U.S.-based midstream oil and gas operator engaged Armexa to evaluate its executive readiness to manage a high consequence cybersecurity incident impacting both Information Technology (IT) and Operational Technology (OT) environments. Through an executive level tabletop exercise, Armexa tested the organization’s incident response governance, decision making, and cross functional coordination under realistic cyber physical conditions. The exercise provided leadership with actionable insight into gaps in incident response execution, regulatory preparedness, and executive decision authority—establishing a clear road map for improving OT cyber incident readiness.
Challenges
While the organization had documented incident response policies and scenario based playbooks, these plans had never been exercised at the executive level nor tested against a cyber incident with material OT, business, and regulatory impact. Key challenges included:
- Limited executive confidence that existing Incident Response Plans (IRP) would function effectively during a real OT cyber crisis
- Misalignment between IT, OT, and safety leadership regarding escalation paths, authority, and priorities
- Uncertainty around regulatory notification requirements and external communications during OT cyber incidents
- Business and reputational risk tied to OT systems supporting billing, commercial transactions, and carbon neutrality commitments
Leadership sought to understand, before a real incident occurred, how decisions would be made under pressure, where governance would break down, and how well the organization could coordinate across disciplines during a high‑severity cyber event.
Our Solution
Armexa designed and facilitated an executive level OT cybersecurity incident response tabletop exercise tailored to the client’s operational, regulatory, and business context.
Scenario Driven Executive Tabletop: Armexa developed a ransomware driven scenario that originated in IT systems and escalated into OT environments, reflecting real world attack patterns. The scenario progressively impacted commercial transaction processing systems, OT telemetry supporting environmental and carbon neutrality reporting, and historical data repositories required for audit, compliance, and regulatory reporting.
Cross Functional Executive Participation: The tabletop brought together executive leadership and leaders from IT, OT, operations, legal, finance, accounting, EHS, regulatory, HR, and communications. Armexa facilitated the exercise across the full incident lifecycle.
Governance Focused Facilitation: Rather than focusing on technical controls, Armexa emphasized governance, communication, and executive decision making.
Outcomes & Impact
Strategic, operational, and long-term benefits included improved executive clarity, identification of governance gaps, actionable remediation recommendations, and improved readiness for high consequence OT cyber incidents.
Strategic Benefits
o Improved executive clarity on incident declaration, decision authority, and escalation thresholds
o Stronger alignment between IT, OT, safety, and business leadership on cyber‑physical risk
o Increased confidence in leadership’s ability to manage high‑consequence OT cyber incidents
Operational Benefits
o Identification of gaps in IRP workflows, escalation paths, and supporting checklists
o Clear understanding of where regulatory notification and external communication processes
required refinement
o Actionable recommendations prioritized based on business and operational impact
Long‑Term Impact
o A clear roadmap for strengthening OT cyber incident response governance
o Foundation for recurring executive tabletop exercises with varied scenarios
o Improved organizational readiness to manage cyber incidents affecting safety, operations, and
regulatory compliance
