Operational technology (OT) networks are increasingly coupled with information technology (IT), expanding the attack surface and complicating incident response. Although OT standards emphasise incident reporting and evidence preservation, they do not specify what data to capture during an incident, which hinders coordination across stakeholders. In contrast, IT guidance defines reporting content but does not address OT constraints. This paper presents the Agnostic Incident Reporting (AIR) framework for live OT incident reporting. AIR comprises 25 elements organised into seven groups to capture incident context, chronology, impacts, and actions, tailored to technical, managerial, and regulatory needs. We evaluate AIR by mapping it to major OT standards, defining activation points for integration and triggering established OT frameworks, and then retrospectively applying it to the 2015 Ukrainian distribution grid incident. The evaluation indicates that AIR translates high-level requirements into concrete fields, overlays existing frameworks without vendor dependence, and can support situational awareness and communication during response. AIR offers a basis for standardising live OT incident reporting while supporting technical coordination and regulatory alignment.