Everything You Need to Know About OT Tabletop Exercises

Sep 12, 2024

Industry Insight

A tabletop exercise (TTX) is an interactive, discussion-based session that provides a low-consequence environment for teams to test their ability to respond to a simulated cybersecurity incident. TTXs offer an opportunity to identify gaps within procedures and processes while educating participants on how best to respond. Insane Cyber customizes each exercise to fit the customer's environment and threat landscape.


Types of Tabletop Exercises

The scope of an exercise can range from single teams to hundreds of people across the organization. The most common exercise types are outlined below. Multiple types can be combined into a hybrid exercise that tests both responders and leaders.

  • Operational and Technical Exercise: This type of exercise is targeted at the operational and technical teams responding to a cybersecurity incident. It is focused on the process and mechanics of detection and response. Incident Response Plans (IRP), Emergency Action Plans (EAP), and Continuity of Operations Plans (COOP) are often the primary procedures that are being tested in these exercises. 

  • Crisis Management Exercises: These exercises test the organizational ability to respond to an industrial cybersecurity crisis. Business and operational continuity, as well as decision-making, communication, and cross-functional teamwork, are often the focus. Crisis Management Plans (CMPs) and IRPs are often the main drivers in this type of exercise. This type of exercise usually includes team leads, incident responders, and plant managers.

  • Executive Exercise: These exercises involve senior leadership within an organization. The focus is to provide leadership teams, including the C-suite and board members, with an opportunity to test how they will lead an organization through a crisis-level industrial event. Decision-making, communication, legal, and compliance are often the focus of these exercises. The 2023 Securities and Exchange Commission (SEC) Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rules have resulted in senior leadership needing to understand how best to respond.  


Components of a Tabletop Exercise

A TTX traditionally consists of the following parts but can be customized based on the customer's needs and scope. 

  • Planning Meetings: The development and execution of a TTX require cooperation between the facilitation team and organizational planners. At a minimum, there are four meetings, starting with the kick-off meeting, which defines the objectives, audience, and type. The second and third meetings are planning meetings, which review the customer-provided material and exercise structure. The final meeting is a project closeout meeting that covers the after-action report and improvement plan. 

  • Information and Documentation Review: Understanding the industrial environment and response program is a prerequisite for developing an exercise scenario. The type of exercise will drive the requested information.  

  • Threat Landscape: A threat landscape is developed using open intel sources that profile the customer's vertical and environment. This information is used to develop a scenario that fits the organization's threats.  

  • Exercise Material: Industrial TTXs are discussion-based exercises supported by scenario background, information injections, and content artifacts. The scenario timeline is often made up of multiple events or injections, allowing participants to work through a scenario that usually spans days, weeks, or even months.  

  • Exercise Execution: The facilitator's primary role is to provide a low-stress educational environment to the participants as they work through the scenario. The facilitator will use the exercise material to provide information and context and answer questions. A facilitator leads the participants through the phases of incident response and recovery. The exercise facilitation usually takes 2 to 4 hours but can last multiple days for large exercises such as those that take place as part of NERC GridEx.  

  • After-action Report: This report summarizes the scenario and how the participants responded as a team. It also identifies gaps and provides high-level recommendations.  

  • Improvement Plan: This optional report outlines how the organization can address the identified gaps using technology, people, and processes tailored to the environment.  


Common Deliverables  

The execution of the exercise is the primary deliverable for a TTX. A well-facilitated exercise will engage and challenge participants as they work through the scenario. The exercise material will provide the outline, timeline, and supporting artifacts, but the facilitator will bring it to life.  


The Insane Cyber team has developed and executed over fifty industrial exercises with participants ranging from single teams with five members to 300 participants from across a Fortune 50 organization. The team has experience working with various industrial organizations, from utilities to manufacturing to transportation. Regardless of the participants, be they operators, field personnel, responders, executives, board members, or public agencies, our facilitation team knows how to contextualize industrial cybersecurity events to provide a relevant TTX.  


After the engagement, the After-Action Report (AAR) and Improvement Plan (IP) provide the organization with tangible deliverables. The AAR summarizes what happened, identifies gaps within the response, and offers high-level recommendations. The IP takes those recommendations and provides a tailored improvement plan that aligns with the organization's program and capabilities. 


Top 10 Tips for Getting the Most out of a Tabletop Exercise 

  1. Reference a plan: Response processes should be established before conducting a TTX. This can be a standard, simple incident response plan (IRP), but it is best if it's tailored to the business and operations. As the organization gains maturity, the TTX can grow in complexity and scope to test more processes and procedures.

  2. Include the right participants: The scope and type of the TTX will drive who should be involved. As a rule of thumb, everyone who would be involved in a cyber security incident should be included. This should include those impacted, such as operations, engineering, and production management, if it's OT-focused. If an organization is just starting its OT cyber security journey, a smaller group size is better.

  3. Set the correct tone: Creating a no-fault, low-stress environment allows participants to test ideas and actions to help identify improvements.

  4. Make it relevant: Focus on the likely scenarios, such as ransomware, and the likely impact on operations and the business.

  5. Make it interactive: A TTX should involve all of the participants. Incident response is a team activity that requires multiple people and teams to work together. A facilitator should drive participation by asking questions and probing for actions.

  6. Make it realistic: Anything is possible, from aliens invading the Denver airport to drones delivering malware via a fake AP on a data center roof, but with limited time it is best to focus on what is most likely to happen. This also requires understanding how processes work on the operations side. For example, if a process has a mechanical overpressure valve, then a cyber attack won't be able to interrupt it.

  7. Pick the right facilitator: Facilitators lead the storyline and provide context around the injects. Creativity, process understanding, and thinking on your feet are critical to making a good scenario into a great exercise that challenges participants throughout the IR process.

  8. Allow for enough time: Schedule enough time to work through the scenario. Usually, for 10-20 participants with 5-10 injects, you want to allow for 2-3 hours of play. Account for time at the beginning for the intro and at the end for lessons learned.

  9. Focus on process improvement: The primary goal of an exercise is to improve response processes. Focusing on lessons learned and identifying issues is key. It does not cost a lot to do something that does not work in an exercise. 

  10. Focus on learning and building bridges: Exercises are a great opportunity to build bridges and share knowledge between teams.    

See how Insane Cyber transforms security

Our products are designed to work with you and keep your network protected.

Insane Cyber © All Rights Reserved 2024
