In many cyber incident tabletop exercises, the absence of roles representing engineering and plant operations is striking. For example, during a manufacturing slowdown caused by malware, the exercise participants included IT, legal, HR, and communications—but ignored those who understand how the plant actually runs. In a more recent ransomware simulation I attended, I was the only engineer present; other roles included CEO, CTO, CFO, CISO, and legal counsel. The script assumed a "golden backup" would restore production, but when it didn’t exist, the group quickly became indecisive, revealing a glaring flaw in preparedness.

This recurring oversight is not just a training shortcoming—it’s a dangerous blind spot. Control system complexities—such as safely restarting industrial equipment—are poorly understood by network-centric teams. Simply restoring IT and OT systems from backups doesn’t guarantee a successful or safe operational recovery. Without engineering and operations input, organizations risk incomplete recovery strategies that could endanger both safety and productivity during real-world cyber incidents.

‍

Source: https://www.controlglobal.com/blogs/unfettered/blog/55307798/unfettered-blog-network-tabletop-exercises-dont-include-engineering-and-plant-operations