Session

Control Systems Under Pressure: Strategies for Running Effective OT Tabletop Exercises

In this session, we’ll explore how to design and execute effective tabletop exercises specifically for OT environments. OT incident response is fundamentally different from IT, and tabletop scenarios must reflect the realities of SCADA architectures, limited staff, tool constraints, and the nuances of OT forensics. This session will present strategies that are pivotal for organizations to maximize the impact and effectiveness of their OT incident response tabletop exercises.

We’ll explore:

1. Designing Realistic OT Tabletop Exercises: How to build injects and flow to effectively test an organization’s OT incident response capabilities, not just documentation. OT tabletop exercises require specific response strategies that are very different from the IT world. Injects must take into account operational limitations and unique OT architecture, from control systems to remote access constraints.

2. Including IT in the Exercise: Some organizations choose to isolate their OT tabletops. Others see the OT to IT data flows as critical business processes and choose to test them together. These data integrations become not only a required resilience component but also a potential attack vector, particularly where custom code or custom-written connectors exist.

3. The Role of Third-Party Vendors: The OT vendor landscape requires organizations to adapt incident response in ways that IT doesn’t. In this part of the session, we'll discuss the proprietary nature of OT hardware and software and the impact that these vendors can have on IR cybersecurity practices.

Insights are drawn from over 25 years of experience handling both IT and OT breaches, offering actionable takeaways to help teams build tabletop exercises that surface real gaps and improve resilience.

Key Takeaways:

- Consider OT business processes and IR tool capabilities as part of exercise design.

- Evaluate the OT to IT data flow so that critical business processes are included in the test. Identify threats to business continuity and attack vectors.

- Understand the roles and risks of third-party vendors in the OT space, particularly special remote access requirements and proprietary administration tools that have the potential to be used nefariously.

Christopher Walcutt

Chief Security Officer, DirectDefense

Orlando, Florida, United States
