllers, I T may lose telemetry needed to investigate the entry point. Coordination is therefore about managing dependencies under stress and choosing actions that reduce overall risk rather than optimizing only for one domain. The first coordination skill is simply knowing that the interdependence exists and expecting it to matter when time is short.

Authority is the next nuance, and it is where many incidents go off the rails because people are unsure who can approve actions that affect safety and production. In I T incidents, authority often sits with the security team or I T leadership, and decisions like isolating machines or blocking traffic can be made quickly. In O T incidents, the authority to change control systems or to take operational systems offline often belongs to operations leadership and engineering, because they are accountable for safety and process stability. Beginners should learn that authority must be explicit and pre-defined, not negotiated in the middle of a crisis. If authority is unclear, two dangerous things can happen. I T might take aggressive action that accidentally disrupts control, creating safety risk and operational downtime. Or O T might resist containment actions because they fear disruption, allowing attackers time to expand their presence. A coordinated incident structure defines which decisions require operations approval, which decisions can be executed by I T security, and which decisions require joint sign-off. It also defines escalation paths when disagreement occurs, because disagreement is normal in high-stakes situations. The point is not to eliminate disagreement; it is to resolve it quickly with the right decision-makers and the best available evidence.

Safety priorities are the anchor that should guide coordination, because safety is the non-negotiable outcome in O T, and it must be considered even when cyber risk feels urgent. Safety priorities include maintaining reliable control, maintaining trustworthy visibility, and avoiding actions that could push the process into unsafe states. That does not mean doing nothing; it means doing the right thing in the right order. For example, if a suspicious remote session is detected, I T might want to immediately kill the session and block the account. O T might be concerned that killing a session could interrupt a critical maintenance activity or leave a control change half-applied. Coordination means verifying what is happening, determining whether the process is stable, and choosing a containment action that reduces attacker control without creating an unsafe transition. Beginners should also understand that safety priorities include preventing operators from acting on bad information. If monitoring is compromised, operators may not know what is real, and that uncertainty can be more dangerous than the cyber event itself. In that situation, the safest action might be to switch to manual verification methods or to reduce process complexity until integrity can be confirmed. Coordinated incident response keeps these safety considerations visible so that cyber containment does not accidentally create a physical hazard.

One of the most important coordination nuances is that I T and O T often interpret the same evidence differently because their baselines and concerns are different. A security analyst may see unusual traffic and assume malicious activity, while an operator may see that the process is stable and assume the traffic is harmless. Both perspectives contain truth, but neither is sufficient alone. In O T, stable process behavior does not prove the environment is uncompromised, because attackers may position themselves quietly or manipulate visibility. In I T, unusual traffic does not automatically justify disruptive action, because the same traffic might be part of a maintenance workflow or a vendor support session. Coordination means sharing evidence in a way that both sides can use. For example, security can provide session details and timing, while operations can provide maintenance schedules and process status context. Together, teams can decide whether the activity aligns with authorized work or represents an anomaly that demands containment. Beginners should learn that incident response is not only a hunt for malicious artifacts; it is a structured process of hypothesis and validation. The best outcomes happen when I T and O T treat each other as sources of essential context rather than as obstacles.

Another nuance is the role of vendor and third-party access during incidents, because vendors often sit at the intersection of I T and O T workflows. Remote access tools, support portals, and contractor laptops can be entry points, and during incidents, those pathways may need to be restricted quickly. I T teams may be inclined to disable vendor access broadly, while O T teams may rely on vendor access for troubleshooting, recovery, or even safe operation depending on the system. Coordination means planning for vendor involvement as part of incident response, including how vendor access is approved, monitored, and limited during crises. It also means understanding which vendor activities are safety-critical and which can be delayed. Beginners should recognize that vendors can also be part of evidence gathering, because they may understand proprietary logs or system behaviors that internal teams cannot interpret. However, vendor involvement must be managed carefully to maintain accountability and to avoid introducing new risk through uncontrolled access. A coordinated approach defines how vendor access is granted during incidents, how sessions are recorded, and who supervises. This is not about distrust of vendors; it is about ensuring that a high-consequence environment maintains governance even under pressure. When vendor pathways are managed consistently, the organization can leverage vendor expertise without opening uncontrolled doors.

Communication cadence is another coordination challenge, because incidents create information overload and emotional pressure. I T teams may generate frequent technical updates, while O T teams may need concise, actionable information that maps to operational decisions. Operations leaders need clear statements about whether control integrity is in question and what actions are recommended. Security leaders need clear statements about what constraints exist and what actions are safe. Beginners should understand that effective communication during O T incidents is not about constant talking; it is about structured updates that maintain a shared picture. This often includes establishing a clear channel for incident communications, assigning a person responsible for maintaining a common timeline, and ensuring that decisions are recorded with their rationale. Recording rationale matters because later, when people ask why a risky action was taken or why containment was delayed, the answer should be based on documented evidence and safety considerations, not on memory. Coordination also includes agreeing on terminology, because words like isolate, shut down, and take offline can mean different things to different teams. A shared vocabulary prevents misinterpretation that could lead to harmful actions. In high-stakes environments, clarity is a safety control.

A critical technical nuance that influences coordination is the difference between disconnecting for safety and disconnecting for containment. I T teams often isolate systems to stop attacker movement and protect data. O T teams may disconnect systems to preserve deterministic control, prevent unsafe interactions, or maintain stable operation. These actions may look similar on a network diagram, but their intent and consequences differ. For example, isolating an O T segment might stop attacker lateral movement, but it might also isolate historians or alarm systems that operators rely on. Isolating an engineering workstation might stop further changes, but it might also prevent legitimate control adjustments needed to maintain safe operation during an abnormal condition. Coordination means aligning intent: are we isolating to stop an attacker, to protect the process, or both, and what evidence supports that choice? It also means choosing isolation points that preserve essential control and visibility while limiting risk. Beginners should learn that the safest containment choices often involve narrowing access rather than cutting everything off, such as restricting privileged accounts, disabling unnecessary remote pathways, and enforcing tighter boundary rules. These are still strong actions, but they are more controlled and less likely to create unintended operational consequences.

Recovery is where I T and O T coordination is tested again, because the urge to restore quickly can collide with the need to verify integrity. I T teams may be able to rebuild servers and endpoints quickly, but O T teams need to confirm that rebuilt systems behave correctly in the context of control and safety. That means verifying configurations, validating controller logic versions, and ensuring that alarms and operator displays reflect reality. Beginners should understand that “it boots” is not the same as “it is safe,” and coordinated recovery requires agreement on what verification steps are required before reconnecting systems to sensitive networks. Recovery also includes deciding which services can return first and which must wait, based on criticality. Identity services, remote access gateways, and monitoring systems often need careful handling because they can become re-entry points if compromised, yet they may also be necessary for normal operations. Coordination means balancing those needs, restoring in a controlled order, and maintaining heightened monitoring during the recovery period. It also means continuing to communicate clearly so operations understands what changes were made and security understands what operational constraints remain. A coordinated recovery produces confidence rather than lingering doubt, which is essential for resuming normal production safely.

Ultimately, coordinating I T and O T during incidents is about aligning two legitimate sets of priorities under a single shared goal: safe, reliable operation in the presence of cyber risk. Nuances matter because the same technical action can have different consequences depending on where it is applied and when it is applied. Authority matters because decisions that affect safety must be made by the right people, and those people must be defined before crisis pressure arrives. Safety priorities matter because in O T, cyber response actions must never create physical hazards, and maintaining trustworthy visibility and control is part of safety. When I T and O T collaborate effectively, incidents are handled with evidence-driven pacing rather than panic-driven improvisation. For new learners, the most important takeaway is that success is not measured by how quickly you can block an address or wipe a machine; it is measured by how well you can reduce attacker capability while preserving safe control and restoring trust. That requires shared context, disciplined communication, and respect for each domain’s expertise. When those elements are present, the organization can respond decisively without losing control, and that is exactly what incident management in O T is supposed to achieve.

Episode 85 — Coordinate IT and OT During Incidents: Nuances, Authority, and Safety Priorities
Broadcast by