OT cyber incident reports

Identifies documents containing references to ot cyber incident reports in international contexts. This information type is classified as personally identifiable information under applicable data protection regulations.

Type

regex

Engine

boost_regex

Confidence

medium

Confidence justification

structural regex with domain-specific anchors and constrained context replaces phrase-only marker. Added context gating and exclusion rules improve precision and reduce incidental matches.

Detection quality

Mixed

Jurisdictions

global

Regulations

GDPR

Data categories

pii

Scope

wide

Platform compatibility

Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Degraded, Netskope: Unsupported

Pattern

(?is)\b(?:OT\s+cyber\s+incident|ICS\s+incident|industrial\s+cyber|SCADA\s+compromise|incident\s+report|containment\s+measures|attack\s+timeline|operational\s+technology|industrial\s+control\s+system|critical\s+infrastructure|threat\s+actor|indicators\s+of\s+compromise)\b

Corroborative evidence keywords

ot cyber incident reports, cyber, incident, reports, critical, infrastructure, systems, SCADA, PLC, DCS, HMI, Modbus, Modbus TCP, Modbus RTU, DNP3, OPC-UA, OPC Classic, IEC 61850, IEC 60870, IEC 60870-5-104 (+38 more)

Proximity: 300 characters

Should match

• OT cyber incident — Primary topic phrase match
• ics incident — Case-insensitive topic phrase match
• industrial cyber — Alternative topic phrase match
• SCADA compromise — Additional topic phrase match

Should not match

• unrelated generic text without domain phrases — No relevant topic phrases present
• placeholder value 12345 — Random text should not match topic-specific regex
• ot cyber incident report — Generic word pair from old broad template should not match

Known false positives

• Common words and phrases related to ot cyber incident reports appearing in policy documents, training materials, HR templates, or compliance guidelines without actual personal data. Mitigation: Require corroborative evidence keywords within the proximity window to confirm sensitive data context rather than general discussion.
• In English (as the primary international business language), similar terminology used in formal or administrative contexts (education, professional documentation) that does not constitute sensitive data collection. Mitigation: Layer with additional contextual signals such as structured identifiers, form fields, or database column headers to distinguish sensitive records from general references.
• High-frequency pattern matches in large document corpora due to broad regex anchors. Expected match rate is significantly higher than specific identifier patterns. Mitigation: Tune confidence thresholds for bulk scanning. Consider using this pattern primarily as a pre-filter with secondary validation.

References

• https://www.legislation.gov.au/C2018A00029/latest/text
• https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism
• https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/preventing-preparing-for-and-responding-to-data-breaches/data-breach-preparation-and-response