The OT Security Academy

An industry guide to starting your tabletop exercises

Written by Tomomi Aoyama | November 16, 2023

Omny's Co-founder and Head of Product, Tomomi Aoyama, says that cybersecurity training within heavy-asset industries is necessary, and becoming more so by the day. But the exercises themselves don't have to be as complicated or time-consuming as you might think.

In an industrial operation, training for safety events such as a fire is likely well ingrained. But there’s room for improvement when it comes to training for cyber incidents, according to Tomomi Aoyama.

“You cannot expect people to handle a cyber-related emergency in an industrial environment without being prepared,” she says. “Cybersecurity teams need to implement regular exercises into your routine to simulate the attack and practice how you will handle the fallout.”

Many companies shy away from elaborate cyber training exercises: they are time- and resource-consuming, and it’s challenging to run them more than once a year. That’s why Aoyama encourages organizations to make the best use of a lighter-weight format: tabletop exercises.

The power of the tabletop cyber exercise

“There’s a lot to be gained with tabletop exercises when it comes to cyber preparedness. All you need for this is a room, a facilitator, and a note taker. And then, simply set aside some time to talk through a scenario of your choice,” explains Aoyama. “It doesn’t have to be more complicated than that.”

The SANS white paper “The Five ICS Cybersecurity Critical Controls” suggests two main types of scenarios for tabletop cyber security exercises: intelligence-driven scenarios and consequence-driven scenarios. Here’s a guide to each type and what you can learn from it.

Intelligence-driven scenario 

This is the best place to start for an industrial organization. In this type of exercise, begin by finding a case study of a cyber-attack that occurs frequently in your industry, and use it as the framework for your exercise scenario. A ransomware attack is a good example of something that can happen in any industrial domain these days.

Select your participants according to your objectives. Is your goal to test critical decision-making with your executive team? Maybe you need to test whether your security incident response team can function without its usual incident commander. Or perhaps you want to coordinate the response with the operations team. A tabletop exercise is an excellent format for training this kind of cross-functional coordination.

Discuss within the group who in the organization would notice the attack first, how and when they would report the incident, what actions the operations and cyber teams could take and on the basis of what information, and how you would minimize the impact and recover from it.

Aoyama’s tip: It’s impossible to protect 100% of your operation. With the right resources and capabilities, adversaries will always find a way to achieve their objectives. So, don’t spend additional time deciding whether the exact type of malware or technique can harm your system. Rather, it’s about seeing beyond the techniques, and discussing what your organization can do when the same tactics are used against it.

Consequence-driven scenario 

Once you are well-versed in handling intelligence-driven scenarios, it’s time to start incorporating consequence-driven ones. This type of scenario is more tailored to your own specific business processes, as a way to practice for your own worst-case scenarios.

Assess a ‘nightmare’ outcome of a cyber-attack, such as a full system failure or severe environmental damage. If you have done a Crown Jewel Analysis (CJA) already, the report would be a great place to start. If not, you can start by asking your operations team about their ‘worst day’ scenario. Select the scenario that you deem most important for your business continuity for this exercise.

Then, test your business continuity plan against the scenario. If you don’t have a dedicated plan for cyber, what part of your business continuity plan can be reused?

Aoyama’s tip: While companies are quick to adopt intelligence-driven scenarios, many forget about the consequence-driven scenario. Creating a consequence-driven scenario requires intimate knowledge of your operations and system interdependencies. It’s hard to gather that knowledge, but it is a very rewarding task, as you will understand how things can go horribly wrong due to cyber events.

Narrow the scope and exercise more often

A cyber-security exercise doesn’t have to be big, complex, or resource intensive. Aoyama says it can become a bi-weekly event or even part of a routine meeting. It’s all about how you scope the expected outcome.

“While you do need a cross-functional, company-wide exercise, it’s not realistic to organize large scale exercises so often. But threats are changing and growing all the time, and we need to keep testing our preparedness constantly. That’s why tabletop exercises are a great option to activate the learning loop,” she adds.

Aoyama also mentions the concept of ‘micro tabletop exercises’ as an option for time-pressured organizations. This is a way to scope the scenario to a specific scene and exercise with a limited number of stakeholders.

“A once-yearly cyber exercise is the very minimum baseline to hit. But if you are looking to take a more proactive approach, then tabletop exercises are the solution,” Aoyama says. “These exercises are an opportunity to learn, see your gaps, understand your procedures and prepare your organization for when the worst happens.”
