lock mark cybersecurity internet, protect attacks from a hacker

Network tabletop exercises don’t include engineering and plant operations

Aug. 5, 2025
Cyber incident response often neglects engineering and operations, leading to gaps in recovery strategies for manufacturing and industrial systems

The tendency to overlook engineering and operations during cyber incident response seems almost built-in. You see it during training and exercises.

I was on a panel session at the March 2015 Advisen Risk Conference in San Francisco. This was an IT and insurance conference discussing a tabletop exercise where an auto manufacturer’s assembly line slowed down to 50% because of malware. The tabletop roles were from IT, legal, HR and communications. There was no “plant operations” role and consequently no input from the engineering or operations perspectives.

On July 30, 2025, I participated in a ransomware tabletop exercise where a ransomware attack affected a large manufacturer, shutting down production. I was the only engineer participating in the exercise. The participating roles for the tabletop exercise were the CEO, CTO, CFO, CISO and legal counsel. There was no manufacturing role in the script even though it was manufacturing that was shut down. There were four groups participating. The groups assumed a “golden back-up” would restart the manufacturing systems. However, for this exercise, a “golden backup” didn’t exist. That led to indecision as to what should happen next.

Get your subscription to Control's tri-weekly newsletter.

In November 2024, I participated in the 2024 American Petroleum Institute’s (API) Cybersecurity Conference. One of the speakers in our session presented what it would take for a petrochemical facility to recover from a cyberattack. It was a very complex process to safely restart even with a “golden backup” because of equipment operational considerations. 

Summary

If engineering and operations are left out of cybersecurity training and exercises, it’s no surprise that they’d also tend to be overlooked during the pressure of an actual incident. The complexity in manufacturing and industrial control systems is not understood by network security. Simply restarting IT and OT networks from a “golden backup” is not sufficient to safely restart a manufacturing or industrial facility. There is a need for both an “engineering” role and participation from engineering and operations representatives in tabletop exercises that address plant operations.

About the Author

Joe Weiss | Cybersecurity Contributor

Joe Weiss P.E., CISM, is managing partner of Applied Control Solutions, LLC, in Cupertino, CA. Formerly of KEMA and EPRI, Joe is an international authority on cybersecurity. You can contact him at [email protected]

Sponsored Recommendations

Municipalities are utilizing inline total solids measurements to enhance sludge thickening, lower polymer usage and cut operational expenses.
Carbon dioxide is increasingly recognized as a vital resource with significant economic potential. While the conversion of carbon dioxide into products is still in its infancy...
Discover our wide range of temperature transmitters that convert sensor signals from RTDs and thermocouples into stable and standardized output signals!
An innovative amine absorption-based carbon capture process enables retrofitting of existing industrial facilities to reduce emissions in hard-to-abate sectors, with advanced ...