WHAT YOU ACTUALLY GET FROM AN OT TABLETOP EXERCISE
Plans don't fail in incidents. Assumptions do.
Most industrial organisations have an incident response plan. Very few have ever stress-tested it against a realistic OT cyber scenario with the people who would actually execute it. A tabletop exercise does not validate your plan — it reveals the gap between the plan you think you have and the capability you actually possess.
A Tabletop Is Not a Rehearsal — It Is a Discovery Process
The word 'exercise' implies a test of an existing capability. In OT environments, tabletop exercises rarely work that way — because the capabilities being tested often do not yet fully exist. What a tabletop actually does is surface, in a low-stakes setting, the organisational, technical, and communication failures that would compound an actual incident.
These failures are almost never about missing technical knowledge. They are about unclear decision authority — who can authorise isolating a compromised PLC when doing so will stop production? They are about communication breakdown — does your operations team know how to reach your ICS-specialised incident response retainer at 3am? They are about assumption collisions — what your security team thinks 'isolate the affected segment' means and what your control systems engineer knows it would actually do to process continuity are frequently very different things.
A well-designed OT tabletop exposes all of this in a conference room, with time to discuss and document. An undiscovered assumption collides with reality during an actual incident, with no time to recover.
The most valuable output of an OT tabletop exercise is rarely documented in the formal report. It is the moment in the room when two senior stakeholders realise they had fundamentally different assumptions about who owns a critical decision — and they resolve it before an incident forces the issue.
How OT Tabletop Exercises Have Matured
NERC's GridEx II (2013) brought large-scale grid security simulation to the energy sector, demonstrating at scale the communication and coordination failures that emerge when IT, OT, and operations teams must respond together.
Tabletop exercise design shifted from generic IT-style cyber scenarios to consequence-grounded OT scenarios that incorporate process safety, production loss, and regulatory notification timelines — making exercises far more operationally relevant.
Virtual tabletop delivery became mainstream, proving that effective OT crisis simulations could be conducted across geographically distributed teams — and revealing new coordination challenges introduced by remote-only participation.
Organisations began combining tabletop decision-making exercises with live technical injects from red team operators, creating hybrid exercises that stress-test both the response capability and the detection and containment tools simultaneously.
Regulatory pressure formalised tabletop exercise requirements for critical infrastructure sectors, shifting exercises from discretionary best practice to a documented compliance obligation with defined frequency and scope requirements.
The Five Concrete Deliverables a Good Tabletop Produces
A professionally facilitated OT tabletop exercise produces five concrete deliverables that have lasting value beyond the exercise day itself.
First, a decision authority map — clarity on who can authorise which response actions, at what point in an escalating incident, and under which conditions they can act without waiting for further approval. This addresses one of the most common failure modes in OT incident response: decision paralysis caused by unclear ownership.
Second, a communication failure inventory — the specific handoff points where information was lost, delayed, or misunderstood during the scenario. These become direct inputs to a communication plan update that specifies notification paths, escalation triggers, and out-of-band communication methods for when primary systems are compromised.
Third, a capability gap list — actions the response team needed to take during the scenario that they discovered they could not execute: isolating a specific PLC without vendor support, rolling back a historian to a known-good state, or safely operating a process in manual mode during a control system incident. These gaps drive targeted investment decisions.
Fourth, a tested scenario timeline — a realistic reconstruction of how long each response phase would actually take given real-world constraints. Response plans routinely assume that containment and recovery will take hours; exercises frequently reveal that the realistic timeline, given vendor engagement, regulatory notification, and operational decision cycles, is measured in days.
Fifth, organisational alignment — a shared understanding, across IT, OT, operations, legal, communications, and executive leadership, of what an OT cyber incident actually looks like and what it demands of each function. This alignment cannot be produced by a written plan. It requires the shared experience of working through a scenario together.
Why Tabletop Exercises Fail to Deliver Value
A poorly designed or poorly facilitated tabletop exercise wastes time, produces a superficial report, and leaves stakeholders with false confidence. These are the failure modes most commonly observed in OT exercise programmes.
Wrong Participants in the Room
Tabletops populated exclusively by security team members miss the cross-functional coordination failures that are the most valuable finding. Effective OT exercises require process engineers, operations supervisors, legal, communications, and executive decision-makers alongside the security team.
Scenarios That Do Not Reflect Real Threat Actors
Generic IT ransomware scenarios applied to OT environments fail to surface OT-specific challenges. Effective OT tabletop scenarios are grounded in actual adversary TTPs — Volt Typhoon pre-positioning, Industroyer-style protocol attacks, or supply chain compromise of an OT vendor — not repackaged IT scenarios.
No Consequence Injection in the Scenario
Scenarios that stop at 'the SCADA system is compromised' without exploring the process consequence — what happens to the physical process, the safety systems, the regulatory posture — never force participants to grapple with the decisions that will actually be hardest during a real incident.
Findings That Are Never Actioned
Exercise reports that sit unread and unimplemented are worse than no exercise at all — they consume budget without improving capability and create a paper record of known gaps that were not addressed. Findings must be converted to tracked remediation actions with owners and deadlines.
Exercises Treated as a Compliance Checkbox
Organisations that run annual tabletops because a framework or regulator requires it, rather than because they want to improve response capability, consistently design exercises that minimise discomfort rather than maximise learning. The result is a superficial pass with no meaningful output.
High-Value vs. Low-Value Tabletop Exercises
High-Value Exercise
- Cross-functional participants including operations, engineering, legal, and executive leadership
- Scenario grounded in real OT adversary TTPs and facility-specific consequence scenarios
- Injects that force difficult decisions: isolate vs. maintain, notify vs. contain, shut down vs. risk further compromise
- Post-exercise report with tracked findings, owners, and 90-day remediation deadlines
- Annual cadence with scenario variation to avoid rehearsed responses
Low-Value Exercise
- Security team only, with no operational or executive participation
- Generic ransomware scenario copied from an IT response playbook
- No process consequence injects — scenario stops at the IT/OT boundary
- Report delivered, filed, and never actioned
- Same scenario repeated annually to ensure a comfortable result
Building an OT Tabletop Programme That Improves Over Time
A single tabletop exercise is valuable. A recurring programme with escalating scenario complexity and tracked finding closure is transformative. Design for the programme, not just the event.
Design and Scope
Define the scenario, identify participants, and establish the baseline against which improvement will be measured. Scenario design should be grounded in consequence analysis and real threat actor TTPs relevant to your sector.
Execute and Capture
Run the exercise with a skilled facilitator who maintains realism, prevents comfortable deferrals, and captures decision points and gaps in real time. Observers document findings throughout.
Remediate and Repeat
Convert findings into tracked remediation actions, assign owners, and establish the next exercise cycle with an escalated scenario that tests the gaps identified in the first exercise.
Questions Worth Sitting With
Before scheduling — or skipping — your next tabletop exercise, sit with these.
If your most experienced OT engineer was unavailable during a real incident, would the rest of your team know what decisions they were authorised to make independently?
Has your executive team ever been in a room together working through a realistic OT cyber scenario — and do they understand what they would actually be asked to decide?
Are your tabletop exercise findings tracked to closure, or do they accumulate as a growing library of known but unaddressed gaps?
Does your current scenario challenge your team, or does it confirm what they already know how to do?
When an incident occurs at 2am on a weekend, does your team have a practiced, shared mental model of the first four hours — or will they be reading the plan for the first time?