What Is an OT Incident Response Tabletop Exercise? Why Every Industrial Operator Needs One
An incident response plan sitting in a shared drive is not the same as an incident response capability. The difference between the two is revealed under the pressure of a real incident, when the plan meets the reality of a process running at full capacity, a vendor who cannot be reached, and a management team asking for answers before the security team has any.
A tabletop exercise, also called a TTX or IR tabletop, is the method for closing that gap before a real incident forces it open. It is a facilitated, scenario-based exercise in which the response team works through a simulated attack scenario using existing plans, tools, and decision-making frameworks, without any real systems being affected. What emerges is a clear picture of where the plan is solid, where it has gaps, and where the team's assumptions about what would happen do not match what would actually happen.
For OT environments, this exercise is not optional. NERC CIP-008 requires covered entities to test their cyber security incident response plan annually. TSA Pipeline Security Directives require covered pipeline operators to test OT-specific response plans. Beyond regulatory requirements, a tabletop exercise is the only way to find out whether your OT incident response plan actually works before you need it.
What a Tabletop Exercise Is, and What It Is Not
A tabletop exercise is a discussion-based, facilitated scenario. No systems are touched. No networks are scanned. No actual malware is deployed. The participants sit in a room or join a call, and the facilitator presents a scenario that unfolds in stages. The team discusses what they would do, who would make which decisions, who would communicate with whom, and what tools and information they would need.
What a tabletop exercise is not:
- A red team exercise: no active exploitation occurs
- A penetration test: no systems are accessed or tested
- A training course: participants are expected to bring existing knowledge; the exercise tests that knowledge, it does not impart it
- A compliance checkbox: a poorly designed exercise with scripted answers satisfies the regulatory requirement but does not build the capability
Why OT Tabletop Exercises Are Different from IT Tabletop Exercises
IT incident response tabletops test well-understood response flows: identify, contain, eradicate, recover. The containment step typically means isolating a host. The eradication step means removing malware. The recovery step means restoring from backup.
In OT, every one of these steps has an additional dimension: operational consequence. Isolating a PLC to contain an incident may stop a running process. Eradicating malware from an HMI may require taking it offline and restoring from backup, which requires the process to be shut down first. Recovery from a ransomware attack that encrypted PLC project files requires vendor engineering software, licensing, and a tested restoration runbook, not just a file restore from tape.
OT-specific tabletop exercises test these dimensions explicitly. They include operations leadership in the scenario, not just the IT security team. They force decisions about whether to continue running the process or shut down proactively. They test communication flows between the security team, operations, the safety team, the vendor, and executive leadership.
Common OT Tabletop Scenarios
|
Scenario |
Industry Application |
Key Decision Points Tested |
|
Ransomware encrypts historian and engineering workstations; PLCs unaffected but isolated from supervisory control |
All sectors |
Isolated operation decision; backup restoration timeline; vendor contact escalation; regulatory notification |
|
Unauthorized PLC logic modification detected by passive monitoring during night shift |
Manufacturing, Oil and Gas, Utilities |
Shutdown vs continue decision; forensic investigation without disrupting production; IT/OT boundary investigation |
|
Vendor remote access credentials compromised; unknown access to SCADA server |
Pipeline, Utilities, Pharma |
Vendor access revocation; assessing what was accessed; process integrity verification; TSA or NERC notification |
|
Phishing attack compromises IT network; lateral movement attempt toward OT detected at IT/OT boundary |
All sectors |
IT/OT boundary response coordination; OT team notification; escalation decision; containment without OT disruption |
|
Process anomaly detected that could be cyberattack or equipment failure |
Refining, Chemical, Pharmaceuticals |
Distinguishing cyber from physical failure; safety team involvement; shutdown decision; parallel investigation tracks |
How to Run an OT Tabletop Exercise
Phase 1 — Preparation
Effective preparation takes two to four weeks before the exercise date. This phase covers: selecting the scenario based on the most realistic threat profile for the organization's sector and current security posture; confirming participant list (operations, IT, security, safety, executive leadership, legal, communications); distributing the current OT incident response plan for participants to review; and agreeing on the scenario parameters and any constraints the facilitator needs to apply.
Phase 2 — Scenario Injection
The exercise begins with the facilitator presenting the initial scenario: a brief description of the starting conditions. Participants are given the same information they would have in a real incident at that moment, which is typically limited and ambiguous. The facilitator then injects additional scenario developments at defined decision points, simulating how a real incident unfolds over time.
Phase 3 — Discussion and Decision Points
At each scenario inject, the facilitator asks the team to discuss what they would do. This is where the plan gaps emerge: who makes the decision to shut down a process? What is the notification threshold for executive leadership? Who contacts the vendor? What is the escalation path if the primary contact is unavailable? What information would operations need before agreeing to a shutdown? The facilitator documents the discussion without scripting the answers.
Phase 4 — After-Action Review
The after-action review, conducted immediately after the exercise while the scenario is fresh, identifies three categories of output: what worked, what needs improvement, and specific action items with owners and timelines. The action items are the deliverable that makes the exercise valuable. Backup and recovery runbooks that the exercise reveals are untested, communication trees with gaps, or shutdown decision authorities that are unclear all become action items assigned to specific owners before the next exercise.
Who Should Be in the Room
The participant list for an OT tabletop exercise should include more than the IT security team:
- OT engineering and operations leadership: the people who own the running process and make operational decisions
- IT security team: for IT/OT boundary scenarios and corporate network involvement
- Process safety team: for scenarios affecting safety-critical systems
- Executive representative: to test communication and decision-making at the leadership level
- Legal and communications representative: for regulatory notification and external communication scenarios
- Key vendor contacts (optional): for scenarios involving vendor remote access or specialized recovery
Regulatory Requirements for OT Tabletop Exercises
NERC CIP-008-6 requires Bulk Electric System operators to test their cyber security incident response plan at least once every 15 months. The test can be a tabletop exercise, a functional exercise, or an actual incident response, with documentation of the test and any identified improvements.
TSA Pipeline Security Directive SD02D and its successors require covered critical pipeline operators to develop and test OT cybersecurity incident response procedures. NERC CIP compliance documentation requirements mean that the tabletop exercise needs to be formally documented with participant list, scenario summary, findings, and action items.
Frequently Asked Questions
How long should an OT tabletop exercise take?
A well-structured OT tabletop exercise runs three to four hours for a single scenario with full discussion. Half-day formats allow for a more complex scenario with multiple injects. Full-day formats can include two scenarios covering different attack types. The after-action review adds 30 to 60 minutes. Exercises shorter than two hours rarely generate the depth of discussion needed to surface meaningful gaps.
Who should facilitate an OT tabletop exercise?
The facilitator should be someone who understands both OT security and industrial operations, can interpret the process context of decisions being made, and can inject realistic scenario developments without revealing answers. Internal facilitation works if someone with this combined background is available. External facilitation from an OT security firm brings additional value because an external facilitator can challenge assumptions, introduce threat intelligence that the internal team may not have, and provide a more objective view of the gaps the exercise reveals.
What is the most common finding from OT tabletop exercises?
The most consistently revealed gap in OT tabletop exercises is unclear decision authority for the shutdown or continue decision. When an incident affects a running process and the security team recommends isolating a device that would stop production, who has the authority to approve that action? In most organizations, this decision is not explicitly documented in the incident response plan. The exercise reveals that the security team, operations leadership, and executive management all have different assumptions about who owns this decision. Clarifying it before a real incident is the highest-value outcome of an OT tabletop exercise. See the OT incident response service for how we structure this within a broader IR program.
Can we conduct an OT tabletop exercise remotely?
Yes. Remote tabletop exercises, conducted over video conference with shared scenario documents, are effective and increasingly common for distributed teams with personnel at multiple sites. The facilitator needs to be more deliberate about ensuring all participants are engaged, and the technical discussion of scenario injects is slightly harder to manage remotely. For exercises involving operations and safety leadership who are co-located at a facility, a hybrid format with those participants in the same room and remote participants joining by video tends to work well.
|
Ready to strengthen your OT security posture? We help industrial operators build practical OT security programs that work within real operational constraints. Book a free consultation to discuss your environment. |