
Cyber Security Tabletop Exercise for SOCI-Regulated Critical Infrastructure
Sector: Critical Infrastructure | Capability: Cyber Security | Timeframe: 2024
Cyber Security Tabletop Exercise Overview
In 2024, Calexi staff delivered a full-day cyber security tabletop exercise for a privately owned, SOCI-regulated water utility, a large enterprise operating as a critical infrastructure provider.
The exercise was designed to test the organisation’s cyber incident response capability, with particular emphasis on OT–IT coordination, communications pathways, and regulatory reporting obligations under the Security of Critical Infrastructure (SOCI) framework.
This preventative activity formed part of the organisation’s broader commitment to reducing operational and regulatory risk before a real incident occurred.
Challenge: OT–IT Coordination and SOCI Reporting Under Pressure
Water utilities operate at the intersection of digital systems and physical consequences. A cyber incident affecting IT systems can rapidly propagate into operational technology (OT) environments, with real-world impacts on service continuity, safety, and regulatory compliance.
The organisation identified several specific concerns:
- Potential breakdowns in communication and information flow between IT and OT teams
- Uncertainty around escalation triggers and decision authority
- Lack of structured communications templates and incident reporting playbooks
- Ambiguity around what constitutes a reportable incident under SOCI
- Risk of cascading operational failures arising from containment actions
While IT and OT functions operated within the same organisation, they were culturally siloed. There was limited prior opportunity to test how these teams would coordinate under realistic incident conditions.
If left unaddressed, these weaknesses could have resulted in cascading system failures, disruption to water services, and significant regulatory action in the event of environmental or compliance breaches. In such a scenario, a delayed or ineffective response could have resulted in severe operational, reputational, and national security impacts.

Scenario Design: Realistic IT-to-OT Compromise Simulation
Calexi staff developed and facilitated a practical, engineering-grounded scenario based on real-world threat activity.
The scenario drew upon hardware profiles and threat indicators from a recent advanced persistent threat campaign targeting a similar water organisation in the United States. The incident model involved:
- Initial compromise of IT systems
- Lateral movement into OT environments
- Containment actions with potential operational consequences
- Complex trade-offs between isolation, availability, and safety
Participants were required to consider OT system isolation decisions, containment measures, and rectification strategies, while simultaneously assessing the potential for cascading operational failures.
The scenario was deliberately structured to force interaction between cyber security specialists, OT representatives, engineers, and executives.
Exercise Structure and Facilitation Approach
The exercise was conducted over a full day and included pre-briefing preparation and a structured post-exercise review where lessons learned were captured internally by the organisation.
Initially, the cyber security team and executives were separated into different rooms to simulate realistic information asymmetry. As communication delays and misunderstandings emerged, the groups were brought together to restore shared situational awareness.
This design choice surfaced one of the most visible breakdowns:
Communication delay leading to fragmented decision-making and reduced operational awareness.
Calexi staff facilitated the exercise, translated between IT, OT, and executive perspectives, and used organisational policies and industry knowledge to represent additional roles without requiring broad operational disruption.
This approach allowed the cyber team to identify gaps in incident response processes before consuming the time of operational teams unnecessarily.
SOCI Compliance and Regulatory Reporting Validation
A critical element of the exercise was testing mandatory reporting timelines, escalation pathways, and legal and board notification triggers under SOCI obligations.
Participants experienced uncertainty in several areas:
- When an incident becomes a reportable incident
- What level of detail is required in regulatory reporting
- Who is responsible for initiating formal notifications
- How reporting integrates with operational containment
It became clear that the organisation lacked structured communications templates, reporting playbooks, and predefined report formats. These were identified as priority remediation actions following the exercise.
This element positioned the activity not just as a cyber security tabletop exercise, but as a practical SOCI compliance tabletop exercise.
Outcomes: Critical Infrastructure Cyber Resilience Uplift
While no formal report was produced, the organisation captured lessons learned through a structured post-exercise review.
The activity resulted in a significant uplift in organisational understanding of:
- OT–IT interdependencies during cyber incidents
- Escalation and reporting triggers under SOCI
- The operational consequences of IT-driven containment actions
- Communication pathways required to maintain shared situational awareness
The exercise highlighted previously unknown risks and clarified the need for structured playbooks, reporting templates, and clearer coordination procedures.
For a critical infrastructure water operator, these insights materially strengthened cyber resilience and reduced the likelihood of regulatory exposure during a real incident.
What This Means for Critical Infrastructure and Industry
This cyber security tabletop exercise demonstrates a pattern common across critical infrastructure sectors:
- IT containment decisions can unintentionally disrupt OT operations
- Cultural silos between cyber, engineering, and operations create blind spots
- Regulatory reporting uncertainty increases risk under pressure
- Communications breakdowns amplify technical incidents
For SOCI-regulated organisations, tabletop exercises provide a controlled environment to test cyber response, business continuity alignment, and regulatory compliance before real-world consequences occur.
A well-designed OT–IT tabletop exercise enables organisations to:
- Strengthen cross-functional coordination
- Validate incident response and regulatory reporting pathways
- Identify cascading failure risks
- Improve executive confidence during high-pressure incidents
In critical infrastructure environments, cyber incidents are not purely digital events. They are operational, regulatory, and reputational events. Exercises that integrate IT, OT, and executive decision-making provide one of the most effective mechanisms for proactive risk reduction.
Why Business and Industry Organisations Use Tabletop Exercises
A well-designed cyber security tabletop exercise directly supports business continuity. Business and industry organisations use cyber security and business continuity tabletop exercises to:
- Reduce operational and financial risk
- Improve executive confidence in incident response decision-making
- Validate regulatory and assurance requirements
- Strengthen coordination between technical, operational, and leadership teams
- Demonstrate due diligence to boards, regulators, and insurers
Most organisations believe they are prepared. Few have tested reporting thresholds, escalation pathways, and board notification triggers under pressure.
That gap only becomes visible in simulation or during a live incident.