Everyone Needs AIR: An Agnostic Incident Reporting Framework for Cybersecurity in Operational Technology

TL;DR

This paper introduces AIR, a comprehensive and adaptable incident reporting framework for operational technology that enhances incident documentation, coordination, and compliance during cybersecurity events.

Contribution

The paper presents AIR, a novel, standardized incident reporting framework tailored for OT environments, bridging gaps between IT and OT incident reporting standards.

Findings

AIR maps to major OT standards and frameworks.

Retrospective application to the 2015 Ukrainian grid incident demonstrates effectiveness.

Supports situational awareness and stakeholder communication.

Abstract

Operational technology (OT) networks are increasingly coupled with information technology (IT), expanding the attack surface and complicating incident response. Although OT standards emphasise incident reporting and evidence preservation, they do not specify what data to capture during an incident, which hinders coordination across stakeholders. In contrast, IT guidance defines reporting content but does not address OT constraints. This paper presents the Agnostic Incident Reporting (AIR) framework for live OT incident reporting. AIR comprises 25 elements organised into seven groups to capture incident context, chronology, impacts, and actions, tailored to technical, managerial, and regulatory needs. We evaluate AIR by mapping it to major OT standards, defining activation points for integration and triggering established OT frameworks, and then retrospectively applying it to the 2015 Ukrainian distribution grid incident. The evaluation indicates that AIR translates high-level requirements into concrete fields, overlays existing frameworks without vendor dependence, and can support situational awareness and communication during response. AIR offers a basis for standardising live OT incident reporting while supporting technical coordination and regulatory alignment.