What is a CSIRT?

CSIRT stands for Computer Security Incident Response Team. It is a specialised team within an organisation responsible for handling, investigating and coordinating security incidents in IT and/or OT (Operational Technology).

The terms CSIRT and CERT are often used interchangeably — functionally they mean the same thing.


🎯 What does a CSIRT do?

A CSIRT helps organisations to:

  • 🔍 Detect security incidents (such as ransomware, data breaches, DDoS)
  • 🚨 Respond to incidents: containment, mitigation and recovery
  • 📈 Analyse root cause and impact (forensic investigation)
  • 🧰 Advise on preventive measures
  • 📢 Communicate with internal and external parties (such as NCSC and vendors)

🛠️ Typical CSIRT tasks

  • Incident response: isolating systems, restoring backups, blocking attacks
  • Threat intelligence: analysing CVEs and IOCs (Indicators of Compromise)
  • Logging & monitoring: analysing SIEM logs, detecting suspicious activity
  • Coordination: liaising with vendors, IT departments or external CERTs
  • Reporting: lessons learned, recommendations and policy updates
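As an added illustration of the logging & monitoring and threat intelligence tasks listed above (example code written for this page, not taken from any CSIRT tool or vendor product): a small IOC sweep over SIEM-style key=value log lines, the kind of triage check a CSIRT runs when an indicator list arrives from a partner CERT. The indicator set, log lines, hostnames and the `match_iocs` / `hosts_by_hit_count` helpers are all constructed here; the IP ranges are documentation ranges and the hash is a placeholder.

```python
"""Minimal IOC sweep over SIEM-style log lines (constructed example, not real IOCs)."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed indicator set. A CSIRT would load these from a threat-intel feed;
# the networks are RFC 5737 documentation ranges and the hash is a placeholder.
IOC_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]
IOC_DOMAINS = {"update-check.example", "cdn.example.net"}
IOC_SHA256 = {"a" * 64}

# Constructed log lines in a simple key=value layout, as many SIEMs export.
SAMPLE_LOGS = [
    "ts=2024-05-01T10:00:01Z host=ws-017 event=dns query=update-check.example",
    "ts=2024-05-01T10:00:03Z host=ws-017 event=netconn dst=203.0.113.45 dport=443",
    "ts=2024-05-01T10:00:05Z host=srv-02 event=netconn dst=192.0.2.10 dport=22",
    "ts=2024-05-01T10:00:09Z host=ws-017 event=process sha256=" + "a" * 64 + " image=C:\\Temp\\svc.exe",
    "ts=2024-05-01T10:01:00Z host=ws-020 event=dns query=intranet.example",
    "ts=2024-05-01T10:01:04Z host=ws-020 event=dns query=files.cdn.example.net.",
]


@dataclass(frozen=True)
class Hit:
    """One indicator match: when, on which host, which indicator type and value."""
    ts: str
    host: str
    ioc_type: str
    value: str


KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Parse a key=value log line into a dict; an unrecognised layout yields {}."""
    return dict(KV.findall(line))


def ip_is_ioc(value: str, networks=IOC_NETWORKS) -> bool:
    """True if value is a valid IP inside any listed indicator network."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False  # not an IP at all (hostname, garbage), so never a match
    return any(addr in net for net in networks)


def domain_is_ioc(value: str, domains=IOC_DOMAINS) -> bool:
    """True for an exact match or any subdomain of an indicator domain.

    Case and a trailing dot (absolute DNS names) are normalised away first.
    """
    name = value.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def match_iocs(lines, networks=IOC_NETWORKS, domains=IOC_DOMAINS, hashes=IOC_SHA256):
    """Return a Hit for every indicator observed in the given log lines, in line order."""
    hits = []
    for line in lines:
        f = parse_line(line)
        ts, host = f.get("ts", "?"), f.get("host", "?")
        if "dst" in f and ip_is_ioc(f["dst"], networks):
            hits.append(Hit(ts, host, "ip", f["dst"]))
        if "query" in f and domain_is_ioc(f["query"], domains):
            hits.append(Hit(ts, host, "domain", f["query"]))
        if f.get("sha256", "").lower() in hashes:
            hits.append(Hit(ts, host, "sha256", f["sha256"]))
    return hits


def hosts_by_hit_count(hits) -> dict:
    """Rank affected hosts, which is what decides the containment order."""
    return dict(Counter(h.host for h in hits))


if __name__ == "__main__":
    found = match_iocs(SAMPLE_LOGS)
    for h in found:
        print(f"{h.ts} {h.host} {h.ioc_type}={h.value}")
    print(hosts_by_hit_count(found))
```

Two design points matter in practice: the domain check also flags subdomains of an indicator (a blocklisted domain is rarely contacted by its apex name alone), and the host ranking is the output that feeds the incident response row above, since the host with the most distinct indicator types is the first candidate for isolation.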

🏭 CSIRT in an OT environment

In industrial networks, a CSIRT typically works alongside OT management to:

🔧 Many critical infrastructure organisations (such as energy, water and transport) have an OT-specific CSIRT or a hybrid team with OT expertise.


🔄 Difference between CSIRT and CERT

  • Term: CSIRT is the more formal term, often used for internal teams; CERT is the historical term, often public-facing
  • Use: CSIRT mainly in larger organisations; CERT also for sectors or countries
  • Activities: identical for both, namely incident detection and response

📌 In summary

A CSIRT is an essential team for digital resilience that detects, analyses and manages incidents. In both IT and OT networks, it helps minimise damage and strengthen the security architecture.