About this sample: This document represents the output of the thinking. The value is in the conversations that produced it — the site walk, the stakeholder interviews, the engineering judgements made along the way. What you are reading is the record. The work that matters happened before the first page was written.
Exercise Parameters

Client: [REDACTED]
Exercise Format: Full-Stack TTX
Duration: 7 Hours
Date: [REDACTED]
Participants: [N] across Ops/IT/Leadership
Scenario: Ransomware — OT Impact
Exercise Scenario

The exercise simulated a ransomware attack originating from a compromised vendor remote access session. The scenario progressed from initial detection of encrypted historian servers, through production impact decisions, to regulatory notification obligations and external communications management.

Key inject points included: discovery of encrypted systems, loss of SCADA visibility, management escalation, regulatory notification window, and media enquiry handling.

By Response Area

Detection & Initial Response: Partial
Escalation & Communication: Gap
Production Decision-Making: Partial
Regulatory Notification: Gap
Recovery Coordination: Partial
Note: Scores reflect exercise performance against documented procedures. Gaps identified are normal outcomes — the exercise exists to find them safely.
Identified Response Gaps
| Gap ID | Area | Observation | Priority |
|---|---|---|---|
| TTX-G01 | Escalation | No documented escalation path for cyber incidents in OT. Participants unsure who to call and in what order. Decision delayed by [X] minutes. | High |
| TTX-G02 | Regulatory | NIS2 notification obligation not understood by participants. No documented notification procedure. Regulatory contact details not known. | High |
| TTX-G03 | Production | No documented criteria for safe production shutdown decision. Decision made by consensus rather than procedure, causing [X] minute delay. | Medium |
| TTX-G04 | Communications | No pre-approved holding statement for external/media enquiries. Participants improvised — responses inconsistent across leadership. | Medium |
| TTX-G05 | Recovery | PLC and SCADA recovery procedure not documented. Engineering team uncertain of restoration sequence and safe-state verification steps. | High |
From the Exercise Floor
Within 20 minutes of the first inject, a critical gap in escalation authority was visible. The operations team knew there was a problem. They did not know who had authority to call an external response. That gap would not have appeared in a document review. It appeared because the scenario put the team under realistic pressure — which is exactly why the exercise exists.
Gap Closure Actions
| Gap | Action | Owner | Target |
|---|---|---|---|
| TTX-G01 | Develop and publish OT cyber incident escalation procedure. Test in next exercise. | [REDACTED] | 30 days |
| TTX-G02 | Map NIS2 notification obligations. Document process and rehearse with legal/compliance. | [REDACTED] | 60 days |
| TTX-G03 | Define production shutdown criteria and decision authority matrix. Embed in OT IRP. | [REDACTED] | 45 days |
What this enables: The full After-Action Report documents all observations across the exercise, all identified gaps, a prioritised action plan with owners and timescales, and recommendations for the next exercise scenario.