DEV Community

M Ali Khan
Inside the OT Cyber War Room: Who Sits Where, What’s on the Screens, and Who Gets to Pull the Plug

When something strange ripples through your plant (odd alarms, unstable processes, weird network noise), you don’t want a scattered response. You want a room where the right people see the right data at the right time, and someone clearly owns the next move.
That’s the point of an OT cyber “war room”: a focused command center (physical or virtual) where engineering, operations, and security sit together, stare at the same screens, and make fast decisions without losing control of the plant.

1. Who’s in the OT War Room?

An effective OT war room isn’t “the SOC plus some engineers.” It’s a mix of roles, each with a clear job:
Incident Commander – Owns decisions, priorities, and communication with leadership. Usually, the OT / plant security lead or automation manager.

OT Engineers & Operators – Know the control systems (PLC, DCS, SCADA, HMIs) and the process. They answer: “Can we safely do this?”

SOC / Cyber Analysts – Watch logs, alerts, and network flows. They answer: “What is the attacker doing, and where?”

IT / Forensics Support – Handle endpoint forensics, AD, VPN, email, backups – anything on the IT side that touches OT.

Safety Officer – Watches process safety, permits, and physical risk. Has veto power if an action risks hurting people or equipment.

Comms / PR / Legal (on call or present) – Handle regulators, customers, and public messaging if the incident escalates.

Each chair in that room should have a label and a purpose. No “extra bodies.” No one should be just “observing.”

2. What the Room Actually Looks Like
Forget abstract “collaboration hubs.” Picture this:
A rectangular table, with the Incident Commander in a spot where they can:

See all the wall screens.
Talk to everyone without shouting.

Seats around the table labeled:

SOC Analyst
OT Engineer
IT Forensics
Plant Operations Liaison
Safety Officer
Communications Lead
Incident Commander

On the walls: large shared displays and a whiteboard (or shared digital board) that get used constantly, not just as decoration.
Example wall screens:

Process View
  SCADA/HMI dashboards
  Current production status, key setpoints, alarms

Network & Security View
  OT network map
  IDS/IPS / NSM dashboards
  Firewall / VPN logs

Event & Asset View
  Alarm/event logs
  Historian trends
  OT asset inventory (PLC, RTU, IED, firmware versions)

Context View
  Threat intel feed (if available)
  Relevant playbooks/checklists
  Video feed from critical areas (optional)

Everything that matters to the plant and the attack path should be visible without tab-hopping.

3. Under the Hood: Tech and Tools
A war room is not just “screens everywhere”; it needs the right tech under the hood. At a minimum, you want high-resolution wall displays plus individual analyst stations, all fed by an OT-aware SIEM or security console (or at least solid network monitoring focused on OT segments). Taps or SPAN ports into critical ICS networks provide the traffic for monitoring and forensics, while direct access to the historian, OT asset inventory, and engineering workstations (ideally read-only) lets engineers validate what is really happening in the process. On top of that sits a prepared “jump bag”: laptops loaded with OT forensics tools, baseline configurations, and known-good backups of control logic and project files, together with the hashes of those backups so you can tell at a glance whether what is on a controller or engineering workstation today still matches what you trusted yesterday.

Finally, the war room must be able to function even if the primary network is compromised, so you build in out-of-band communications like a phone bridge, radios, or a separate messaging channel. If your war room depends entirely on the same network you are investigating, you are already playing from behind.
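The jump bag’s baseline only earns its keep if someone can actually compare it against what the plant is running today. The script below is an added example, not code from this post: it builds a SHA-256 manifest of the known-good project files, stores it as JSON in the jump bag, and diffs a freshly pulled copy of the project against it, reporting modified, missing and unexpected files. The directory layout, file names and contents are constructed for illustration and do not correspond to any real vendor format.

```python
"""Check pulled controller project files against the known-good baseline
kept in the war-room jump bag. Added example; not code from the original post."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Stream-hash one file so large project archives are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (POSIX-style relative path) to its SHA-256 hex digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_manifest(manifest, path):
    """Persist the baseline as sorted JSON (store it on read-only media in the bag)."""
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def verify(manifest, root):
    """Diff the files under root against a baseline manifest.

    Returns what an OT engineer wants to know: what changed, what vanished,
    and what appeared that was never part of the trusted baseline."""
    current = build_manifest(root)
    report = {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }
    report["clean"] = not any(report.values())
    return report


def demo():
    """Constructed scenario: baseline in the jump bag vs. project files pulled today."""
    with tempfile.TemporaryDirectory() as bag, tempfile.TemporaryDirectory() as pulled:
        # Hypothetical project layout; names and contents are illustrative only.
        baseline_files = {
            "plc01/main.L5X": b"<Program>original ladder logic</Program>",
            "plc01/io.cfg": b"io_config=v1",
        }
        trusted_copy = Path(bag, "projects")
        for folder in (trusted_copy, Path(pulled)):
            for rel, data in baseline_files.items():
                target = folder / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)

        # Build the manifest once, from the trusted copy, and keep it beside it.
        manifest_path = Path(bag, "baseline.sha256.json")
        save_manifest(build_manifest(trusted_copy), manifest_path)

        # Simulate what a pull from the engineering workstation might look like
        # after someone has been busy: one routine edited, one config gone, one new file.
        Path(pulled, "plc01/main.L5X").write_bytes(b"<Program>modified ladder logic</Program>")
        Path(pulled, "plc01/io.cfg").unlink()
        Path(pulled, "plc01/extra.rtn").write_bytes(b"routine nobody remembers adding")

        return verify(load_manifest(manifest_path), pulled)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two caveats belong on the whiteboard next to this check. First, hashing project files on the engineering workstation tells you about the workstation; to know what the controller is actually executing, upload the program from the PLC itself and compare that against the baseline, because online edits made directly to a controller never touch the saved project. Second, the manifest is only as trustworthy as its storage: if an attacker who can alter the backups can also alter the manifest, the check proves nothing, so keep it on read-only media or sign it.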

4. How Decisions Flow (Incident Command System in Practice)
Many mature OT incident programs base their war rooms on an Incident Command System (ICS)-style structure, so decisions aren’t random or emotional. Note the acronym clash: in this section “ICS” means the Incident Command System used in emergency management, not the industrial control system you are protecting.
Roughly, it plays out like this:
Incident Commander
  Defines priorities: safety, continuity, containment, recovery.
  Has final say: “We isolate that VLAN now” / “We delay patching until we can safely shut down.”

Operations / OT Section Lead
  Senior OT engineer.
  Translates goals into technical actions: isolate a subnet, move to manual mode, throttle a process, load a known-good backup.

SOC / Cyber Section
  Explains what the alerts actually mean.
  Tracks attacker activity, lateral movement, and persistence.

Planning / Documentation
  Keeps an Incident Action Plan (IAP) per shift.
  Tracks what was done, when, and why.

Liaison / Comms
  Deals with regulators, vendors, and customers.
  Drafts bulletins, press lines, and post-incident reports.

The loop is simple and brutal:
  Set objectives – “Keep Reactor X in safe shutdown; contain malware in OT zone 2.”
  Pick tactics – “Isolate HMI network, block suspicious IP, review historians for anomalies.”
  Execute and verify – Did we break anything? Did it work?
  Reassess – Update the IAP and next objectives.
If nobody can answer “Who is allowed to approve a PLC reboot?”, it won’t be a war room; you’ll have chaos in a conference room.

5. War Room by Industry: How It Changes

The core structure of the war room stays the same across industries, but what appears on the screens changes with the sector.
In manufacturing, the displays typically show conveyor and line HMI dashboards alongside batch or line alarm logs. The OT lead watches for unexpected stops and nuisance trips that line up with strange network activity; if equipment is tripping for no good process reason, a cyber cause is immediately on the table.
In power and energy environments, screens are more likely to show plant SCADA views, generator and turbine status, and grid telemetry with breaker status. Safety and control engineers pay close attention to any breaker that latches open or any unplanned setpoint change, knowing that some responses may require manual intervention in the yard, coordinated live from the war room.
In pharma and biotech, the wall is dominated by batch control dashboards, sterilization and environmental logs, and recipe management systems. The team focuses on catching unauthorized recipe changes and protecting the integrity of quality data, and legal and compliance are brought in early because product quality and regulatory exposure are at stake.

6. Data as the Truth

A good OT war room runs on correlating data:
OT engineers ask:

“Did the PLC actually stop that pump, or is it a comms hiccup?”

They pull:

Historian trends
Event logs
PLC / DCS diagnostics

SOC analysts ask:
“Did lateral movement occur before that alarm?”

“Are we seeing known ICS malware behaviors or just noisy scanning?”

They pull:

Network flow / PCAP
Authentication logs
Endpoint telemetry (where available)
At each station, a realistic setup might be:
Split-screen:

Window 1: SIEM / IDS or NSM console

Window 2: OT dashboard / HMI client

Window 3: Asset inventory or historian trends

Verbal call-outs matter:
“Historian shows an unsolicited write to Pump-03 at 10:34. We have an alarm at 10:35. No operator command logged. That’s suspicious.”
That’s how you move from “alert fatigue” to actual, defensible decisions.
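The call-out above is really a three-way join: historian writes against the HMI command audit log (did an operator ask for this?) and against the alarm log (did the process react?). The script below implements that correlation as an added example; it is not code from this post. The log line formats, tag names, IP addresses, trusted-station list and the 30-second / 5-minute windows are all assumptions for illustration, and the sample records are constructed to reproduce the Pump-03 scenario.

```python
"""Flag unsolicited controller writes by correlating historian writes with the
HMI command audit log and the alarm log. Added example; not from the original post."""
import re
from datetime import datetime, timedelta

# Constructed sample records. The formats are assumptions, not any vendor's log syntax.
HISTORIAN_WRITES = """\
2024-05-01 10:20:41 WRITE Pump-03.RunCmd=1 src=10.20.1.15
2024-05-01 10:34:05 WRITE Pump-03.RunCmd=0 src=10.20.5.77
2024-05-01 10:36:10 WRITE Valve-12.Setpoint=45.0 src=10.20.1.15
"""
HMI_COMMANDS = """\
2024-05-01 10:20:40 CMD Pump-03.RunCmd=1 user=operator2 station=HMI-01
2024-05-01 10:36:08 CMD Valve-12.Setpoint=45.0 user=operator2 station=HMI-01
"""
ALARMS = """\
2024-05-01 10:35:02 ALARM Pump-03 LOW_FLOW
"""
# Assumed set of stations that are allowed to write to controllers at all.
TRUSTED_WRITERS = {"10.20.1.15"}

TS_FMT = "%Y-%m-%d %H:%M:%S"
WRITE_RE = re.compile(r"^(\S+ \S+) WRITE (\S+?)=(\S+) src=(\S+)$")
CMD_RE = re.compile(r"^(\S+ \S+) CMD (\S+?)=(\S+) user=(\S+) station=(\S+)$")
ALARM_RE = re.compile(r"^(\S+ \S+) ALARM (\S+) (\S+)$")


def parse(text, regex, fields):
    """Parse matching lines into dicts; lines that do not match are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = regex.match(line.strip())
        if not m:
            continue
        rec = dict(zip(fields, m.groups()))
        rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
        records.append(rec)
    return records


def asset_of(tag):
    """'Pump-03.RunCmd' -> 'Pump-03', so alarms can be matched to the written tag."""
    return tag.split(".", 1)[0]


def correlate(writes_text=HISTORIAN_WRITES, cmds_text=HMI_COMMANDS, alarms_text=ALARMS,
              cmd_window=timedelta(seconds=30), alarm_window=timedelta(minutes=5),
              trusted=TRUSTED_WRITERS):
    """Return one finding per write that no operator command explains."""
    writes = parse(writes_text, WRITE_RE, ["ts", "tag", "value", "src"])
    cmds = parse(cmds_text, CMD_RE, ["ts", "tag", "value", "user", "station"])
    alarms = parse(alarms_text, ALARM_RE, ["ts", "asset", "alarm"])
    findings = []
    for w in writes:
        # A matching operator command shortly *before* the write explains it.
        explained = any(c["tag"] == w["tag"] and c["value"] == w["value"]
                        and timedelta(0) <= w["ts"] - c["ts"] <= cmd_window
                        for c in cmds)
        if explained:
            continue
        finding = {
            "ts": w["ts"].strftime(TS_FMT), "tag": w["tag"], "value": w["value"],
            "src": w["src"], "untrusted_source": w["src"] not in trusted,
            "followed_by": [], "severity": "medium",
        }
        # Did the process react? Look for alarms on the same asset shortly after.
        for a in alarms:
            if a["asset"] == asset_of(w["tag"]) and timedelta(0) <= a["ts"] - w["ts"] <= alarm_window:
                finding["followed_by"].append(a["alarm"])
        if finding["followed_by"] or finding["untrusted_source"]:
            finding["severity"] = "high"
        findings.append(finding)
    return findings


def callout(finding):
    """Render a finding as the kind of verbal call-out the room needs to hear."""
    src_note = " from an untrusted source" if finding["untrusted_source"] else ""
    tail = (" Followed by " + ", ".join(finding["followed_by"]) + " alarm."
            if finding["followed_by"] else "")
    return (f"Unsolicited write {finding['tag']}={finding['value']} at {finding['ts']}"
            f"{src_note} ({finding['src']}). No operator command logged.{tail}")


if __name__ == "__main__":
    for f in correlate():
        print(f"[{f['severity'].upper()}] {callout(f)}")
```

The join only works if the historian, the HMI audit log and the network sensor share a clock; a few seconds of skew is enough to push a legitimate command outside the window and raise a false alarm, so check time sync before you trust the timestamps, and widen the window rather than tighten it when in doubt. The trusted-writer list is a cheap but powerful second signal: a write from an address that is not an engineering workstation deserves a call-out even if the process has not complained yet.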

7. Keeping Score - Documenting and Escalating

A war room should always document. Every major action is proposed, approved, or rejected by the Incident Commander, and then logged in the incident action plan or shared tracker with who did what, when, and why.
The whiteboard or shared screen displays current objectives, key constraints such as “Do not stop Line 3 unless safety requires it,” and clearly defined escalation points. If things escalate (for example, ransomware spreads, safety becomes doubtful, or multiple sites are affected), the Incident Commander triggers the Crisis Management Team at the executive level, or a Unified Command that brings together IT, safety, and business continuity teams. The war room remains the technical nerve center, but decisions now also factor in business risk and corporate strategy.

8. What “Good” Looks Like

A strong OT cyber war room feels like a hybrid between:
An old-school control room (everyone watching the same critical process data)

And a modern SOC (threats, logs, correlations, forensics)

The fundamentals:
One clear leader (Incident Commander).

Defined roles, no passengers.

Big shared displays for the “single source of truth.”

Individual consoles for deep work.

Playbooks and structure, not improvisation.

Tools staged in advance – jump bag, backups, out-of-band comms.

When that’s in place, you’re not just reacting to chaos. You’re running a disciplined operation that can contain cyber events without blindly killing production or risking safety.
