Nearly 40% of ICS/OT incidents disrupt operations, and recovery can take weeks. This blog explains why engineering-led incident response tabletops are critical for safety, coordination, and faster recovery.

According to the SANS State of ICS/OT Security 2025 Report, one in five industrial organizations faced a cybersecurity incident in 2025. Nearly 40% of incidents disrupted ICS/OT operations, and almost 20% of facilities required over a month to fully recover. Mature ICS/OT organizations mitigate this by adopting Control #1 of the Five ICS Critical Controls: a dedicated, engineering-informed, ICS/OT incident response tabletop, exercised quarterly.

The SANS survey data is a clear indicator that the operational impact of ICS/OT cyber incidents is escalating. What stands out is not only the frequency of events, but the depth of disruption inside engineering environments. Nearly 40% of real-world incidents affect ICS/OT operations. These are incidents that cascade into safety, production quality, workforce scheduling, and upstream and downstream supply chains.
The long recovery windows reported by almost 20% of affected facilities illustrate that industrial environments face a fundamentally different recovery curve than IT systems. Physical processes, engineering safety parameters, vendor coordination, and regulatory requirements must be considered at every step. That’s why Control #1 of the SANS ICS Cybersecurity Critical Controls prioritizes ICS/OT-dedicated, engineering-informed tabletops and makes them a requirement for all ICS/OT cybersecurity programs, regardless of sector.
As part of my field work, I am very passionate about high-value ICS/OT incident response tabletop exercises! From crafting the threat-intel-driven scenario, to on-site plant walkthroughs with the engineering and security staff, facilitating the exercises, capturing the teams’ wins, and providing a practical, prioritized after-action report, there is value the entire way through!
The SANS survey findings reinforce what those working directly with industrial systems have known for years: preparedness for an ICS/OT cybersecurity incident is best when the right people are involved. That means the IT support network staff and, of course, the production teams in engineering. In fact, when engineers, operators, and field technicians actively participate in or lead ICS/OT tabletop exercises, organizations are almost twice as likely to demonstrate real engineering readiness against cyber threats that can affect safety and the business.
Engineering, operations, and maintenance personnel bring insight that IT-driven scenarios can’t replicate. For example, a scenario that appears “contained” from a traditional operating system endpoint perspective may still carry unacceptable physical consequences, such as unexpected engineering setpoint variations or legitimate industrial network commands and protocols being abused. ICS/OT-tailored tabletops anchored in real engineering behavior help clarify roles during industrial incidents, helping teams avoid the operational confusion that frequently prolongs engineering recovery.

The engineering staff who work hands-on with HMIs, PLCs, and control loops understand how a cyber event can disrupt processes, jeopardize reliability, and introduce safety risks. Having engineering front and center in ICS/OT cybersecurity efforts shifts tabletop exercises from traditional IT-driven discussions to engineering-aligned practices, which then apply to the majority of the business that does not operate like an IT support network.
Industrial control system tabletops will always fall short when engineering is not fully involved throughout the planning and execution of an ICS/OT incident response exercise. In any organization that depends on ICS or OT, the operational technology isn’t just part of the business: ICS/OT is the business.
As ICS/OT IR exercise frequency increases (quarterly for the 25% of facilities that have matured), teams that practice regularly build stronger cross-functional coordination across engineering, operations, and cybersecurity. This pays off immediately in OT and engineering workflows: lessons learned from each scenario turn into concrete updates to OT-dedicated incident response playbooks aligned with The Five ICS Cybersecurity Critical Controls, such as improved engineering alarm thresholds, secure architecture changes on OT firewalls, improvements to remote access control lists, a focus on ICS/OT-aware threat detection through ICS network visibility, and rapid industrial incident response.
Quarterly ICS/OT incident response tabletop exercises reinforce realistic IR muscle memory across engineering, operations, IT, cybersecurity, safety, and leadership teams. A regular cadence allows teams to test new realistic scenarios and new changes to their defences, demonstrating ICS/OT security program maturity and highlighting new areas where procedures must adapt as environments, personnel, and threats continue to change.
Facilities that clearly define IT–OT cybersecurity and engineering responsibilities during tabletops, and routinely validate their ICS/OT IR plans, are consistently more prepared for real industrial-grade cyber incidents. Their teams respond faster, reduce production recovery time, minimize financial impact, and maintain safety, practices that stand up in both audits and real-world industrial incidents.
Leadership plays a decisive role in reinforcing the cultural and operational expectations required for effective ICS/OT response. The facilities that outperform their peers are not merely those with more tools; they are the ones where leaders support and enable repeated practice by prioritizing time for it. Leadership-backed tabletops also clarify governance boundaries, reducing the ambiguity in roles and responsibilities that slows response, inflates recovery time and cost, and jeopardizes physical safety on site. When leaders expect engineering-informed cybersecurity planning and insist on validating ICS/OT IR plans, teams respond with tighter coordination and more decisive action during real events.
SANS is a trusted training partner to help ICS practitioners level up their security posture.
These courses also align directly with the survey’s observation that organizations struggle most when teams lack a shared vocabulary and defined roles and responsibilities during industrial incidents. Leveling up begins with creating that shared foundation, which in this case is ICS/OT specific. When IT, OT, engineering, and operations teams train against the same principles and rehearse realistic engineering-driven tabletop scenarios, they develop a converged understanding of physical process risk and of the adversary tradecraft seen in ICS/OT environments that goes beyond traditional IT attacks, and they focus on the decision points that matter most: those that prioritize the safety of people and the engineering process. This is what enables faster threat detection, safer containment, and engineering-focused recovery.
Download your copy of the SANS State of ICS/OT Security 2025 Report here.


Dean Parsons, CEO of ICS Defense Force, teaches ICS515 and co-authors ICS418, emphasizing ICS-specific detection, incident response, and security programs that support OT operations—aligning practitioners and leaders on clear, defensible action.