Electric utilities don’t get the luxury of “we’ll take it down and rebuild.”
When something smells wrong in an operational technology (OT) environment, you’re balancing safety, continuity, and investigation simultaneously. CIRCIA adds another pressure point for covered entities: certain cyber incidents may require reporting within 72 hours after you reasonably believe a covered cyber incident occurred.
https://www.law.cornell.edu/uscode/text/6/681b
You’re not being asked to solve the whole incident in 72 hours. You’re being asked to produce a defensible first narrative, supported by evidence, while the environment is still changing.
Coverage indicators utilities should document
Most utilities already live in a reporting world.
Depending on your footprint and responsibilities, you may already operate under some combination of:
- North American Electric Reliability Corporation (NERC) reliability standards
- Department of Energy (DOE) reporting expectations
- state public utility commission oversight
- sector-driven incident coordination
Those relationships matter because they often intersect with CIRCIA applicability discussions, especially for organizations supporting Bulk Electric System (BES) cyber systems, transmission operations, or distribution infrastructure with essential service impacts.
CISA’s three-step covered entity framework is still the cleanest way to document your logic, even if your final answer is “likely, but depends on structure.”
https://www.cisa.gov/sites/default/files/2024-05/24-0630-Covered-Entity-Infographic-04242024-508c.pdf
Two utility anchors that help frame “reuse, don’t reinvent” readiness:
NERC CIP-008-6 (incident reporting and response planning expectations for BES Cyber Systems)
https://www.nerc.com/globalassets/standards/reliability-standards/cip/cip-008-6.pdf
DOE OE-417 (Electric Emergency Incident and Disturbance Report program)
https://doe417.pnnl.gov/
If you want one practical deliverable for leadership, build a short coverage memo and keep it updated:
- Which operational systems you run
- Which category of infrastructure you support (BES, distribution, generation, control center operations)
- What you already report today, and to whom
- Which vendors or shared providers hold evidence you may need during an incident
Step-by-step guide:
circia-covered-entity-quick-test
Context across sectors:
circia-healthcare-72-hour-ready
OT vs. IT incidents: why triage works differently
OT response is not “IT response, but in a substation.”
The priorities are different, the constraints are real, and the cost of the wrong containment move can be high.
NIST SP 800-82 Rev. 3 (Guide to Operational Technology Security) explains why incident response in OT environments requires its own playbook.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf
Here’s what changes in practice:
Safety comes first
Certain actions that are fine in IT can create operational risk in OT. A fast isolate-and-wipe approach can interrupt monitoring, automation, or protective functions, sometimes in ways that ripple.
Availability isn’t negotiable
Utilities must maintain continuous delivery. Even a “small” operational disruption can affect large geographic areas, critical services, and restoration timelines.
Systems are specialized, fragile, and often legacy
You can’t always patch on demand. You can’t always scan aggressively. Some devices have narrow tolerance for change, restarts, or traffic spikes.
Evidence can be easy to destroy by accident
OT logging can be limited. Historians roll over. Devices overwrite buffers. And well-intentioned recovery steps can erase the very artifacts you need to explain what happened.
CISA’s recommended practice for ICS incident response is a strong reality check for coordination between engineering and security teams.
https://www.cisa.gov/sites/default/files/2023-01/final-RP_ics_cybersecurity_incident_response_100609.pdf
CISA’s “Seven Steps” paper is also worth keeping in your runbook, especially for segmentation and remote access discipline.
https://www.cisa.gov/sites/default/files/documents/Seven%20Steps%20to%20Effectively%20Defend%20Industrial%20Control%20Systems_S508C.pdf
One small operational detail that matters: decide in advance who has authority to approve containment actions that could affect operations. In the moment, you don’t want engineering and security negotiating risk in a hallway.
OT evidence capture checklist
In OT, the fastest investigations are usually the ones that don’t start from scratch.
Your goal is to know, ahead of time, what evidence exists, who can pull it, and how quickly you can preserve it without disrupting operations.
NIST SP 800-82 emphasizes the importance of monitoring and logging across control system environments, even when telemetry is constrained.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf
A practical OT evidence packet often includes:
Historian data
Time-series data can show abnormal behavior that aligns with suspected intrusion windows, device changes, or operational anomalies.
Alarm and event logs
Control system alerts and sequence-of-events logs can provide early indicators, sometimes before IT tools show anything meaningful.
Engineering workstation logs
Engineering workstations are high-value targets. If a workstation is compromised, configuration changes can follow quickly.
Remote access records
If vendors or remote operators access OT systems, you want session records, authentication logs, and timestamps you can reconcile. Expect clock skew between the vendor's access platform, the engineering workstation, and field devices; record each source's time zone and its measured offset from a reference clock at collection time, or the timeline will not hold up later.
Network telemetry
Even partial visibility helps. Baseline traffic patterns, unusual connections between substations, or unexpected communications can anchor your timeline.
If you need a broader library of ICS recommended practices to help formalize what you collect and how, CISA maintains a strong reference set here:
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
For log retention and integrity concepts that support investigation credibility, NIST SP 800-92 is still one of the clearest foundations:
https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-92.pdf
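To make "timestamps you can reconcile" concrete, here is an added example (not code from the article, and not any vendor's tooling) that normalises three constructed evidence sources onto one UTC timeline: remote-access session records already in UTC, an engineering workstation audit log stamped in local time with no zone marker, and a substation sequence-of-events log whose clock was measured 90 seconds fast. It then flags each configuration write with the remote session it fell inside, whether a change ticket covers it, and whether a device-side alarm corroborates it. The log line layouts, the UTC-06:00 offset, the skew value and the approved-change list are all assumptions for illustration.

```python
"""Reconcile OT evidence onto one UTC timeline and flag configuration writes
made during a remote-access session. Added example, not code from the article.
Every log line is constructed; the field layouts are assumptions, not any
vendor's real format."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Assumptions recorded at collection time: the engineering workstation stamps
# local time (UTC-06:00) with no zone marker, and the substation gateway's
# clock was measured 90 s fast against the reference clock.
EWS_LOCAL_TZ = timezone(timedelta(hours=-6))
SOE_CLOCK_SKEW = timedelta(seconds=90)

# Constructed vendor remote-access platform records (UTC).
REMOTE_ACCESS_LOG = """\
2024-03-05T01:58:10Z session=start user=vendor-svc src=203.0.113.7 dst=ews-01
2024-03-05T02:41:55Z session=end user=vendor-svc src=203.0.113.7 dst=ews-01
2024-03-05T13:05:02Z session=start user=j.ortiz src=10.20.5.14 dst=ews-01
2024-03-05T13:20:40Z session=end user=j.ortiz src=10.20.5.14 dst=ews-01
"""
# Constructed engineering workstation audit log (local time, no zone marker).
EWS_AUDIT_LOG = """\
2024-03-04 20:12:31 host=ews-01 event=config_write device=relay-sub7-3 by=vendor-svc
2024-03-04 20:15:04 host=ews-01 event=config_write device=relay-sub7-4 by=vendor-svc
2024-03-05 07:10:12 host=ews-01 event=config_write device=rtu-sub9-1 by=j.ortiz
"""
# Constructed sequence-of-events log from the substation gateway (its own clock).
SOE_LOG = """\
2024-03-05T02:14:15Z device=relay-sub7-3 alarm=SETTINGS_CHANGED
2024-03-05T02:16:50Z device=relay-sub7-4 alarm=SETTINGS_CHANGED
"""
# Constructed change-ticket record: (account, device) pairs with approved work.
APPROVED_CHANGES = {("j.ortiz", "rtu-sub9-1")}


@dataclass
class Event:
    ts: datetime   # always UTC after normalisation
    source: str
    fields: dict


def _kv(rest):
    return dict(tok.split("=", 1) for tok in rest.split())


def _iso_utc(stamp):
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(UTC)


def load_remote(text):
    return [Event(_iso_utc(s), "remote", _kv(r))
            for s, r in (ln.split(" ", 1) for ln in text.splitlines())]


def load_ews(text):
    out = []
    for line in text.splitlines():
        day, clock, rest = line.split(" ", 2)
        local = datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S")
        out.append(Event(local.replace(tzinfo=EWS_LOCAL_TZ).astimezone(UTC), "ews", _kv(rest)))
    return out


def load_soe(text):
    # Subtract the measured skew so device alarms line up with the other sources.
    return [Event(_iso_utc(s) - SOE_CLOCK_SKEW, "soe", _kv(r))
            for s, r in (ln.split(" ", 1) for ln in text.splitlines())]


def build_timeline(*sources):
    """Merge every normalised event into one UTC-ordered timeline."""
    return sorted((e for src in sources for e in src), key=lambda e: e.ts)


def sessions(remote_events):
    """Pair session=start/end records per (user, src) into (user, start, end)."""
    open_, done = {}, []
    for e in remote_events:
        key = (e.fields["user"], e.fields["src"])
        if e.fields["session"] == "start":
            open_[key] = e.ts
        elif key in open_:
            done.append((key[0], open_.pop(key), e.ts))
    return done


def flag_changes(ews_events, remote_events, soe_events, tolerance=timedelta(minutes=5)):
    """For each config write: the remote session it fell inside, whether a
    change ticket covers it, and whether a device-side alarm corroborates it."""
    windows = sessions(remote_events)
    findings = []
    for e in ews_events:
        if e.fields.get("event") != "config_write":
            continue
        device, actor = e.fields["device"], e.fields["by"]
        during = [u for u, start, end in windows if start <= e.ts <= end]
        corroborated = any(
            s.fields.get("device") == device and s.fields.get("alarm") == "SETTINGS_CHANGED"
            and timedelta(0) <= s.ts - e.ts <= tolerance
            for s in soe_events)
        findings.append({"device": device, "change_ts_utc": e.ts.isoformat(),
                         "actor": actor, "session_user": during[0] if during else None,
                         "approved": (actor, device) in APPROVED_CHANGES,
                         "corroborated": corroborated})
    return findings


if __name__ == "__main__":
    remote, ews, soe = load_remote(REMOTE_ACCESS_LOG), load_ews(EWS_AUDIT_LOG), load_soe(SOE_LOG)
    for ev in build_timeline(remote, ews, soe):
        print(ev.ts.isoformat(), ev.source, ev.fields)
    for finding in flag_changes(ews, remote, soe):
        print(finding)
```

Run as written, the two relay writes resolve to the vendor account's session with no covering ticket and a corroborating SETTINGS_CHANGED alarm a few seconds later, while the RTU write resolves to an approved in-house session with no device-side alarm. The point for the 72-hour narrative is that neither judgement is possible until the workstation's missing zone and the gateway's skew are applied; both values belong in the evidence packet next to the raw files.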
Building a 72-hour narrative for operational impact
CIRCIA’s 72-hour reporting requirement is tied to when you reasonably believe a covered cyber incident occurred.
https://www.law.cornell.edu/uscode/text/6/681b
For utilities, the narrative needs to do more than describe “malware on a system.” It needs to explain the operational impact and stay consistent as facts develop.
Start by documenting four things early:
Service disruptions
Examples include:
- customer outages
- disruptions to grid monitoring or control center visibility
- failures or degradation in operational control systems
Systems affected
Be explicit about scope boundaries:
- OT control systems vs corporate IT
- vendor-managed infrastructure vs utility-owned systems
- control center vs substation vs field assets
Mitigation and containment actions
Time-stamp what you did and why, especially if actions were chosen to protect safety and continuity:
- isolating specific segments
- switching to backup control capabilities
- restricting remote access
- restoring operational services in phases
Restoration status and what you still don’t know
A short sentence that says “scope still evolving” is better than a confident statement you have to walk back later.
CISA’s one-pager on covered cyber incidents is useful for explaining why availability losses and operational disruptions can quickly qualify as covered cyber incidents, especially in critical infrastructure environments.
https://www.cisa.gov/sites/default/files/2024-05/24-0630-CCI-One-Pager-20240410-2-508c.pdf
If your teams already use DOE OE-417, the form itself is a helpful writing model. It’s structured around what happened, operational impacts, mitigations, and current status, which maps well to what leaders and regulators tend to ask for.
https://doe417.pnnl.gov/files/DOE-417_Form.pdf
If you’re reading this as planning material, nothing here needs to be filed today. The win is a narrative format you can reuse under pressure.
Tabletop scenario: suspected OT intrusion with partial visibility
OT incidents often start with incomplete data. That’s normal. The right test scenario assumes it upfront.
Example tabletop:
- Hour 3: Monitoring identifies abnormal communication between substations.
- Hour 12: Engineers detect unexplained configuration changes in several devices.
- Hour 24: Investigation confirms unauthorized remote access to an engineering workstation.
At this stage, your organization may “reasonably believe” an incident has occurred, and the reporting clock may begin.
https://www.law.cornell.edu/uscode/text/6/681b
Measure outcomes that matter, not just whether the tabletop felt realistic:
Time to operational impact assessment
How long does it take to determine whether power delivery systems are affected?
Time to incident narrative
How quickly can you produce a preliminary summary that leadership can trust?
Evidence packet completeness
Can you assemble historian data, alarms, workstation logs, and remote access records without disrupting operations?
CISA tabletop exercise packages:
https://www.cisa.gov/resources-tools/services/cisa-tabletop-exercise-packages
Sector-wide exercise context for electric utilities: GridEx (E-ISAC)
https://www.eisac.com/s/gridex
A useful add-on to the tabletop: require a “decision log” as an output. One page. Time-stamped. Who approved what, and why. That document saves hours later, especially when you’re trying to reconcile operational decisions with investigation and reporting needs.
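One way to keep that decision log from being quietly edited after the fact is to hash-chain its entries, so any later change to an earlier line breaks every link after it. The following is an added example, not code from the article or from CISA; the four entries are constructed to follow the tabletop hours above, the role names are placeholders, and the 72-hour helper simply measures from whatever timestamp you recorded as the moment of reasonable belief. It does not decide whether an incident is a covered cyber incident; that remains a coverage determination.

```python
"""Hash-chained decision log for an OT incident, plus the 72-hour reporting
deadline measured from the moment reasonable belief was recorded. Added
example, not code from the article; the entries and times are constructed to
match the tabletop above. Whether an event is a covered cyber incident is a
coverage determination this code does not make."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
GENESIS = "0" * 64          # prev-hash of the first entry


def _digest(prev_hash, entry):
    # Canonical JSON so the same entry always hashes the same way.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


class DecisionLog:
    def __init__(self):
        self.entries = []

    def record(self, ts, actor, role, decision, rationale):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "ts": ts.astimezone(UTC).isoformat(),
                 "actor": actor, "role": role, "decision": decision,
                 "rationale": rationale, "prev": prev}
        entry["hash"] = _digest(prev, entry)   # hash covers every field above
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Recompute every link from genesis; return (ok, first_bad_seq)."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or _digest(prev, body) != e["hash"]:
                return False, e["seq"]
            prev = e["hash"]
        return True, None


def reporting_deadline(belief_ts, hours=72):
    """72 hours from when the entity reasonably believed a covered incident occurred."""
    return belief_ts.astimezone(UTC) + timedelta(hours=hours)


def hours_remaining(belief_ts, now):
    return (reporting_deadline(belief_ts) - now.astimezone(UTC)) / timedelta(hours=1)


# Constructed exercise clock: T0 is the tabletop start, belief recorded at Hour 24.
T0 = datetime(2024, 3, 5, 0, 0, tzinfo=UTC)
BELIEF_TS = T0 + timedelta(hours=24)


def build_tabletop_log():
    log = DecisionLog()
    log.record(T0 + timedelta(hours=3), "shift supervisor", "operations",
               "Keep inter-substation links up; start packet capture at the gateway",
               "Abnormal traffic only; isolating now would blind SOE visibility")
    log.record(T0 + timedelta(hours=12), "incident commander", "security",
               "Freeze configuration pushes from ews-01; snapshot the historian",
               "Unexplained relay setting changes; preserve before any recovery step")
    log.record(BELIEF_TS, "incident commander", "security",
               "Reasonable belief recorded; 72-hour reporting clock started",
               "Unauthorized vendor remote access to ews-01 confirmed")
    log.record(T0 + timedelta(hours=25), "OT engineering lead", "engineering",
               "Disable the vendor VPN account; require escorted access",
               "No protective function depends on the session; approved by engineering")
    return log


if __name__ == "__main__":
    log = build_tabletop_log()
    print("chain intact:", log.verify())
    print("report due by:", reporting_deadline(BELIEF_TS).isoformat())
    log.entries[1]["rationale"] = "edited after the fact"
    print("after tampering:", log.verify())   # (False, 1)
```

Each entry carries the hash of the one before it, so editing the Hour 12 rationale later makes verify() stop at seq 1 even though the later entries are untouched. Write the final hash into the evidence packet manifest when the exercise or incident closes; that one value lets a reviewer confirm the log they are reading is the log that was kept.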
Conclusion: operational resilience depends on preparation
Electric utilities operate infrastructure that the public depends on every minute of the day. When cyber incidents affect operational systems, the consequences can touch public safety, economic stability, and trust.
CIRCIA reinforces a practical requirement for covered entities: accelerated reporting timelines and structured early documentation.
https://www.law.cornell.edu/uscode/text/6/681b
Utilities that do best with this aren’t the ones that chase a perfect story on the first day. They’re the ones who can do three things quickly:
- Document coverage logic without hand-waving
- Preserve OT evidence without disrupting operations
- Produce a clear, operationally grounded narrative within the first 72 hours