Knowledge base Updated: February 5, 2026

OT Tabletop Exercises: How to Build an Incident Response Plan in Industrial Environments

You already have an incident response plan for your OT network. Congratulations, you've taken an important step. But will this plan work in the heat of a real crisis? Is it just a theoretical document or a viable tool? The only way to find out is to test it. In this article, we'll show you how to do

Every serious organization regularly conducts fire drills. Sound the alarm, evacuate to the assembly point, check the attendance list - these activities are not carried out because we expect a fire on any given day. We do this so that at the moment of real danger, no one wastes time reading instructions, but acts instinctively, according to a rehearsed scheme. It’s about building “muscle memory,” which is reliable under stressful conditions.

Simulation exercises play exactly the same role in the world of cyber security. Having an incident response plan (IRP) that has never been tested is like having an evacuation manual locked in a drawer that no one has ever seen. Such a document gives a false sense of security, and in a moment of crisis turns out to be a set of unrealistic assumptions and unclear procedures.

In an operational technology (OT) environment, where the risks associated with “live” testing are enormous, “tabletop” exercises become the ideal solution. It’s a safe testing ground to verify plans, procedures and, most importantly, the ability to collaborate between teams, without generating even one second of downtime and without any risk to the production process.

Why is having an incident response plan that you have never tested an illusion of security?

An incident response plan, created in the privacy of a conference room, is inherently a theoretical document. It is based on certain assumptions about how an attack will unfold, how systems will behave and how people will interact. Reality, however, is always more complicated. In the heat of a crisis, it turns out that a key contact person is on leave, the procedure for restoring data from backup has never been fully tested, and the IT and OT teams have completely different interpretations of who is responsible for making decisions.

The untested plan is full of such hidden “mines.” Running it for the first time during a real attack is asking for failure. Rather than organizing the response, such a plan introduces additional chaos and frustration when its provisions are found to be unworkable or incomplete. Worse, simply having a plan “on paper” often lulls management and executives into complacency, creating an illusion of preparedness that is not supported by reality.

This is why regular testing is an integral part of the life cycle of any mature response plan. Testing allows us to identify and defuse these “mines” under safe conditions before they blow up in our faces at the worst possible moment. The purpose of testing is not to confirm that the plan is perfect, but to find its weaknesses so that it can be improved.

What are “tabletop” exercises and why are they an ideal testing ground for OT teams?

A “tabletop” exercise is a form of workshop where key members of an incident response team gather in a room (or virtually) to “talk through” a hypothetical but realistic cyber-attack scenario together. This is not a technical test - no one is touching real systems here. This is a simulation of the decision-making and communication process.

The session is led by a facilitator who presents step-by-step developments within a prepared scenario (e.g., “8:00 a.m.: SOC analyst notices suspicious traffic from SCADA server. What do you do?”). The task of the participants is, based on the IRP plan and playbooks at hand, to discuss and agree on what actions they would take, what decisions must be made and how they would communicate with each other.

It is this non-invasive nature that makes tabletop exercises an ideal tool for OT environments. They allow you to test the most difficult and controversial aspects of a response - such as deciding to stop production - in a completely safe manner, without any risk to physical processes. It’s a laboratory where you can make mistakes and learn from them without paying millions in losses.

What are the four key goals you will achieve with regular crisis simulations?

Conducting tabletop exercises on a regular basis achieves four fundamental goals that go far beyond simply verifying a document. First, the goal is to identify gaps and inaccuracies in the existing IRP plan. Discussion of the scenario mercilessly exposes all weaknesses: unclear procedures, missing contact information or unrealistic assumptions about response times.

Second, the exercises serve to clarify and practice roles and responsibilities. In the heat of discussion, it quickly becomes clear whether everyone understands equally who is responsible for what and who has the final word on key issues. This avoids competency disputes during a real crisis.

Third, and perhaps most importantly, it is an unparalleled tool for building cooperation and trust between IT and OT teams. Solving a problem together at the same table, listening to each other’s perspectives and coming to compromises builds relationships and “muscle memory” of cooperation, which are invaluable in the moment of a real attack. Fourth, and finally, the exercises build awareness and commitment among executives who, by participating in the simulation, can see for themselves the potential consequences of an attack and understand the importance of investing in preparation.

Step one - Definition of objectives: What exactly do you want to test during the exercise?

Any effective tabletop exercise must have a clearly defined goal. Trying to test “everything at once” is doomed to fail and leads to chaos. Before you start writing a scenario, you need to answer the question: “What is the single most important aspect of our plan whose effectiveness we want to verify this time?”

Objectives might include, for example, verifying a specific playbook (e.g., “let’s test our ransomware response scenario in the SCADA system”), evaluating communication procedures (“let’s make sure our crisis communication plan works and that everyone knows who to report to”), or testing the decision-making process (“let’s make sure our decision chain for stopping production is clear and efficient”).

A clearly defined objective allows the scenario and discussion to focus on the most important issues. It also allows us to define measurable criteria for the success of the exercise. At the end of the session, we will be able to clearly answer whether we have achieved our goal and what specific lessons we have learned.

Step Two - Creating the Scenario: How do you build a realistic attack story that will engage participants?

A good scenario is the heart of a successful tabletop exercise. Above all, it must be realistic and believable to the participants. Instead of making up fantasy stories about hackers from outer space, base the scenario on real threats to your industry and the specifics of your facility. Use information from threat reports or describe a scenario that happened at another similar company.

The scenario should not be a simple, linear story. It should be divided into several stages (called “injects”), which the facilitator will reveal gradually during the session. Each stage should present the team with new challenges and require specific decisions. The scenario should also include unexpected twists, such as “Your main method of communication has just stopped working. What do you do?”

It is important that the scenario be focused on testing predefined goals. If the goal is to test communication, the scenario should include moments that force intense communication with management, the media or regulators. If the goal is to test decision-making, the scenario should put the team in front of difficult choices, such as between continuing production at risk or incurring huge losses due to downtime.

Step Three - Selecting Participants: Who should be invited so that the simulation reflects a real-life crisis?

The composition of the team participating in the tabletop exercise should reflect as closely as possible the composition of a real, cross-functional incident response team. Limiting the exercise to cyber security specialists alone misses the point, because in a real crisis, decisions are never made in a vacuum.

It is absolutely crucial to invite representatives from both the IT world (SOC analysts, network administrators) and the OT world (process engineers, automation engineers, change managers). It is the interaction between these two groups that is one of the most important aspects to test. The participation of executives from the area (e.g., the plant director) is also essential, as they will have to make the final business decisions.

Depending on the scenario, it is also a good idea to invite representatives from other departments, such as the legal department (to assess regulatory obligations), the communications/PR department (to practice communicating with the media), and even the HR department. The more diverse and representative the composition of the team, the more valuable and realistic the conclusions of the exercise will be.

How does a typical tabletop session go and what is the role of the facilitator?

A typical tabletop session lasts from 2 to 4 hours. It begins with a brief introduction, during which the facilitator presents the goals of the exercise, the rules (especially the “safe failure” rule) and introduces the participants. Then, the facilitator presents the first stage of the scenario.

After presenting the situation, the facilitator gives the floor to the participants, asking the open-ended question, “What do you do?” A discussion begins, during which the team, based on their plans and procedures, must jointly determine what steps to take. The role of the facilitator is crucial here. He or she is not a teacher who evaluates the answers, but a moderator who stimulates the discussion, asks difficult questions (“How do you know this information is true?”) and ensures that the conversation does not get off track.

When the team comes to a consensus on its actions, the facilitator presents the next “inject,” or further developments, often a consequence of the decisions made by the team. This process is repeated several times until the scenario is completed. Throughout the session, the observer (or second facilitator) notes all observations, identified problems and potential areas for improvement.

Why is an atmosphere of “safe failure” the key to a successful exercise?

For a tabletop exercise to provide real value, it must be conducted in an atmosphere of complete trust and openness. The facilitator must clearly communicate at the outset that the purpose of the session is not to evaluate individuals, but to test and improve the process. Participants must feel comfortable asking “dumb” questions, admitting ignorance and questioning existing procedures without fear of negative consequences.

A “safe to fail” environment encourages honesty. If the plan is unclear, participants must have the courage to say so. If a procedure is unworkable in practice, they must communicate that. The goal is to find all weaknesses in the simulation stage so that they won’t surprise us during a real incident.

Criticizing and looking for blame during or after an exercise is the easiest way to make subsequent simulations a theater in which everyone will try to appear as good as possible, hiding real problems. Only in an atmosphere of openness and common purpose does an exercise have a chance to become a real tool for learning and development.

Anatomy of a successful Tabletop exercise in OT

| Phase | Key Action | Target |
|---|---|---|
| 1. Planning | Defining goals, creating a realistic scenario, selecting participants (IT+OT+Business). | Ensuring that the exercise is focused, engaging and valuable. |
| 2. Conduct | Moderated discussion of the scenario in an atmosphere of “safe failure.” | Verification of the decision-making and communication process, identification of gaps in the plan. |
| 3. Summary | Discuss key observations and conclusions immediately after the session. | Preliminary identification of key areas for improvement. |
| 4. Post | Create a formal report, assign tasks and deadlines, update the IRP plan. | Translate the conclusions of the exercise into concrete, measurable improvements. |

What should be the tangible result of any tabletop exercise?

The tabletop exercise must not end when the participants leave the room. The discussion is only a means to an end. The tangible, formal outcome of any such session must be an After-Action Report.

This report should include a brief summary of the scenario and conduct of the exercise. Its most important part, however, is a detailed list of observations, identified gaps and recommendations. For each identified weakness (e.g., “the procedure for contacting the legal department is unclear,” “the team did not know who had the authority to stop production”), the report should include a specific, actionable recommendation (e.g., “create a dedicated list of crisis contacts,” “add a formal decision matrix to the IRP plan”).

Most importantly, each recommendation must have an assigned owner (the person responsible for its implementation) and a deadline for implementation. This is the only way to ensure that the conclusions of the exercise are translated into real actions that actually improve the response plan. The report becomes a roadmap for further improving the organization’s preparedness.

How often should drills be conducted to keep the team realistically ready?

Incident preparedness is not a state that is achieved once and for all. It is a process that requires constant maintenance and improvement. Teams change, new threats emerge, and procedures that are not regularly practiced are forgotten. That’s why tabletop exercises should be a regular, cyclical component of a cyber security program.

It is good practice to conduct a full, formal tabletop exercise at least once a year. This allows for a comprehensive review of the entire plan and the involvement of a wide range of stakeholders, including management.

However, in addition to these large annual exercises, it is also worth introducing shorter, more focused and more frequent sessions for the technical response team itself. These could be, for example, monthly, hour-long meetings in which the team walks through one particular playbook as a “dry run” or analyzes the course of a real incident that happened in another company. Such regularity keeps procedures “fresh in the mind” and builds a culture of constant preparedness.

How do tabletop exercises differ from technical tests such as “red teaming”?

It is important to distinguish tabletop exercises from other forms of security testing. Tabletop, as already mentioned, is a test of process, people and communication. Its purpose is to verify plans and decision-making procedures. It does not involve any activities on real systems.

Technical tests, on the other hand, such as penetration tests or “red team” exercises, are a test of the technology and its configuration. They involve launching a controlled, technical attack on a company’s systems to find and exploit real vulnerabilities. The goal of the pentester is to find security holes. The goal of the “red team” is to simulate the actions of a real criminal group as closely as possible, testing the defense and detection capabilities of the “blue team” (defenders).

Both types of tests are extremely valuable and complement each other. Technical tests check whether our “shield” is sturdy. Tabletop exercises, however, test whether we know what to do when that “shield” is punctured. A mature organization should use both approaches.

How does regular exercise help prove the due diligence required by NIS2?

The NIS2 directive requires company boards to implement appropriate risk management and business continuity measures. In the event of an incident, regulators will assess whether a company has done due diligence in its preparations. Simply having an IRP plan may not be sufficient evidence.

Conducting and documenting tabletop exercises on a regular basis is one of the strongest proofs that an organization is approaching its responsibilities in a proactive and mature manner. Formal tabletop exercise reports, along with a list of identified gaps and evidence of closure, show regulators that the company has not only created a plan, but is actively reviewing it, improving it and treating it as a living, key component of its safety management system.

In the event of an audit, the ability to provide a history of regular, comprehensive simulation exercises is a powerful argument that can significantly influence the evaluation of a company’s actions and potentially mitigate the financial and legal consequences associated with an incident.

How can nFlo help you plan and execute realistic tabletop exercises for your team?

At nFlo, we have years of experience in designing and facilitating tabletop exercises for the most demanding industrial clients. We understand the unique challenges of OT security and know how to build scenarios that are not only technically credible, but also engaging and valuable from a business perspective.

Our consultants act as neutral, external facilitators. This helps to create an open atmosphere of “safe failure” in which participants feel comfortable talking openly about problems. Our job is to stimulate discussion, ask tough questions and ensure that the exercise achieves its goals and provides concrete, useful conclusions. We pay special attention to moderating discussions at the interface between IT and OT, helping both sides understand each other’s perspectives.

After the session, we prepare a professional post-session report, which is not just a simple summary, but a strategic document with clear recommendations, priorities and a roadmap for further improvements. We also support our clients in implementing these recommendations, helping to update plans, create playbooks and organize further, more advanced sessions.

Is your team ready for a real emergency or just a fire drill?

Many companies treat cybersecurity exercises as a routine, annual chore to be “ticked off.” The sessions are predictable, the scenarios are simple, and the conclusions are the same every year. Such a simulation is the equivalent of a fire drill, where everyone calmly walks to the assembly point, knowing it’s just a test alarm.

A real crisis, however, is different. It is chaotic, unpredictable and full of stress. That’s why your goal should be to prepare your team not for a test alarm, but for a real fire. This requires planning exercises that are difficult, challenging and that force participants out of their comfort zone.

Ask yourself: do your exercises to date realistically test your team’s ability to make the most difficult decisions? Do they confront the conflict of priorities between IT and OT? Do they build resilience that is real, not just on paper? If not, it may be time to raise the bar. Because when the real siren wails, it will be too late to learn.
