Executive summary from Episode 3: OT Protection & Tabletop Exercising, of a 4 part OT Resilience Webinar Series

When an OT cyber incident occurs, the difference between a contained disruption and an operational failure is not the quality of your detection tooling; it is the quality of your preparation. Episode 3 of the OT Resilience Blueprint 2026 series addresses the often-neglected space between detection and recovery: the response planning, tabletop exercising, vulnerability management and governance frameworks that determine how effectively an organisation can protect uptime, maintain safety, and preserve business continuity under adversarial conditions. Dominic Carroll, Director of Portfolio Marketing at e2e assure, is joined in this episode by Simon Hodgkinson, former Global CISO at BP, where he held board-level accountability for IT and OT security across one of the world's largest energy companies.


The Financial Reality of OT Downtime 

The financial stakes of OT cyber incidents are no longer abstract. A recent Dragos report projects up to $31 billion in global financial risk from OT security incidents over the next twelve months, even before business interruption insurance claims are factored in. North America and Europe (including the UK) remain the primary regional targets for adversarial activity against industrial infrastructure. For organisations in manufacturing, energy, utilities, and critical national infrastructure, this is a business risk with board-level consequences: operational disruption, regulatory exposure, reputational damage, and in the most severe cases, safety incidents with life-safety implications. The CISO and head of OT security who can frame this risk in terms their executive and board can act on are the ones most likely to secure the resources needed to address it.


Tabletop Exercises: Start at the Top 

The most common mistake organisations make when designing OT cyber exercises is scoping them as purely technical exercises: run by the security team, for the security team. The organisations that derive the most value from tabletop exercises start at executive level, because that is where the consequential decisions will need to be made in a real incident. Who has the authority to sever the connection between IT and OT networks? Under what conditions should production be halted? Who communicates to regulators, customers, and the public, and when? These are governance questions that often get overlooked, and organisations that have not rehearsed the answers to them will be making critical decisions under extreme pressure, with incomplete information, in the middle of an active incident. The Colonial Pipeline incident is an illustrative example. The pipeline was shut down not because of a direct attack on OT systems, but because the operator lacked the visibility and confidence to know whether its OT environment was safe to continue operating. That precautionary decision cost hundreds of millions of dollars.

“In my experience, the best way to start a tabletop exercise is at the very top of the house – at executive level – because cyber is just a business risk, whether it is in the IT side of the house or the OT side.” 

— Simon Hodgkinson, Former Global CISO, BP 


OT Vulnerability Management: A Different Risk Calculus 

There is no Patch Tuesday in the OT world. Vulnerability management in operational technology environments requires a fundamentally different approach to prioritisation, one that accounts for asset criticality, operational dependencies, safety implications, and the maintenance windows that are often the only safe opportunity to apply updates. The webinar sets out a practical framework: MISP threat intelligence feeds into MITRE ATT&CK for ICS mapping, which informs operational decisions based on active exploitation status, sector-specific targeting, attack chain position, and existing countermeasures. The output is a set of prioritised interventions: network segmentation changes, targeted threat hunts, detection engineering updates, and firmware updates scheduled within safe maintenance windows. This intelligence-led approach to vulnerability management is what separates organisations that reduce risk from those that generate compliance paperwork.
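To make that prioritisation logic concrete, here is an added example, not the webinar's own tooling nor anything from e2e assure or BP: a small Python scorer that takes OT findings already mapped to ATT&CK for ICS techniques, combines them with the kind of intelligence a MISP instance would supply (what is actively exploited, which techniques are being used against your sector), weighs asset criticality, safety relevance, chain position and existing countermeasures, and emits the intervention set the paragraph describes. The weights, asset records, finding IDs (which stand in for CVE IDs) and the intel sets are all constructed for illustration; the ATT&CK for ICS technique IDs are used only as labels for chain position and should be checked against the current matrix before being relied on.

```python
"""Illustrative intelligence-led prioritisation for OT vulnerability findings.

Constructed example: weights, assets, finding IDs and the MISP-style intel
below are invented. Technique IDs are labels for illustration; verify them
against the current ATT&CK for ICS matrix.
"""
from dataclasses import dataclass
from typing import List, Set


@dataclass
class Finding:
    asset: str
    vuln_id: str                # stands in for a CVE ID in this example
    criticality: int            # 1 (low) .. 5 (safety-critical process)
    safety_related: bool        # could exploitation affect a safety function?
    techniques: Set[str]        # ATT&CK for ICS techniques the weakness enables
    internet_exposed: bool
    segmented: bool             # reachable only through a controlled conduit?
    detection_coverage: bool    # is the technique already covered by detections?
    patch_available: bool


@dataclass
class Intel:
    """Distilled from MISP events: what is exploited, and against whom."""
    actively_exploited: Set[str]            # finding/CVE IDs seen in the wild
    sector_targeted_techniques: Set[str]    # techniques used against our sector


# Chain position (illustrative): access/movement techniques sit earlier than impact.
EARLY_CHAIN = {"T0883", "T0866", "T0886"}   # Internet Accessible Device, Exploitation of Remote Services, Remote Services
IMPACT = {"T0831", "T0855"}                 # Manipulation of Control, Unauthorized Command Message


def score(f: Finding, intel: Intel) -> int:
    """Higher is more urgent. Countermeasures reduce urgency, never to below zero."""
    s = f.criticality * 2
    if f.safety_related:
        s += 4
    if f.vuln_id in intel.actively_exploited:
        s += 5
    if f.techniques & intel.sector_targeted_techniques:
        s += 3
    if f.internet_exposed:
        s += 3
    if f.techniques & EARLY_CHAIN:
        s += 2   # fixing early-chain weaknesses stops the chain before the process
    if f.segmented:
        s -= 3   # existing conduit controls buy time for a maintenance window
    if f.detection_coverage:
        s -= 1
    return max(s, 0)


def interventions(f: Finding, intel: Intel) -> List[str]:
    """Translate the finding into the intervention types the framework produces."""
    actions: List[str] = []
    exploited = f.vuln_id in intel.actively_exploited
    targeted = bool(f.techniques & intel.sector_targeted_techniques)
    if exploited and f.internet_exposed and not f.segmented:
        actions.append("segmentation: remove direct exposure now, before any patch")
    if exploited or targeted:
        actions.append("threat hunt: look for prior exploitation on this asset")
    if not f.detection_coverage:
        actions.append("detection engineering: cover " + ", ".join(sorted(f.techniques)))
    if f.patch_available:
        actions.append("firmware/patch: schedule in next safe maintenance window")
    else:
        actions.append("vendor: no fix yet; rely on compensating controls")
    return actions


def prioritise(findings: List[Finding], intel: Intel) -> List[Finding]:
    return sorted(findings, key=lambda f: score(f, intel), reverse=True)


# Constructed sample data (not real assets, vulnerabilities or intelligence).
FINDINGS = [
    Finding("PLC-Line2", "EXAMPLE-1", 5, True, {"T0855"}, False, True, True, True),
    Finding("HMI-Remote", "EXAMPLE-2", 3, False, {"T0883", "T0866"}, True, False, False, True),
    Finding("Historian", "EXAMPLE-3", 2, False, {"T0886"}, False, True, False, False),
]
INTEL = Intel(actively_exploited={"EXAMPLE-2"}, sector_targeted_techniques={"T0866", "T0883"})

if __name__ == "__main__":
    for f in prioritise(FINDINGS, INTEL):
        print(f"{f.asset:<12} score={score(f, INTEL):>2}")
        for a in interventions(f, INTEL):
            print("   -", a)
```

The point the ordering makes is the one the paragraph makes: the safety-critical PLC is not the first thing to touch, because it is segmented and already covered by detections, so its fix waits for a maintenance window; the exposed, actively exploited HMI gets a segmentation change today and a hunt, with the patch following when it is safe to apply.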

“Who would make the decision to sever the connection between OT and IT? Most organisations I talk to would say they would need to get the incident call together, get senior execs involved. By then it is too late.” 

— Simon Hodgkinson, Former Global CISO, BP 


CAF 4.0 Objective D: Response, Recovery, and Lessons Learned 

The UK Cyber Assessment Framework 4.0 Objective D provides the regulatory scaffold for OT response and recovery planning. It requires organisations to maintain documented, tested, and regularly exercised response and recovery plans, with clear lines of authority, defined escalation paths, and integration with business continuity frameworks. Critically, it distinguishes between response planning that covers known threats and planning that addresses emerging or novel attack scenarios. For OT environments, this means exercises that go beyond ransomware scenarios to address supply chain compromise, firmware implants, and the specific challenge of restoring industrial control systems to a known-good state without triggering safety events. CAF 4.0 also requires post-incident analysis to drive structured, prioritised improvements, not lessons-learned documents that are filed and forgotten.

“You cannot separate IT and OT in today’s digital world. You create the segmentation so you are able to sever it if you need to — but the reality is there is enormous telemetry coming out of those environments that you want to use to optimise processes.” 

— Simon Hodgkinson, Former Global CISO, BP 


Watch the Full Episode 

Episode 3 includes Simon Hodgkinson’s detailed account of running OT-focused executive cyber exercises at BP — including the discovery that a critical segmentation capability had never been tested under real conditions. It also covers a live walkthrough of vulnerability mapping using MITRE ATT&CK for ICS, and a detailed review of CAF 4.0 Objective D requirements. If you are responsible for OT resilience, incident response planning, or business continuity in a critical infrastructure environment, this session is essential viewing. 


► Watch Episode 3 on demand: OT Security in Practice: Connecting IT and OT Monitoring for Critical Infrastructure