During recovery after an OT-based security incident, incident responders should:

Prepare for the Certified Incident Handler (CIH) Exam. Enhance your knowledge with interactive quizzes and detailed insights into cyber incident handling. Boost your exam readiness with our expert-designed questions!

Allowing only real-time connectivity to the organizational networks during the recovery phase of an operational technology (OT)-based security incident is a crucial best practice. This approach helps to minimize the risk of further compromise by limiting external connections and ensuring that only the necessary communication is taking place. It helps incident responders maintain tighter control over the network environment, enabling them to monitor traffic more effectively and ensure that any ongoing malicious activities are detected and contained.

In this context, restricting connectivity while focusing on real-time operations allows the organization to assess the integrity of its systems and gradually restore services without exposing them to additional threats. The emphasis on real-time connectivity means that priority is given to essential functions that support recovery efforts and operational continuity, rather than allowing unrestricted access that could introduce vulnerabilities or lead to further incidents. This method also aligns with best practices in incident recovery, which prioritize securing the environment before expanding access or reintroducing more complex functionality.
