Have You Ever Tested Your OT Security Response?

It’s one thing to have a process. It’s another to know it works.

We’ve all seen the news and probably thought,  What would we do if that happened to us? “Who’s got this?”

If you work in manufacturing or industrial environments, you know what I mean. We spend so much time talking about tools, dashboards, and alerts, but when something really happens—or when we run a test—the real challenge isn’t the technology. It’s the people and the process.

So here’s a question worth asking:

Have you ever actually simulated an OT vulnerability?
Do you know who should respond, and how fast?

If the answer is “not recently” or “I think so,” that’s your sign to run a simulated test.

Why Testing Matters More Than Talking About It

Most teams assume they’re ready until they run a drill. That’s when you find the surprises:

• Alerts that never reached the right person.
• outdated Escalation lists.
• Documentation that sounds great but doesn’t match reality.

Testing doesn’t just check whether your tech works; it shows whether your workflow holds up under pressure.

Who Should Be Involved (and Why)

The Alert Responder

They’re the first to see it. Their job? Acknowledge the alert, start the clock, and kick off the response plan. Testing this role is a quick reality check: Do alerts route correctly? Does everyone know what to do first?

The Security Analyst

The detective. They dig in, figure out what’s real, what’s noise, and what’s urgent. During a test, you’ll quickly learn if they have the right visibility and data — or if they’re spending too much time chasing logs.

The Site Champion

This is your plant expert. They know the impact side, what’s running, what can’t stop, and what “patching” really means on a live line. If you’re not including them in your drills, you’re missing half the picture.

The OT or IT Leader

The traffic controller. They make sure leadership gets the right level of visibility, not panic. In a test, they help connect the dots — are the right people looped in? Are communications clear?

Using Standards to Guide You

You don’t have to invent your own testing approach. That’s what frameworks are for: they give you structure, benchmarks, and clarity on what “good” looks like.

A few worth knowing:

• NIST 800-82: The go-to guide for industrial control system (ICS) security. It encourages running tabletop exercises safely.
• ISA/IEC 62443: Lays out who should do what and how to verify it’s done right.
  CMMC: Even at Level 1 or 2, you’re expected to prove your procedures work, not just describe them.
• NIST CSF: Its “Respond” and “Recover” categories map ideally to testing your detection and escalation processes.

Real-World Examples and Resources to Help You Start

Not sure where to begin? You don’t need to start from scratch. There are already great examples and resources you can use to run OT security response tests right now.

Here are some of the best:

• CISA Tabletop Exercise Packages (CTEP): Free, ready-to-run tabletop exercises built by the U.S. Cybersecurity and Infrastructure Security Agency. They include OT-relevant scenarios, objectives, and facilitator guides. 👉 https://www.cisa.gov/resources-tools/services/cisa-tabletop-exercise-packages
• SANS Institute — ICS Tabletop Exercise Guidance: Straightforward advice on designing and running effective ICS-focused tabletop drills. 👉 https://www.sans.org/blog/top-5-ics-incident-response-tabletops-and-how-to-run-them
• NIST SP 800-82 Revision 3: The industry standard for OT cybersecurity. Contains a section on building and testing incident response capabilities. 👉 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf

Use these as your foundation; they’ll save you time, provide structure, and help you benchmark your program against proven best practices.

Final Thought

Technology is excellent, but in OT environments, it’s still the people who make the call that keep production running safely.
Before the next real incident hits, run the test yourself. Use a framework. Involve your teams. Make it part of your rhythm.
Because when something really happens, you won’t have time to practice, you’ll do what you’ve prepared for.