In a tabletop exercise scenario for an OT cyber-attack, which outcomes would you evaluate?

• A. Scenario: malware propagates through IT-to-OT boundary, causing process disruption.
• B. Outcomes: detection timeliness and containment only.
• C. Outcomes: communication plan only.
• D. Outcomes: detection timeliness, containment effectiveness, communication plan, decision-making quality, and recovery readiness.

Answer: (D)

In OT tabletop exercises, you assess how well the team handles a cyber-attack across multiple dimensions of response, not just whether the event is detected. The outcomes to evaluate should include how quickly the incident is detected (detection timeliness), how effectively the team can stop the spread and limit impact (containment effectiveness), how information is shared among operators, IT, management, and external parties (communication plan), how leaders and responders make timely, appropriate decisions under pressure (decision-making quality), and how ready the operation is to return to normal safely and verify systems before restart (recovery readiness). Focusing on all of these areas ensures the exercise measures both technical response and organizational coordination, which are both critical in OT environments. If you only consider a single aspect like detection or communication, you miss how these pieces interact to produce a complete, resilient response.