Tabletop exercise insights
- While identifying potential OT/ICS vulnerabilities, the tabletop exercise allows you to strengthen internal communication, agree on OT/ICS security ownership and further develop relationships.
- For organizations that rely on digital assets, it’s in their best interest to take steps to proactively prevent a cyber event before it happens.
- You’re only allowed to pen test the ICS environment during downtime when everything’s turned off or offline, making it difficult for OT systems.
The safety and integrity of operational technology (OT) environments is being challenged today like never before. Industrial control systems (ICS) across industries are inherently vulnerable to cyber intrusions, human error and other irregular activity that can compromise data, disrupt plant productivity and trigger costly downtime.
What’s more, these risks are not typically in the purview of information technology (IT) departments, leaving the onus of securing these essential digital assets squarely on OT personnel. So how do you achieve an optimal state of digital safety and peace of mind that your industrial manufacturing equipment is protected?
The journey starts with a tabletop exercise — a step-by-step methodology that demonstrates how a realistic attack may occur within your unique ICS environment based on your organization’s most vulnerable areas of risks. The exercise calls for collaboration between all stakeholders including the C-suite, risk management, IT and OT/ICS security teams. It’s ideal to have your executives take part in this process to give leadership a better understanding of OT risks and a realization that IT is not equipped to cover all the bases.
What is a tabletop exercise?
While identifying potential OT/ICS vulnerabilities, the tabletop exercise also allows you to strengthen internal communication, agree on OT/ICS security ownership across the organization and further develop relationships. The key is getting all the right stakeholders in the room together to identify gaps and vulnerabilities.
The tabletop exercise can include IT giving a comprehensive description of their cybersecurity strategy but you must also focus on the plant floor and ICS ownership to confirm who’s responsible for process integrity and safe operation there.
Tabletop participants can expect to gain tangible and intangible value from the exercise including reduced operational and financial impacts to the organization. The IT and OT teams will increase their understanding of potential threat vectors while also building communication skills as they learn under the tutelage of ICS digital safety experts in a workshop environment.
For organizations that rely on digital assets, it’s in their best interest to take steps to proactively prevent a cyber event before it happens. This is achieved through meeting industry standards for digital safety with a tabletop exercise serving as the starting point.
The tabletop exercise assesses your organization’s ICS defense posture with real-world injects based on first-hand experience. It provides custom threat scenarios based on the most concerning risks and delivers actionable recommendations to prevent adversaries from disrupting your most critical industrial assets and processes.
This is achieved through a three-phase system consisting of planning and creation, execution and follow-up. ICS are tested and strengthened through the evaluation of the cyber incident response process and tools, identifying and correcting cyber defense gaps, thereby reducing operational and business risks.
OT cybersecurity tabletop exercises are key to demonstrating vulnerabilities and encouraging alignment across the organization on how to best secure and protect ICS. The exercise includes a customized proactive consequence and intelligence-driven cyber event prevention plan based on your unique environment.
An onsite interactive facilitated session is held with C-suite, risk, IT and OT participants, challenging them with technical scenarios that include a series of “moves” and expected player actions. These are based on customized events and artifacts with realism and depth, and includes a tabletop session action plan and observation letter.
Pen testing vs. tabletop exercises
Penetration testing, also known as pen testing or so-called “ethical hacking,” is not a viable means of identifying ICS vulnerabilities. Here’s why — you’re only allowed to pen test the ICS environment during downtime when everything’s turned off or offline. These tests have been proven to be too disruptive on operating/production control systems, and they don’t provide an accurate look at your control systems and what’s going in and out.
When you insert a true intrusion detection system within the control systems environment, it will alert you if you have a control system that’s reaching out through the internet and if there’s any data coming in. It will provide visibility on any internet activity and detect whether your systems are currently being accessed.
Pen testing can probe enterprise- or business-class computer systems, but only during times when the plant is offline. You cannot scan the network while the plant is in production, which is why it is ill advised to rely upon pen testing as a tool to gain ICS visibility.
As a rule of thumb, IT strategy and IT tools do not apply to industrial control systems because they’re disruptive, incompatible and lack sensitivity to process integrity. Take, for instance, something as simple as modifying a programmable logic controller (PLC). If there’s an operator accessing a PLC to make a change, is that allowed? Maybe it’s valid. However, IT tools would not even recognize the activity, which would go unnoticed and undocumented in the OT environment. The change could be costly. Another disruptive activity is IT scanning OT networks and devices, which in many cases have the same unplanned and unscheduled downtime effect.
Who owns OT cybersecurity?
The bottom line is your OT personnel must take ownership of ICS digital safety. IT should not be expected to have control over nor should they be given full control of the safety and security of your plant floor ICS infrastructure. IT is not trained on OT/ICS equipment safety or process integrity, which is the revenue-generating part of the business. Control must remain with the OT team. However, OT teams need to know how to properly inspect and secure their control systems and may need outside support just as IT does with securing the enterprise network.
If there’s a ghost in the machine, this process and these tools will tell you what happened with a record and audit log. A cybersecurity tabletop exercise will point you in the right direction and provide a roadmap for how to safeguard your ICS and become a digitally dafe organization.
Do you have experience and expertise with the topics mentioned in this article? You should consider contributing content to our CFE Media editorial team and getting the recognition you and your company deserve. Click here to start this process.