Tabletop exercise covering OT incident
Description
What this control does
A tabletop exercise covering operational technology (OT) incident response is a structured, discussion-based simulation where key personnel walk through their response to a realistic OT-specific security scenario, such as ransomware affecting SCADA systems, HMI compromise, or PLC manipulation. Unlike traditional IT tabletop exercises, OT scenarios must address safety implications, physical process impacts, regulatory reporting requirements, coordination with engineering and operations teams, and manual failover procedures. Conducting these exercises ensures that incident response plans account for the unique constraints of OT environments, including uptime requirements, real-time process dependencies, and the potential for physical harm or environmental damage.
Control objective
What auditing this proves
Demonstrate that the organization conducts tabletop exercises simulating OT-specific incidents, validating that participants understand roles, communication protocols, and technical response procedures unique to operational technology environments.
Associated risks
Risks this control addresses
- Incident responders unfamiliar with OT protocols (Modbus, DNP3, OPC-UA) fail to correctly identify or contain lateral movement within industrial control networks
- Delayed or improper coordination between IT security teams and OT engineering leads to unsafe manual operations or uncontrolled process shutdown
- Failure to engage external stakeholders (regulators, utilities, emergency services) during critical infrastructure incidents results in regulatory penalties or public safety incidents
- Inadequate understanding of OT network segmentation and access controls allows attackers to persist across air-gapped or logically isolated production zones
- Lack of tested backup and recovery procedures for HMI, historian, and engineering workstation systems results in prolonged operational downtime
- Inability to distinguish between cyber-induced operational anomalies and legitimate equipment failures delays threat detection and escalation
- Uncoordinated public communications during an OT incident exposes proprietary process information or undermines stakeholder confidence
Testing procedure
How an auditor verifies this control
- Obtain the organization's OT incident response plan, tabletop exercise documentation, and participant list for the most recent OT-focused exercise.
- Verify that the exercise scenario explicitly addresses OT assets such as PLCs, SCADA systems, HMI interfaces, safety instrumented systems, or industrial network devices.
- Review the participant roster to confirm inclusion of OT engineering, plant operations, control system vendors, safety officers, and IT security personnel.
- Examine the exercise facilitator guide and injects to confirm they include OT-specific elements such as process safety decisions, manual control procedures, or vendor coordination.
- Interview a sample of three to five participants to assess their understanding of OT-specific response actions, such as isolating compromised controllers, engaging safety interlocks, or invoking manual operational procedures.
- Review the after-action report or lessons-learned document to identify gaps specific to OT incident response and verify corrective actions were assigned with due dates.
- Confirm that the exercise tested communication paths with external entities relevant to OT incidents, such as industrial control system vendors, regulatory bodies or regimes (e.g., NERC CIP, EPA), or mutual aid partners.
- Validate that the tabletop exercise occurred within the past 12 months and that a schedule exists for future OT-specific exercises at least annually.