Tabletop & Operational Exercises

Test decisions, communications, and operations before the incident.

Systems Risk Advisory designs and facilitates tabletop and operational exercises for utilities, local governments, and critical infrastructure organizations that need to test response plans, leadership decisions, technical coordination, field operations, and recovery priorities.

Plan an Exercise Review Incident Response Planning

Why it matters

Plans improve when people test them under realistic pressure.

A plan can look complete and still fail when staff do not know who has authority, who to call, what systems can be isolated, how manual operations will work, or how public communication should be handled.

Exercises reveal gaps before a real incident does. They help leadership, operations, IT, OT, emergency management, vendors, public information staff, and field crews understand how they will coordinate when information is incomplete and time matters.

Built for infrastructure operations

Systems Risk Advisory designs exercises around essential functions, control systems, field sites, vendor support, communications, public confidence, and recovery sequence. The goal is not theater. The goal is better readiness.

Questions this service helps answer

Can your team use the plan when conditions are unclear?

A good exercise should expose decision points, assumptions, and coordination gaps in a controlled setting.

  • Who has authority to activate the plan and make response decisions?
  • Can staff contact the right people if email, phones, or normal systems are unavailable?
  • Can operators continue essential functions if SCADA visibility is degraded?
  • Do leadership, IT, OT, operations, and emergency management share the same assumptions?
  • Are vendor roles, mutual aid, public information, and regulatory contacts clear?
  • Can the organization explain what is known, what is unknown, and what is being done?
  • Are recovery priorities and return-to-service decisions defined before pressure is high?
  • Do lessons learned become assigned improvements rather than meeting notes?

Exercise types

Exercises matched to your risks, staff, and operating environment.

Exercises can be short executive discussions, multi-department tabletop exercises, OT-focused scenarios, or operational exercises that include field staff and manual workarounds.

Executive tabletop exercises

Test leadership decisions, authority, public messaging, legal and insurance coordination, regulatory contacts, and governing body communication.

Cyber incident exercises

Use ransomware, account compromise, data loss, vendor compromise, or phishing scenarios to test escalation, containment, communications, and recovery decisions.

OT and SCADA exercises

Test response to loss of visibility, anomalous telemetry, remote access concerns, vendor support limitations, engineering workstation issues, or control system disruption.

AWIA ERP validation exercises

Help water utilities test whether Emergency Response Plans support realistic response actions, communications, continuity, and recovery priorities.

Physical security exercises

Test response to unauthorized access, suspicious activity, damage to critical assets, chemical area concerns, remote site issues, or cyber-physical incidents.

Operational continuity exercises

Test manual operations, backup communications, staffing limits, power dependency, chemical supply issues, restoration sequence, and continuity of essential services.

What gets tested

The exercise should test decisions, not only procedures.

Many plans describe tasks, but incidents require decisions. Exercises should test whether people understand roles, authorities, escalation paths, constraints, dependencies, and tradeoffs.

For critical infrastructure organizations, the most important test is whether the team can protect essential functions while response, investigation, communication, and recovery activities are underway.

Common test areas

  • Incident recognition, activation, and escalation
  • Leadership authority and operational decision-making
  • Internal, external, public, and elected official communications
  • IT, OT, SCADA, vendor, and field crew coordination
  • Manual operations, backup communications, and continuity actions
  • Recovery priorities, validation, return-to-service, and improvement tracking

How engagements work

A practical exercise development process

Define objectives

Clarify what the exercise must test, who should participate, what plans will be used, and what decisions matter most.

Build the scenario

Develop a realistic scenario, timeline, injects, expected discussion points, and facilitation plan tied to the organization.

Facilitate the exercise

Guide participants through decisions, communications, assumptions, constraints, and response actions without turning the exercise into a lecture.

Capture improvements

Document observations, strengths, gaps, corrective actions, owners, priorities, and follow-up steps in an after-action report.

Deliverables

Clear outputs that support improvement after the exercise.

An exercise should produce more than discussion. It should produce a practical record of what worked, what needs improvement, who owns the next steps, and what plans or controls should change.

  • Exercise planning call and objectives
  • Scenario narrative and exercise timeline
  • Injects, discussion prompts, and expected issues
  • Facilitator guide and participant materials
  • Observation forms or scorecards
  • Hotwash facilitation
  • After-action report
  • Improvement plan with recommended actions, owners, and priorities
  • Optional leadership briefing

Scenario options

Realistic scenarios for utility and infrastructure teams.

Scenarios should match the organization and its operating environment. They should be credible enough to create useful discussion without relying on extreme or theatrical events.

Ransomware and continuity

Business systems unavailable, backups uncertain, public services continuing, and leadership facing communication and recovery decisions.

SCADA visibility loss

Operators see abnormal conditions, remote visibility is degraded, vendor support is delayed, and manual operations may be required.

Vendor access concern

A vendor support account, remote access tool, or integrator pathway raises questions about containment, operations, and third-party coordination.

Physical intrusion at a remote site

Staff discover unauthorized access, damaged equipment, unknown cyber impact, and public safety or service continuity concerns.

Water quality or process concern

Operations, public health, communications, sampling, SCADA data, and leadership decisions must be coordinated quickly.

Power, communications, or staffing disruption

Backup power, alternate communications, field response, manual operations, and recovery sequence are tested under constraints.

Related resource

Use short tasks to strengthen readiness before an exercise.

The Volume 1 Companion Toolkit helps utilities track practical cybersecurity tasks for remote access, passwords, MFA, and account security. These areas often appear in cyber incident and tabletop exercise scenarios.

Download the Volume 1 toolkit

Use the toolkit to assign owners, record findings, and prepare for more focused cyber and OT readiness discussions.

Get the Toolkit

Related services

Exercises work best when they connect to plans, assessments, and resilience goals.

Incident Response Planning

Define cyber incident authority, containment, communications, OT coordination, and recovery decisions before an exercise.

OT/ICS & SCADA Security

Identify control system access, vendor pathways, segmentation, recovery, and manual operations issues that should be tested.

Ready to test readiness before the next incident?

Systems Risk Advisory can help design and facilitate a tabletop or operational exercise that tests decisions, communications, coordination, manual operations, and recovery priorities.

Plan an Exercise View All Services