The integration of Industrial Control Systems (ICS) with IT systems has increased the ICS’ exposure to cyber threats.We have seen a tremendous increase in the number of security incidents happened to ICS in the past five years. This requires the ICS to provide effective incident response capabilities to counteract security attacks. Previous research on ICS incident response has been focusing on incident detection and analysis. This paper examines the current ICS incident response procedure from a managerial perspective, identifies the unique characteristics of ICS incident response and proposes a framework to improve incident response capabilities. In particular, it evaluates the benefit of agile values to address specific characteristics of ICS Incident Response. This foundational work sets the scene for future research to apply agile practices into ICS Incident Response.