
ICS/OT-Specific Tabletop Exercises Matter More Now

ICS/OT cyber defense can’t just be theory; it must be practiced.

Authored by Dean Parsons

With the ever-increasing number of attacks on industrial control systems (ICS) and operational technology (OT), generic cybersecurity tabletop exercises (TTXs) are not enough. Industrial organizations should instead implement ICS/OT-specific incident response TTXs, like the ones that directly align with the 5 ICS Cybersecurity Critical Controls. These exercises shouldn’t just mark off compliance checkboxes. Instead, they must serve as proactive, high return on investment (ROI) security investments that improve operational resilience, safety, and response readiness. Best of all, they are applicable across all critical infrastructure sectors.

So, what are the benefits and returns on investment for ICS/OT cybersecurity TTXs? Here is a list of the top benefits with near immediate value.

Validation of Readiness

TTXs benchmark current defenses against real-world scenarios, revealing gaps in ICS/OT network visibility, threat detection, industrial-grade incident response, and engineering asset recovery. They reinforce the effectiveness of existing controls and incident response plans. Note, however, that the real value lies in ensuring that engineering teams are deeply involved and, in many cases, leading the way to make sure the scenario is engineering focused.

Situational Awareness & Team Building

ICS/OT TTXs create shared understanding across engineering, cybersecurity, operations, and safety teams. They converge IT and OT teams, build trust, clarify roles, and enhance communication, especially in high-stakes, multi-team incident response efforts.

Actionable Outcomes

ICS-focused TTXs identify concrete improvements: enhancing network segmentation, tuning threat detection, updating access controls, or deploying protocol-aware network monitoring solutions. These exercises often lead to smarter investments and faster remediation timelines.

Designing Effective ICS/OT Tabletop Exercises

To ensure your ICS/OT TTXs are relevant, high-impact, and maximize ROI, they must be engineering focused. Incorporate into the scenarios your most targeted and mission-critical assets, such as:

  • Data Historians
  • Engineering Workstations
  • Human-Machine Interfaces (HMIs)
  • Programmable Logic Controllers (PLCs)
  • Safety Instrumented Systems (SIS)

These assets are central to industrial processes and frequently targeted by adversaries. Including them in TTXs ensures your exercises mirror the actual threat landscape and help harden your most critical systems against what is targeting your ICS/OT environment today.

Final Thoughts

ICS/OT cyber defense can’t just be theory; it must be practiced. ICS/OT-specific TTXs are where that practice begins. Start small. Involve the right teams, especially engineering. Target your most critical assets. Turn findings into action. And repeat the process at least annually. Key site, by key site.

In ICS/OT security, preparation is protection, and security supports safety.

Level-Up Your ICS/OT Tabletop Game

Ready to take your ICS/OT security skills to the next level? Join me this fall for ICS515: ICS Visibility, Detection, and Response at SANS Orlando Fall 2025 starting October 27 and at SANS San Francisco Fall 2025 starting November 17.

In this hands-on course, I’ll walk you through how to identify your most critical assets, regardless of industry; gain real network visibility without disrupting operations; and detect both known vulnerabilities and stealthy adversary behaviors that threaten your process environment. Let’s strengthen the frontline of industrial defense together.

Be prepared for your next ICS/OT tabletop and so much more!