OT/ICS Tabletop Scenarios

NIST-aligned incident response scenarios based on real-world OT attacks. Each follows the SANS ICS tabletop exercise methodology.

NIST Incident Response Phases

The scenarios follow the NIST SP 800-61 incident response lifecycle. NIST's combined "Containment, Eradication & Recovery" phase is split into three separate steps here so each can be exercised on its own.

  1. PREP - Preparation
  2. DETECT - Detection & Analysis
  3. CONTAIN - Containment
  4. REMOVE - Eradication
  5. RECOVER - Recovery
  6. LESSONS - Post-Incident Activity

CRITICAL | Water Treatment

Oldsmar Redux: Water Treatment Ransomware

A ransomware attack targets a municipal water treatment facility, threatening the public water supply and public safety.

25 min, 2-6 players, 7 phases

CRITICAL | Power Grid

Ukraine 2.0: Power Grid Disruption

A coordinated attack targets power distribution substations, causing widespread outages.

30 min, 2-6 players, 6 phases

CRITICAL | Oil & Gas

Colonial Pipeline: Refined Fuel Disruption

A ransomware attack targets pipeline operations, threatening the fuel supply to a major metropolitan area.

30 min, 2-6 players, 5 phases

CRITICAL | Power Grid

Power Grid: Dark Start (ICS4ICS)

A sophisticated ransomware attack cripples the regional power grid. Coordinate the response using full ICS4ICS (Incident Command System for Industrial Control Systems) protocols.

45 min, 2-6 players, 6 phases

HIGH | Manufacturing

DNS Service Disruption

External users cannot access websites, and high-volume UDP traffic is consuming bandwidth.

30 min, 2-6 players, 5 phases

CRITICAL | Manufacturing

Internal Worm Outbreak

A zero-day worm spreads via USB and SMB, installing DDoS agents. Infection is already widespread before antivirus signatures are updated.

40 min, 2-6 players, 5 phases

MEDIUM | Manufacturing

Rogue Wireless Access Point

A rogue wireless access point is detected on the corporate network. Both a physical and a logical search are required to locate and remove it.

30 min, 2-6 players, 4 phases
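A first Detection & Analysis check for the DNS Service Disruption scenario, as an added example that is not part of the page's exercise material: it parses flow records and flags UDP senders whose byte volume dwarfs the per-host median, reporting what share of that volume went to port 53. The flow record format, the addresses, and the threshold factor are all assumptions made for illustration.

```python
"""Flag high-volume UDP senders in flow records.

Added example for the DNS Service Disruption scenario; it is not part of the
page's tabletop material.  The flow format (timestamp src dst proto dport bytes),
the addresses and the threshold factor are all assumptions made for illustration.
"""
from collections import defaultdict
from statistics import median

# Constructed flow records (not captured traffic).  The repeated 1480-byte
# UDP/53 flows from 198.51.100.77 stand in for the scenario's high-volume UDP
# traffic; the other hosts are ordinary resolver clients plus one NTP query.
SAMPLE_FLOWS = """\
2024-05-01T10:00:01Z 203.0.113.5   192.0.2.53 UDP 53  120
2024-05-01T10:00:01Z 203.0.113.6   192.0.2.53 UDP 53  95
2024-05-01T10:00:02Z 198.51.100.77 192.0.2.53 UDP 53  1480
2024-05-01T10:00:02Z 198.51.100.77 192.0.2.53 UDP 53  1480
2024-05-01T10:00:02Z 203.0.113.9   192.0.2.10 UDP 123 76
2024-05-01T10:00:03Z 198.51.100.77 192.0.2.53 UDP 53  1480
2024-05-01T10:00:03Z 203.0.113.5   192.0.2.53 UDP 53  110
2024-05-01T10:00:03Z 198.51.100.77 192.0.2.80 TCP 443 600
2024-05-01T10:00:04Z 198.51.100.77 192.0.2.53 UDP 53  1480
2024-05-01T10:00:04Z 203.0.113.6   192.0.2.53 UDP 53  88
2024-05-01T10:00:04Z 203.0.113.5   192.0.2.53 UDP 53  95
2024-05-01T10:00:05Z 198.51.100.77 192.0.2.53 UDP 53  1480
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; skips blank and '#' lines."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport, nbytes = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst, "proto": proto.upper(),
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def udp_totals(flows, key="src"):
    """Aggregate UDP bytes, UDP/53 bytes and flow count per host (by src or dst)."""
    totals = defaultdict(lambda: {"bytes": 0, "dns_bytes": 0, "flows": 0})
    for f in flows:
        if f["proto"] != "UDP":
            continue
        t = totals[f[key]]
        t["bytes"] += f["bytes"]
        t["flows"] += 1
        if f["dport"] == 53:
            t["dns_bytes"] += f["bytes"]
    return dict(totals)


def flag_udp_hosts(flows, key="src", factor=10.0):
    """Return (host, udp_bytes, dns_share) for hosts whose UDP volume exceeds
    factor x the per-host median, largest first.  The median is a crude stand-in
    for a learned baseline; a real deployment would compare against history."""
    totals = udp_totals(flows, key)
    if not totals:
        return []
    baseline = max(median(t["bytes"] for t in totals.values()), 1)
    flagged = []
    for host, t in sorted(totals.items(), key=lambda kv: kv[1]["bytes"], reverse=True):
        if t["bytes"] > factor * baseline:
            flagged.append((host, t["bytes"], round(t["dns_bytes"] / t["bytes"], 2)))
    return flagged


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for host, nbytes, dns_share in flag_udp_hosts(flows):
        print(f"{host}: {nbytes} UDP bytes, {dns_share:.0%} to port 53")
```

Keying on `src` finds a host that is flooding outward; running the same check with `key="dst"` is the mirror view for the case where the facility itself is the target of reflected UDP traffic, which is the other way this scenario can present. Either way the output is only an inject for the Detection & Analysis phase: the exercise still has to decide who confirms the finding and what containment step follows.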

Based on SANS ICS Tabletop Guidelines

Preparation

  • Define participant roles
  • Review IR procedures
  • Set ground rules

During Exercise

  • Stay in character
  • Discuss decisions openly
  • Note gaps in procedures

After Exercise

  • Conduct hot wash
  • Document lessons learned
  • Update playbooks