Tabletop Exercise Workshop: Mobilizing NIMS Incident Command System for ICS/OT Incident Response
Tabletop Exercise Workshop: Oil/Gas/Airport IR Scenario using ICS4ICS
FREE
Scenario Overview: Oil/Gas/Airport OT/ICS Incident Response TTX
UTSI will facilitate a four-part cybersecurity tabletop exercise simulating a cyber-physical incident impacting an airport’s IT and Operational Technology (OT) environment, with specific focus on SCADA systems and oil and gas feeder systems supporting airport fueling operations. The scenario highlights the interconnectivity of airport IT and OT systems, the operational and safety implications of disrupted fuel distribution, and the complexity of coordinating response across multiple stakeholders.
The exercise leverages the National Incident Management System (NIMS) and Incident Command System (ICS), including ICS4ICS coordination, to demonstrate structured yet flexible response models for cyber incidents affecting critical infrastructure. Participants will explore how NIMS principles—particularly scalability and adaptability—complement technical cybersecurity frameworks such as NIST SP 800-61r3, NIST SP 800-82, IEC 62443, and MITRE ATT&CK.
Conducted over three morning sessions and one afternoon session, each day focuses on a distinct dimension of the incident.
April 20-22, 2026 | Georgia Tech Exhibition Hall | MidTown, Main Stage
Mon/Wed: 7:45-8:45am | Tue: 8-10a | Wed Lessons Learned: 2-2:30p
While each session builds up on the last, it’s not necessary to attend all four sessions to gain value from this exercise. Please register even if you can’t attend all sessions.
Open to anyone to observe or participate with registration recommended, but not required, this tabletop exercise is designed to introduce the value of ICS4ICS, a standardized, scalable framework for responding to cyber-physical attacks on critical infrastructure. Participation earns you extra challenge coin points and meets the exercise requirement for Type 4 ICS4ICS credentialing, in addition to 12 hours of FEMA training on the Incident Command System.
Led By:
UTSI, ICS4ICS, ThreatGen, MITRE
Scenario Overview: Oil/Gas/Airport OT/ICS Incident Response TTX
UTSI will facilitate a four-part cybersecurity tabletop exercise simulating a cyber-physical incident impacting an airport’s IT and Operational Technology (OT) environment, with specific focus on SCADA systems and oil and gas feeder systems supporting airport fueling operations. The scenario highlights the interconnectivity of airport IT and OT systems, the operational and safety implications of disrupted fuel distribution, and the complexity of coordinating response across multiple stakeholders.
The exercise leverages the National Incident Management System (NIMS) and Incident Command System (ICS), including ICS4ICS coordination, to demonstrate structured yet flexible response models for cyber incidents affecting critical infrastructure. Participants will explore how NIMS principles—particularly scalability and adaptability—complement technical cybersecurity frameworks such as NIST SP 800-61r3, NIST SP 800-82, IEC 62443, and MITRE ATT&CK.
Conducted over three morning sessions and one afternoon session, each day focuses on a distinct dimension of the incident:
Day 1 – Scenario Framing & Command Structure:
Establishes the operational landscape, introduces the threat scenario, defines roles and responsibilities, and stands up the ICS structure. Emphasis is placed on aligning NIMS/ICS constructs with established cyber incident response frameworks. Includes a guest speaker on NIMS ICS and ICS4ICS coordination.
Day 2 – Technical Incident Response:
Focuses on the end-to-end cyber response lifecycle—identify, detect, respond, and recover—within an airport OT/ICS context. Addresses IT vs. OT considerations, SCADA impacts, fuel supply dependencies, and evolving threat tactics. Includes a guest speaker from MITRE.
Day 3 – Business, Risk, and Governance Impacts:
Examines enterprise-level implications, including operational risk, regulatory and compliance considerations, insurance impacts, public relations, and governance, risk, and compliance (GRC) processes. Includes a guest speaker on cyber insurance.
Day 3 evening- Closeout and Lessons Learned: The exercise concludes with a facilitated report-out and lessons learned session, capturing key observations across operational, technical, and business domains. A closing segment will recognize participant contributions through superlative awards.