React Less. Defend More.

Table Top Exercise (TTX)

Mitigate the impact of cyber-attacks by being prepared for all eventualities.

Tabletop Exercise (TTX) Overview

A cyber security Tabletop Exercise (TTX) is a test of your organisation’s ability to respond to a cyber attack. It helps you evaluate how effective your cyber Incident Response (IR) plans are. It also shows you how aware the organisational stakeholders are of their roles and responsibilities in case of a cyber incident. A TTX is typically a verbally-simulated scenario that mimics a real cybersecurity incident which could have a damaging impact on your business continuity.

A TTX is conducted by experienced cyber experts who create real-world cyber-attack scenarios for your organisation. During the exercise, participants are forced to think and make decisions like they would when an actual incident occurs. Participants typically include members of the executive management, IT and OT teams and those identified within your IR plan.


Why Conduct an OT Tabletop Exercise?

Any organisation that is serious about OT business continuity and mitigating the impact of cyber-attacks needs to ensure it is prepared for all eventualities. Conducting regular TTX is an effective means of achieving this overall preparedness. Furthermore, regulators worldwide are becoming more stringent about compliance standards and are making it mandatory for organisations, especially those in critical national infrastructure, to test IR plans regularly through TTX. Testing IR plans regularly also has several other advantages, regardless of regulatory requirements, such as the following:

  • A good OT TTX workshop, when played out in front of key stakeholders and participants, can act as an eye-opener for many. Some business executives and people in key positions may have never imagined a scenario or thought their way through it until they’ve been exposed to it during a TTX workshop.
  • As people are put under intense pressure and are forced to think how they would in a real crisis, decision-making becomes faster as the worst-case scenario has already been practised. When an attack takes place, there is no room for disagreements or disputes on what the next steps should be, as all of the steps would have been rehearsed during the TTX workshop.
  • TTX can make it clearer to senior management whether any specific members of staff have to be re-trained for a cyber crisis or with respect to their IR responsibilities in case of an attack.
  • A TTX workshop facilitates better inter-departmental coordination and communication as the exercise involves all key stakeholders sitting together and working their way out of a crisis. This has positive long-term implications for teamwork and cross-departmental collaboration.
  • TTX are a cost-effective way of ramping up an organisation’s security defences without creating any disruption to business IT and OT systems.
  • A formal report is prepared at the end of a TTX workshop. This report clearly lists the strengths and weaknesses of the IR processes, the group’s collective capability to respond and more. This output can then become a solid blueprint on which the organisation can build its capabilities both tactically and strategically.

Key Benefits of Conducting an OT Tabletop Exercise

TTX scenarios for OT have several benefits for your organisational cyber maturity. These include:

  • Demonstrating if your incident response plans are correct or incorrect.
  • Clarifying roles and responsibilities to all stakeholders including third parties.
  • Making it easier for security teams to get business buy-ins on future cybersecurity decisions and budgets.
  • Highlighting areas that need improving and staff members who may need more training.
  • Facilitating improved inter-departmental coordination and communication.
  • A cost-effective means to improve OT cyber resilience over the long term (strategic remediations).
  • A blueprint for enhancing cyber defences over the short-term (tactical remediations).

Deliverables from our OT Tabletop Exercise Service

As part of this service offering, OTIFYD delivers a facilitated TTX workshop and formalised report that includes:

  • TTX methodology;
  • Executive summary;
  • Description of the current situation, risk exposure and potential consequences to the organisation;
  • Description of real-world cyber scenarios considered and used during TTX;
  • TTX workshop findings and observations;
  • Remediation recommendations with associated priorities.  

Additionally, the following items will also be provided:

  • High-level presentation for executive-level stakeholders.

Table top exercises help organisations outline the steps they might take during a cyber attack. By discussing the scenario in advance, CISOs and other risk experts can identify flaws or gaps in the organisation’s response and make adjustments.

In summary:

  • Demonstrating whether your Incident Response Plans are any good or not.
  • Clarifying individual roles and responsibilities to the Board and the Executive.
  • Making it easier for the IT/OT Security teams to get business buy-ins on future cybersecurity decisions and budgets.
  • Highlighting areas that may need work and staff members who may need more training in incident response.
  • Facilitating improved inter-departmental coordination and communication.
  • A cost-effective means to improve cyber resilience over the long term.
  • A blueprint (the executive summary) for enhancing cyber defences over the next few months.

To stay abreast of the current threat landscape and to best prepare and arm your team, performing a TTX at least once a year will ensure that existing staff awareness is always refreshed and that new staff receive comprehensive training on your IR processes.

Most TTXs are led by a facilitator who guides the conversation and captures lessons learned. Depending on the tabletop exercise’s objectives and scope, it may require a few hours or multiple days.

The typical format for table top exercises involves:

  • Testing preplanned actions in response to scenarios;
  • Group discussions to review the effectiveness of strategies and tactics, led by a skilled facilitator;
  • Introduction of additional challenges to the presented scenarios to widen the scope of cybersecurity problem-solving.

Injects are used to drive the simulation and exercise. They are instigated by the facilitator and not normally known to the group taking part. In an OT context, an inject may see a supporting OT system compromised or another unexpected event take place during the incident. The aim is to test how the group dynamically works together to resolve the injected event.

The first thing you should consider is whether a table top exercise is acceptable for your business. It’s only worthwhile to begin the process if you already have an Incident Response plan in place. Table top exercises are helpful for testing strategies, but they don’t tell you anything if everyone engaged is just improvising. You’ll also need institutional buy-in for the process: there’s no use in doing the exercise if management refuses to allow you to adjust plans and policies based on the outcomes.