Control Systems Under Pressure: Strategies for Running Effective OT Tabletop Exercises
About This Session
In this session, we’ll explore how to design and execute effective tabletop exercises specifically for OT environments. OT incident response is fundamentally different from IT, and tabletop scenarios must reflect the realities of SCADA architectures, limited staff, tool constraints, and the nuances of OT forensics. This session will present strategies that are pivotal for organizations to maximize the impact and effectiveness of their OT incident response tabletop exercises.
We’ll explore:
1. Designing Realistic OT Tabletop Exercises: How to build injects and flow that test an organization’s OT incident response capabilities, not just its documentation. OT tabletop exercises require response strategies that differ substantially from those of the IT world. Injects must account for operational limitations and the unique OT architecture, from control systems to remote access constraints.
2. Including IT in the Exercise: Some organizations choose to isolate their OT tabletops. Others see the OT-to-IT data flows as critical business processes and choose to test them together. These data integrations are not only a required resilience component but also a potential attack vector, particularly where custom code or custom-written connectors exist.
3. The Role of Third-Party Vendors: The OT vendor landscape requires organizations to adapt incident response in ways that IT doesn’t. In this part of the session, we'll discuss the proprietary nature of OT hardware and software and the impact that these vendors can have on IR cybersecurity practices.
Insights are drawn from over 25 years of experience handling both IT and OT breaches, offering actionable takeaways to help teams build tabletop exercises that surface real gaps and improve resilience.
Key Takeaways:
- Consider OT business processes and IR tools capabilities as part of exercise design.
- Evaluate the OT to IT data flow so that critical business processes are included in the test. Identify threats to business continuity and attack vectors.
- Understand the roles and risks of third-party vendors in the OT space, particularly special remote access requirements and proprietary administration tools that have the potential to be used nefariously.
Speaker
Christopher Walcutt
Chief Security Officer - DirectDefense
Christopher Walcutt is a former network architect with 25 years of experience in security, risk, and compliance leadership. His expertise is predominantly in the energy, utility, smart grid, and manufacturing sectors, specializing in industrial controls architecture, management consulting, and breach and incident handling. He has provided services to a wide variety of enterprise clients, including some of the world’s largest energy, engineering, manufacturing, and water companies, and has advised CISOs’ offices and Boards of Directors globally.
Chris served in leadership roles at Constellation Energy, SunGard, and Black & Veatch, where he was responsible for cybersecurity and management consulting for NERC CIP, NRC, smart grid, and NIST compliance.
