
Proactive Cybersecurity: Tabletop Exercises in OT

By Erik Moreno - Minsait Mexico
Director of Cybersecurity

Mon, 06/24/2024 - 10:00

In today's cybersecurity landscape, threats are becoming increasingly sophisticated and persistent, affecting organizations of all sizes and sectors. Operational technologies (OT) have become a primary target due to their crucial role in critical infrastructure and industrial processes. To address this challenge, Tabletop exercises have emerged as essential in preparing for and responding to cybersecurity incidents.

Why are Tabletop exercises important in OT?

Many organizations already have cybersecurity plans documented in manuals, but they have never been tested, and decision-makers are not fully aware of them because they have never been put into practice.

A Tabletop exercise is an interactive simulation that tests an organization's ability to respond to a cyberattack in a controlled environment. This type of exercise is conducted in a conference room where participants, including business leaders and key personnel, face a hypothetical cybersecurity scenario. Throughout the exercise, incident detection and response plans are evaluated, as well as the effectiveness of decision-making and communication during a crisis.

Tabletop exercises allow organizations to assess their level of preparedness for cyberattacks. By simulating incidents in a safe environment, they can identify gaps in response plans and areas that require improvement.


Six Key Steps for an Effective Tabletop Exercise in OT

To better understand how this Tabletop practice unfolds in an industrial environment (OT) and to conduct an objective evaluation of response capabilities, the following six key steps are described:

 

  1. Know the Organization and Its Industry. A cyberattack Tabletop exercise begins with a thorough study of the industry to which the organization belongs and the context in which it operates. For example, if it is an automotive manufacturer, it is necessary to know this sector as well as possible: the overall market behavior, challenges and opportunities, profitability, and the influence of political, social, and economic factors on it.

It is vital to have an overview of the company's financial performance and of the impact a cyberattack would have on manufacturing, production lines, and business areas, including which products are the best-selling and the penalty that applies if they are not delivered on time due to an interruption.

This phase also considers the main tactics cyberattackers use to target a specific industry, whether it is manufacturing, automotive, food, or energy, for example. It should be noted that each sector has characteristic attack vectors that threat agents have studied carefully.

 

  2. Understand the Environment. An OT environment is managed very differently from an IT environment, but they converge at a critical point: understanding the environment in which they operate is essential. Therefore, it is necessary to precisely know the existing critical systems; otherwise, they can become the weakest points of industrial environments.

What would happen if one of those critical systems were compromised? The response must consider the impact an attack would have on the operation and the availability of industrial systems.

 

  3. Create Realistic Scenarios. Thinking like the enemy is very useful when creating scenarios as close to the organization's reality as possible. Reviewing documented cases of cyberattacks directed at OT environments in the industry where the company operates will be vital, as they can provide a broader picture of how cybercriminals act and which tactics are most used to successfully carry out their attacks.

Thinking like an attacker also makes it possible to structure a Tabletop exercise around the scenarios in which the organization operates daily.

 

  4. How the Attack Will Be Executed. Even though it is a drill, consider that a threat can arrive at any time and know how different actors will respond if it materializes at any given moment.

For the Tabletop exercise, it is first necessary to define how the threat will reach the organization, whether through a well-designed phishing attack directed at OT personnel or another vector.

This exercise includes creating fake social media profiles that will report on the cyberattack and observing how the internal and external communication area handles the crisis. This must be done very carefully, as in the real world, not reporting an attack or doing it incorrectly can result in non-compliance and penalties.

How the legal, communication, and senior management areas respond to the inquiries and calls they receive from customers, suppliers, media, and authorities is an aspect that should be closely observed in this practice. These stakeholders will be under high stress, and attention should be paid to their reactions and responses, providing crisis management and media relations training if necessary to give them the tools to act at any given moment.

Additionally, it should be evaluated how employees will share information about the attack and whether they are revealing confidential information. It is, therefore, a critical communication strategy for the organization that goes beyond merely technological aspects.

 

  5. Recreate the Worst-Case Scenario. In Tabletop exercises in industrial environments, the worst-case risk scenarios should always be considered. Could there be human losses or injuries? Would the environment be affected? Would an essential service to society such as health, transportation, or electricity be interrupted? Would the supply chain be interrupted, putting the supply of essential products at risk?

Posing the most catastrophic scenario allows for a better understanding of how the organization responds, particularly when key members are subjected to high levels of stress.

 

  6. The Client Is Also Part of the Equation. Such a comprehensive job should not exclude the organization's clients, as the commitment to them is to understand and meet their needs and prevent them from being affected in the process. Hence the importance of effectively managing communication with them during a crisis and considering them in the Tabletop strategy design.

It should not be overlooked that in a real scenario, the client will demand damage repair and will be attentive to how the organization responds.

 

Continuous Improvement 

Tabletop exercises help organizations strengthen their incident detection and response strategy and are linked to a continuous improvement cycle. In fact, it is recommended to conduct two exercises a year with different possible scenarios.

One of the advantages of a Tabletop exercise is that it does not require significant investment, since there are no sophisticated technical components involved. Because it is a cross-functional exercise rather than a technological one, it involves various areas, not just IT, in evaluating the organization's detection and response capabilities.

Finally, due care and due diligence should be emphasized throughout the development of the Tabletop exercise, so that each phase is executed carefully and effectively for the organization.

 
