Top 5 ICS Incident Response Tabletop Exercise Scenarios for 2025
How prepared is your organization to respond to an industrial control system (ICS) cyber incident? How resilient is it against ransomware that could impact safety and operations? Does your organization have the ability to detect advanced persistent threats that use modern attack methodologies against your critical infrastructure?
Regularly conducted incident response tabletop exercises are part of a mature ICS Security Program. They identify weak points in security efforts and enable proactive defense against this range of threats.
ICS Incident Response Tabletops Explained
ICS incident response tabletops are much like the pre-game practice drills that sports teams, hockey teams for instance, run before a game. Like pre-game drills, ICS incident response scenarios are designed to test everything that will be needed once the game begins. In this case, however, the game is the serious business of cybersecurity, and it requires ICS defense capabilities, safety processes, and cyber preparedness. These proactive initiatives test the effectiveness of an ICS Security Program before an attack occurs. Tabletops are paper-based, conducted as roundtable discussions guided by an Incident Response Plan, knowledge of the engineering processes, and an understanding of the existing ICS security defenses. Weak points are identified and assigned for immediate remediation in order to strengthen the program.
The question is, how will your industrial organization respond once the “game” begins?
The Benefits of the ICS Incident Response Tabletop
ICS incident response tabletops provide a high return on investment in several important areas.
- Validation: The tabletop exercises validate readiness by comparing the defenses a scenario demands against the controls already in place. Areas of improvement are identified in industrial incident response plans, security, and safety playbooks. Simultaneously, tabletops help train new and established team members on the industrial process and ICS-specific security.
- Situational Awareness and Team Building: Reviewing threat intelligence with the teams involved will educate them about adversary capabilities and attack techniques. Regularly performing tabletops will establish and strengthen cross-departmental relationships needed for incident response events that could span multiple industrial sites across large geographic regions.
- Practical Defense Actions: Tabletop exercises can identify gaps in such critical areas as threat detection, data source collection, log correlation, network segmentation changes, access control updates, security and safety process changes, and the communication of roles and responsibilities. Effectiveness in all of these areas is key for a mature program. Tabletop actions will directly improve overall response time, reduce impacts on the engineering process, and increase safety.
Planning and Running ICS Tabletops
- Planning: Planning time will vary depending on team size, the scenario, resources, etc., but it typically can take anywhere from a few days up to 30 days. Even a planning phase of just 2 to 5 days is enough to provide value in the outcome. Spend time up front properly selecting realistic scenarios for your environment and selecting the right teams. Include as many team players and observers as is practical.
- Tabletop Goals: Are you testing newly deployed technology, training new team members, or using recent threat intelligence and sector events to validate or update your ICS Incident Response Plan? Or are your tabletops driven by compliance requirements? Set the goal and adhere strictly to timelines and frequency. Adhering to safety requirements will also be a goal in ICS.
- Frequency: Some compliance programs suggest that tabletops be run every 15 months (for example, the NERC-CIP-008-6 Table R2 – Cyber Security Incident Response Plan Implementation and Testing). It is common practice to run a tabletop annually, and the exercise can be aligned with budget cycles.
- Designate a Facilitator: A facilitator will keep things on track to ensure that the scenario is completely walked through and tested against the ICS Incident Response Plan. A facilitator can also ensure that everyone involved is engaged to maximize discussion, that notes are recorded, and that actions are assigned to individuals.
ICS Teams
Include all teams that are practical to involve. Invite observers to listen to the discussions for training purposes. Start with the following:
- Safety: Include the on-site safety and emergency response team.
- Physical Security: Include the on-site facility physical security team.
- Compliance: Ensure that legal and regulatory compliance requirements are met.
- Cybersecurity: Since cybersecurity drives the scenario, participants must understand the defenses and the Incident Response Plan, the technologies and the industrial operations process, protocols, critical assets, the network layout, etc.
- Engineering: Include process control and field device technicians.
- Operator: These are the persons who control the process via remote and embedded HMIs, etc.
- Management: Management and director-level stakeholders for all teams involved need to have an awareness and understanding of ICS cybersecurity risk, impacts, protections, budget, resourcing, etc.
Scenario Selection and Exercise Execution
- Scenarios for ICS: Select one of several suggested scenarios outlined in this document to get you started. Scenarios should be based on closing known gaps already identified in the program and on significant industry events that have occurred in your sector. Such a threat-centric approach leverages ICS threat intelligence specific to your sector.
- Run Time: Run time will vary depending on the size of the teams involved and the complexity of the scenario selected. A typical tabletop for ICS can run from 2–3 hours to 1–2 days. Longer and more involved incident response exercises such as Hybrid or Live can run for several days.
- Closing Gaps: Designate a person to take notes of related action items to be assigned to specific individuals. These actions might include investigations, enabling security features, completing assigned training related to a role, using a new ICS security tool, changing a network design (for example, aligning to Purdue), implementing new processes or technologies, etc.
- Mini-Project, Action Tracking: Some ICS programs run tabletops as a small project internally or with an external third party. With either approach, it is common to see project managers dedicated to ensuring that tasks are completed on time and with an appropriate budget. Tracking tasks can follow the SMART (Specific, Measurable, Achievable, Realistic, Timely) objectives.
ICS Scenarios – Include Critical and Targeted Assets
There are many critical engineering ICS assets to protect, including physical systems and digital systems, and they usually span several geographic areas. Threat intelligence indicates these assets have been targeted in observed ICS attacks. At a minimum, the following critical ICS assets should be included in your scenarios:
- Data Historian: This database stores operational process records. It can be abused to pivot from a compromised asset in IT to one in the ICS network(s).
- Engineering Workstation: This workstation has access to software to program and change PLCs and other field device settings/configurations. Be aware of its location and of normal and abnormal access attempts to and from it. Pay attention as well to data exfiltration connections from the engineering workstation.
- Human Machine Interface (HMI): The HMI is a visual interface between the physical process and operators that is used to review and control the process. Remote access, if required, should have secure, heavily controlled, and monitored multi-factor authentication.
- Programmable Logic Controllers (PLCs): PLCs interface with physical equipment in the real world and run logic code that reads or changes the state of the engineered process. Safety Instrumented System (SIS) safety controllers are one example.
The Top 5 ICS Incident Response Tabletop Scenarios for 2025
Each of the following scenarios includes updates reflecting 2025 best practices, threat intelligence insights, and cross-domain coordination based on lessons learned across ICS sectors:
- Scenario 1: Living off the Land – Native Industrial Control System Protocol Abuse. Engineering teams observe anomalous ICS protocol activity (e.g., unusual scanning rates or unexpected commands using OPC, IEC-104, Modbus/TCP, or DNP3). The CRASHOVERRIDE malware framework remains relevant and evolving.
- Scenario 2: Human Machine Interface Hijack – Suspicious On-Screen Activity. Operators report mouse movement on an HMI without active user control. Updated discussions include whether secure jump hosts are required and how MFA logs are monitored.
- Scenario 3: Physical Access to Cyber Access Event. An attacker cuts through the physical fence and gains access to the network. More scenarios now integrate drone surveillance or adversary use of AI-generated audio for social engineering of on-site personnel.
- Scenario 4: Ransomware on IT or ICS/OT Networks. The ransomware scenario now assumes encrypted HMIs and unavailable historian services. Many facilities are building response plans that isolate historian data to reduce pivot risk.
- Scenario 5: Network Pivot from IT to OT via Data Historian. This scenario places increased emphasis on segmented AD environments, enforcement of separate credential vaults, and MFA monitoring on all historian-access paths.
- Bonus Scenario: Contaminated Transient Device. Transient device threats persist, but exercises now include simulating improperly wiped contractor laptops and adding kiosk scanning stations at Purdue Level 3 as a safeguard.
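As an added example for Scenario 1 (not code from the original article), the following Python parses Modbus/TCP request frames and flags two of the anomalies the scenario describes: write function codes from any host other than an assumed engineering workstation, and per-source request rates above an assumed threshold. The IP addresses, threshold and sample traffic are constructed for illustration.

```python
# Added example: Scenario 1 detection logic run over constructed Modbus/TCP frames.
import struct
from collections import Counter

# Modbus function codes that modify controller state (standard codes).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Assumed site baseline (hypothetical values): only the engineering
# workstation may write; normal HMI polling stays well under the rate limit.
AUTHORIZED_WRITERS = {"10.10.3.20"}   # engineering workstation (assumed)
MAX_REQUESTS_PER_SECOND = 20          # per-source rate threshold (assumed)

def parse_modbus_tcp(frame: bytes):
    """Return (unit_id, function_code) from a Modbus/TCP request, or None if malformed."""
    if len(frame) < 8:
        return None
    # MBAP header: transaction id, protocol id (0 = Modbus), length, unit id.
    _, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0 or length != len(frame) - 6:
        return None
    return unit_id, frame[7]           # first PDU byte is the function code

def analyze(records):
    """records: iterable of (timestamp_seconds, src_ip, raw_frame). Returns alert strings."""
    alerts, per_second = [], Counter()
    for ts, src, frame in records:
        parsed = parse_modbus_tcp(frame)
        if parsed is None:
            alerts.append(f"{src}: malformed Modbus/TCP frame")
            continue
        unit_id, fc = parsed
        per_second[(src, int(ts))] += 1
        if fc in WRITE_FUNCTIONS and src not in AUTHORIZED_WRITERS:
            alerts.append(f"{src}: unexpected {WRITE_FUNCTIONS[fc]} (FC {fc}) to unit {unit_id}")
    for (src, sec), n in sorted(per_second.items()):
        if n > MAX_REQUESTS_PER_SECOND:
            alerts.append(f"{src}: {n} requests in second {sec} exceeds rate threshold")
    return alerts

def mbap(tx, unit, pdu):
    """Build a Modbus/TCP frame around a PDU (length counts unit id + PDU)."""
    return struct.pack(">HHHB", tx, 0, len(pdu) + 1, unit) + pdu

# Constructed sample traffic: normal HMI reads (FC 3), one write (FC 6) from an
# unauthorized host, then a 30-request burst from that host resembling a register scan.
SAMPLE = (
    [(100.0 + i * 0.25, "10.10.3.50", mbap(i, 1, b"\x03\x00\x00\x00\x0a")) for i in range(4)]
    + [(101.0, "10.10.3.77", mbap(9, 1, b"\x06\x00\x10\x00\x01"))]
    + [(102.0 + i * 0.01, "10.10.3.77", mbap(20 + i, 1, b"\x03" + struct.pack(">HH", i, 1)))
       for i in range(30)]
)

if __name__ == "__main__":
    for alert in analyze(SAMPLE):
        print(alert)
```

In a tabletop, walking through which of these alerts the current monitoring would actually raise, and who receives them, exposes the detection and escalation gaps the scenario is meant to find.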
ICS Incident Response Tabletop Summary
Regular incident response tabletop exercises are part of a mature ICS Security Program. They work proactively to identify weak points in ICS defense efforts, build strong relationships among several teams, and are commonly driven by proactive defense or compliance requirements.
How to Start Your ICS Incident Response Tabletops
Select one of the presented realistic ICS Incident Response Tabletop Scenarios for your next exercise. Mature the process by creating your own scenario based on your ICS threat landscape by leveraging ICS threat intelligence, internal or external gap assessments, compliance reports, etc. Involve as many teams as practical, including Safety, Process Controls Engineering, Operators, ICS Network Architects, ICS Security, Plant Management, etc. Discuss, learn, take action, and repeat. ICS Defense Is Doable!
Want to Build Deeper ICS Incident Response Skills?
ICS security requires hands-on capabilities that bridge cybersecurity, engineering, and physical safety disciplines. These skills are developed through real-world labs in ICS515: ICS/OT Active Defense and Incident Response, which covers modern tabletop design, field device integrity checks, and threat detection strategies.
Note: AI-assisted content.