“You do not get to pick if you are a good target or not. That’s not your right to have.” - Mike Hoffman
In the webinar Effective ICS/OT TTX Design & Facilitation, presenter Mike Hoffman (2024) provided security practitioners with practical, professional advice on how to design, implement, and facilitate effective tabletop exercises. A tabletop exercise, abbreviated TTX, is a simulated walkthrough conducted by an organization to test its incident response plan against hypothetical events, so that the organization remains prepared should an incident actually occur (Hoffman). The importance and value of conducting annual tabletop exercises has been established both in the literature and through increasing regulatory requirements (Hoffman). In the Five ICS Cybersecurity Critical Controls whitepaper, published by SANS, having a tested incident response plan is listed as the first critical control (Lee & Conway, 2022, p. 6). Additionally, around the world, a growing number of government regulations are beginning to mandate that organizations test their incident response plan annually (Hoffman).
Reference Slide 1
Who Should Participate in a Tabletop Exercise?
At a high level, an incident response plan for an organization should include six stages: (1) preparation, (2) identification, (3) containment, (4) eradication, (5) recovery, and (6) lessons learned (Hoffman). When developing an incident response plan, Hoffman cautioned security practitioners against making the plan excessively long or over-detailed. Instead, Hoffman encouraged security practitioners to consider the threat landscape unique to the organization and to design an incident response plan that counters the threats expected to target the organization and the industry it operates within. Once an incident response plan has been developed, a security practitioner must then examine and review the current security architecture in place, at a high level, for the tabletop exercise to be effective (Hoffman). Rather than focusing on specific hosts in the environment, Hoffman advised security practitioners to determine the different types or groups of hosts within their environments and to consider how adverse events would impact those types of assets as collective groups. Once this is completed, security practitioners can overlay the organization’s security architecture against its incident response plan in order to identify gaps in protection and to build and extend detection capabilities as deemed necessary (Hoffman).
Reference Slide 2
The Incident Response Planning Process
In order to produce a realistic scenario for a tabletop exercise, Hoffman encouraged security practitioners to gather knowledge of internal processes and the threats that would target them. With this information, security practitioners can then determine how production operations would be impacted by a threat event (Hoffman). When developing a scenario, Hoffman suggested that security practitioners begin by writing scenarios in which a lower-level system becomes compromised due to poor asset control or poor organizational USB hygiene. By selecting a lower-level system as the starting point, operations leaders and engineers are able to fully participate in the tabletop exercise and understand their role in the incident response process (Hoffman). To ensure that tabletop exercises remain focused and effective, each exercise should be limited to a maximum length of three hours (Hoffman). In total, the tabletop exercise should include no more than 6 to 10 injects, with 15 to 20 minutes allocated to each inject so that the conversation remains productive (Hoffman). When working through the slide deck, all participants should have the opportunity to respond to and discuss actions to remediate the adverse event, leveraging all policies, procedures, and tools available (Hoffman). To avoid a conflict of interest, the designers of the tabletop exercise should not participate in it (Hoffman).
Reference Slide 3
Developing a Slide Deck for a Tabletop Exercise
Reference Slide 4
Common Improvement Areas for Organizations
Resources cited:
Hoffman, M. (2024, November 06). Effective ICS/OT TTX Design and Facilitation [Webinar]. SANS.
https://www.sans.org/webcasts/effective-ics-ot-ttx-design-facilitation/
Lee, R., & Conway, T. (2022, October). The Five ICS Cybersecurity Critical Controls [White paper]. SANS.
https://www.sans.org/white-papers/five-ics-cybersecurity-critical-controls/