What Your IT Response Playbook Gets Wrong About OT.
2026-04-10, Track 2

Your incident response playbook has been battle-tested through countless IT security incidents. You know the drill: isolate compromised systems, preserve evidence, rebuild from known-good baselines. But in operational technology environments, these same best practices can be catastrophic.

This talk examines the dangerous assumptions that IT security teams make when responding to OT incidents in critical national infrastructure. Through real-world scenarios, we'll explore why standard IR practices, from immediate network isolation to credential resets, need fundamental rethinking when dealing with industrial control systems. Learn what happens when you try to "pull the plug" on a system controlling safety mechanisms, why forensic imaging a 15-year-old PLC isn't an option, and how to navigate the tension between investigation needs and operational reality.

This session will challenge your assumptions and provide practical frameworks for adapting your IR methodology before an incident puts it to the test.

James is a Chartered Incident Response Professional with extensive expertise in Digital Forensics and Incident Response (DFIR). Certified by SANS, he brings over nine years of specialised experience to the field, having conducted both criminal and civil forensic investigations across public and private sectors.

James spearheads the strategic development of Bridewell's proactive and reactive incident response services, driving team growth and service innovation across critical national infrastructure, finance, hospitality, defence and government clients. His leadership encompasses strategic planning, team development, and service line expansion for UK and US markets.