Everyone Needs AIR: An Agnostic Incident Reporting Framework for Cybersecurity in Operational Technology

📅 2025-10-22
🤖 AI Summary
The convergence of Operational Technology (OT) and Information Technology (IT) expands the attack surface, yet existing standards leave a gap in incident response data collection: OT standards call for incident reporting and evidence preservation but do not specify which data items to capture, while IT frameworks define reporting content but overlook OT's real-time constraints and resource limitations. To address this, the authors propose AIR, a technology-agnostic framework for live OT incident reporting. AIR defines a 25-element universal reporting structure spanning technical, managerial, and compliance dimensions, organised into seven functional groups that capture incident context, chronology, impacts, and actions. Rather than replacing existing frameworks, AIR overlays them: it is mapped to mainstream OT standards (e.g., IEC 62443) and defines activation points at which a reporting element triggers the corresponding step in an established OT framework, without dependence on any vendor. Validated through a retrospective application to the 2015 Ukrainian distribution grid cyberattack, AIR provides a systematic, traceable mapping from high-level security requirements to concrete reporting fields. The authors argue this improves cross-organisational situational awareness and coordinated response during an incident, and lays a foundation for standardised OT incident reporting.

📝 Abstract
Operational technology (OT) networks are increasingly coupled with information technology (IT), expanding the attack surface and complicating incident response. Although OT standards emphasise incident reporting and evidence preservation, they do not specify what data to capture during an incident, which hinders coordination across stakeholders. In contrast, IT guidance defines reporting content but does not address OT constraints. This paper presents the Agnostic Incident Reporting (AIR) framework for live OT incident reporting. AIR comprises 25 elements organised into seven groups to capture incident context, chronology, impacts, and actions, tailored to technical, managerial, and regulatory needs. We evaluate AIR by mapping it to major OT standards, defining activation points for integration and triggering established OT frameworks, and then retrospectively applying it to the 2015 Ukrainian distribution grid incident. The evaluation indicates that AIR translates high-level requirements into concrete fields, overlays existing frameworks without vendor dependence, and can support situational awareness and communication during response. AIR offers a basis for standardising live OT incident reporting while supporting technical coordination and regulatory alignment.
Problem

Research questions and friction points this paper is trying to address.

Developing a framework for live incident reporting in OT cybersecurity, where existing OT standards require reporting but do not specify what data to capture
Addressing the gap between IT incident reporting guidance, which defines content, and OT constraints (real-time operation, limited resources), which it does not account for
Providing standardised data capture that supports coordination across technical, managerial, and regulatory stakeholders
Innovation

Methods, ideas, or system contributions that make the work stand out.

AIR framework standardises live OT incident reporting with a technology-agnostic structure
Organises 25 reporting elements into seven groups covering incident context, chronology, impacts, and actions
Overlays existing OT frameworks without vendor dependence, with activation points mapped to major OT standards, and is evaluated retrospectively against the 2015 Ukrainian distribution grid incident