As cyberattacks targeting industrial control systems (ICS) and operational technology (OT) surge, Dean Parsons, SANS Certified instructor and CEO of ICS Defense Force, warns that generic cybersecurity tabletop exercises (TTXs) are no longer sufficient. Instead, industrial organizations are being urged to adopt ICS- and OT-specific incident response exercises, particularly those aligned with the Five ICS Cybersecurity Critical Controls. Far from routine compliance tasks, these targeted TTXs are emerging as high-impact security investments that strengthen operational resilience, enhance safety, and sharpen response capabilities across critical infrastructure sectors.

Parsons highlighted that ICS/OT cyber defense can’t just be theory; it must be practiced. He identified several key benefits and returns on investment that ICS/OT cybersecurity tabletop exercises deliver, with near-immediate value. These include validation of readiness, improved situational awareness, stronger team coordination, and actionable outcomes.

“TTXs benchmark current defenses against real-world scenarios, revealing gaps in ICS/OT network visibility, threat detection, industrial-grade incident response, and engineering asset recovery,” Parsons wrote in a Tuesday SANS blog post. “They reinforce the effectiveness of existing controls and incident response plans. However, the real value is ensuring that engineering teams are deeply involved, and in many cases, are leading the way to make sure the scenario is engineering-focused.” 

He added that ICS/OT TTXs create shared understanding across engineering, cybersecurity, operations, and safety teams. “They converge IT and OT teams, build trust, clarify roles, and enhance communication, especially in high-stakes, multi-team incident response efforts.”

Parsons detailed that ICS-focused TTXs identify concrete improvements: enhancing network segmentation, tuning threat detection, updating access controls, or deploying protocol-aware network monitoring solutions. These exercises often lead to smarter investments and faster remediation timelines. 

The post noted that to ensure ICS/OT tabletop exercises are relevant, high-impact, and deliver maximum return on investment, they must be engineering-focused. Scenarios should incorporate the most targeted and mission-critical assets, such as data historians, engineering workstations, human-machine interfaces (HMIs), programmable logic controllers (PLCs), and safety instrumented systems (SIS). These assets are core to industrial operations and are frequently targeted by adversaries. Including them in tabletop exercises ensures scenarios reflect the current threat landscape and strengthen defenses around the most vulnerable systems.

In conclusion, Parsons wrote, “ICS/OT cyber defense can’t just be theory; it must be practiced. ICS/OT-specific TTXs are where that practice begins. Start small. Involve the right teams, especially engineering. Target your most critical assets. Turn findings into action. And repeat the process at least annually. Key site, by key site.”

In May, the SANS Institute rolled out a course to train professionals in safely assessing vulnerabilities in OT environments. ICS613: ICS/OT Penetration Testing & Assessments will debut in beta August 25–29 in Sandy, Utah, as an in-person-only offering. The beta run of the course will deliver critical hands-on training for cybersecurity professionals working in industrial environments.