Network tabletop exercises don’t include engineering and plant operations
The tendency to overlook engineering and operations during cyber incident response seems almost built-in. You see it during training and exercises.
I was on a panel session at the March 2015 Advisen Risk Conference in San Francisco. This was an IT and insurance conference discussing a tabletop exercise where an auto manufacturer’s assembly line slowed down to 50% because of malware. The tabletop roles were from IT, legal, HR and communications. There was no “plant operations” role and consequently no input from the engineering or operations perspectives.
On July 30, 2025, I participated in a ransomware tabletop exercise where a ransomware attack affected a large manufacturer, shutting down production. I was the only engineer participating in the exercise. The participating roles for the tabletop exercise were the CEO, CTO, CFO, CISO and legal counsel. There was no manufacturing role in the script even though it was manufacturing that was shut down. There were four groups participating. The groups assumed a “golden back-up” would restart the manufacturing systems. However, for this exercise, a “golden backup” didn’t exist. That led to indecision as to what should happen next.
Get your subscription to Control's tri-weekly newsletter.
In November 2024, I participated in the 2024 American Petroleum Institute’s (API) Cybersecurity Conference. One of the speakers in our session presented what it would take for a petrochemical facility to recover from a cyberattack. It was a very complex process to safely restart even with a “golden backup” because of equipment operational considerations.
Summary
If engineering and operations are left out of cybersecurity training and exercises, it’s no surprise that they’d also tend to be overlooked during the pressure of an actual incident. The complexity in manufacturing and industrial control systems is not understood by network security. Simply restarting IT and OT networks from a “golden backup” is not sufficient to safely restart a manufacturing or industrial facility. There is a need for both an “engineering” role and participation from engineering and operations representatives in tabletop exercises that address plant operations.