Sector-Specific Incident Response Playbooks
Pre-built, customisable IR playbooks for electricity, water, gas, ports, rail, and aviation scenarios — kept current by xCIRT.
Overview
When the alert fires at 2am, nobody wants to be drafting a playbook from scratch. xCIRT maintains a library of sector-specific incident response playbooks — each one written for the operational realities of a particular sector and a particular incident type — that operators can adopt, tailor, and put to work immediately.
These are not generic IT playbooks with “OT” pasted on the front. They are built around the assets, regulators, and decision rights that actually exist in each sector.
Playbook library (initial set)
- Electricity — OT-aware ransomware crossing IT/OT, control-system command-injection events, SCADA HMI compromise, and IIoT botnet activity.
- Water and gas — Telemetry-system tampering, remote-access compromise on field assets, and unauthorised setpoint changes on control systems.
- Ports — Compromise of cargo-management and terminal-operating systems, and OT exposure via remote-vendor access.
- Rail — Signalling-adjacent IT compromise, network-segmentation failure between corporate and operational rail networks, and depot-level OT compromise.
- Aviation — Compromise of ground systems with operational impact, and OT exposure via vendor and contractor access.
Each playbook covers detection cues, containment options (with safety considerations), eradication, recovery, and SOCI/CIRMP-aligned reporting.
How operators use them
- Fixed-price licence — Bring the playbooks into your IR programme, tailored to your estate.
- Subscription updates — Quarterly revisions reflecting new threats, regulatory changes, and post-incident learnings.
- Tabletop drills — Optional add-on: xCIRT-facilitated tabletops using your playbooks against your team.
Outcomes
A practical, sector-correct foundation for incident response — drafted by responders who understand the sector, kept current as the landscape moves, and yours to put under your IR programme.