Preparedness must be Rehearsed to build Resilience

BifrostConnect Blog

Preparedness Plans Must Be Rehearsed

Critical Infrastructure Fails Without Real-World Drills:

In critical infrastructure, preparedness is not a document. It is a capability, and a capability only exists if it has been rehearsed under realistic conditions. Water utilities, energy operators, industrial manufacturers and public service providers depend on OT environments where downtime has real societal impact. Pumps stop. Pressure drops. Production halts. A well-written incident response plan (IRP) does not prevent this on its own. A rehearsed IRP is what limits it.

Across sectors, many organisations write detailed IRPs but rarely test them under stress. An annual tabletop exercise on its own does not expose operational blind spots. ENISA’s “ICS Threat Landscape” finds that escalation during OT incidents is most often caused by operational uncertainty, unclear roles and delayed decision-making, not by missing documentation. When people freeze, outages grow.

Documentation does not equal Readiness…

NIS2 makes this distinction explicit. Article 21 requires essential and important entities to put in place technical, operational and organisational measures that cover, among other things, incident handling and business continuity, and Article 21(2)(f) adds policies and procedures to assess the effectiveness of those measures. Writing the measures down is the starting point; showing that they work is the obligation.

A document stored on SharePoint does not constitute readiness. Testing reveals whether the team can act under pressure, even when core IT systems are degraded.

NIST SP 800-84 reaches the same conclusion: exercises expose hidden dependencies, validate assumptions and strengthen coordination. In OT environments, where support systems are limited and stakes are high, ambiguity equals downtime.

Why OT Makes Preparedness Harder:

IT can often fall back on automation, SIEMs, identity infrastructure and centralised communication channels. OT often cannot. OT systems frequently run legacy firmware, have patch cycles measured in years, and require deterministic uptime. OT incident response must therefore be planned for scenarios where:

  • Authentication systems are unavailable

  • Remote access must work during isolation

  • Logging tools cannot connect to central servers

  • Communication channels degrade

  • Manual control becomes necessary

CISA’s “Best Practices for ICS” stresses that IRPs for OT must be tested in realistic conditions because coordination between IT and OT teams often breaks down during real incidents unless rehearsed in advance.

Muscle Memory Determines Outcomes:

Preparedness drills create “muscle memory”—a concept borrowed from aviation and emergency medicine. Under stress, people do not rise to the occasion; they fall to the level of their training.
Exercises strengthen:

  1. Speed: isolation and containment occur faster

  2. Clarity: roles are known without referencing documents

  3. Access: fallback access methods are validated

  4. Communication: alternative channels are tested

  5. Recovery: teams transition from manual mode to normal faster

The Most Overlooked Scenario = Network Isolation

Many operators assume that if they have to isolate the plant network (“island mode”), remote access and vendor support will simply pick up again afterwards. In reality, most organisations never test:

  • Vendor access during isolation

  • Two-factor authentication when the corporate IT infrastructure behind it is unreachable

  • Logging when SIEM and IAM are down

  • Vendor troubleshooting when the plant is offline

  • How remote access should work without exposing OT to the internet

ENISA’s “Remote Access Security in OT” specifically recommends that organisations exercise remote access under isolation conditions, because third-party access is a common weak point during incidents.

Hidden Dependencies Emerge Only Under Stress:

Exercises consistently reveal unexpected IT/OT interdependencies. Real incident reports show cases where operators believed OT was isolated, only to discover:

  • Firewall rule changes required Active Directory

  • VPN concentrators could not authenticate offline

  • PLC tools required online licensing

  • SCADA logging depended on corporate SQL clusters

  • Vendor support halted entirely when IAM failed

CISA repeatedly flags unidentified interdependencies between OT and IT as a leading cause of prolonged outages.
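The two checklists above (the island-mode questions and the interdependencies that surface during real incidents) are easier to work through when the dependencies are written down as a graph and a scenario is simply "remove these services". The script below is an added illustration, not BifrostConnect code or a tool from any of the cited sources. Its dependency map is constructed for the example and modelled on the bullets above; the service names (`corporate_wan`, `active_directory`, `license_server` and so on) are assumptions, and a real exercise would populate the map from architecture reviews and interviews with the people who run the plant.

```python
"""Drill-planning helper: which OT capabilities silently depend on IT?

Added example, not BifrostConnect code. The dependency map is constructed
for illustration; a real exercise would build it from architecture reviews
and interviews with the people who actually run the plant.
"""
from collections import deque

# capability or service -> the things it needs in order to work.
# Constructed data modelled on the interdependencies listed in the post.
# Lists (not sets) keep traversal order deterministic.
DEPENDENCIES = {
    "change_firewall_rule":       ["firewall_mgmt_console"],
    "firewall_mgmt_console":      ["active_directory"],
    "vendor_remote_access":       ["vpn_concentrator", "mfa"],
    "vpn_concentrator":           ["active_directory"],
    "mfa":                        ["internet"],
    "plc_engineering_tool":       ["license_server"],
    "license_server":             ["internet"],
    "scada_historian_logging":    ["corporate_sql_cluster"],
    "corporate_sql_cluster":      ["corporate_wan"],
    "active_directory":           ["corporate_wan"],
    "internet":                   ["corporate_wan"],
    "local_hmi_control":          [],   # genuinely stand-alone
    "break_glass_serial_console": [],   # out-of-band fallback
}

# The OT capabilities the exercise actually cares about.
CAPABILITIES = [
    "change_firewall_rule",
    "vendor_remote_access",
    "plc_engineering_tool",
    "scada_historian_logging",
    "local_hmi_control",
    "break_glass_serial_console",
]


def failed_nodes(deps, cut):
    """Everything that stops working when the nodes in `cut` are lost.

    A node fails if it is cut directly or if any of its dependencies
    has failed; the worklist loop propagates failure until stable.
    """
    failed = set(cut)
    changed = True
    while changed:
        changed = False
        for node, needs in deps.items():
            if node not in failed and any(n in failed for n in needs):
                failed.add(node)
                changed = True
    return failed


def failure_chain(deps, node, cut):
    """Shortest dependency chain from `node` down to a cut service (BFS).

    Returns None when `node` does not reach any cut service.
    """
    queue = deque([(node, [node])])
    seen = {node}
    while queue:
        current, path = queue.popleft()
        if current in cut:
            return path
        for nxt in deps.get(current, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [nxt]))
    return None


def isolation_report(deps, cut, capabilities):
    """Map each capability to "OK" or to the chain that breaks it."""
    failed = failed_nodes(deps, cut)
    report = {}
    for cap in capabilities:
        if cap in failed:
            report[cap] = " -> ".join(failure_chain(deps, cap, cut))
        else:
            report[cap] = "OK"
    return report


if __name__ == "__main__":
    # Scenario 1: island mode, the plant is cut from the corporate network.
    # Scenario 2: the WAN is up but the identity provider is down.
    for name, cut in [("island mode", {"corporate_wan"}),
                      ("IAM outage", {"active_directory"})]:
        print(f"\n=== {name}: lost {sorted(cut)} ===")
        for cap, status in isolation_report(DEPENDENCIES, cut, CAPABILITIES).items():
            print(f"{cap:28s} {status}")
```

Running it shows the point of the section in one screen: under island mode only the local HMI and the serial console survive, and every remote-access, firewall-change and engineering-tool capability fails through a chain that ends at the corporate WAN. The second scenario is the one teams tend to skip: with the WAN up but Active Directory down, vendor access and firewall changes are still lost. Each non-"OK" line is a candidate for a fallback that the next drill should actually exercise.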

Exercises Reduce Downtime:

Research from the U.S. Department of Energy and MITRE finds that organisations conducting regular cross-functional exercises reduce downtime during real incidents by 30–50%.
In critical infrastructure, this improvement directly influences public safety, environmental protection and economic continuity.

Is there a Recommended Exercise Cadence?

Across ENISA, NIST and industry best practice, the following cadence is common for operators of essential services:

  • Quarterly tabletop exercises

  • Twice-yearly technical/functional exercises

  • Annual live exercises involving real equipment

  • Extra drills after major architecture or system changes

For water, energy, manufacturing and transport operators, this level of testing aligns with risk expectations under NIS2.

Wrapping up:

A preparedness plan that is not rehearsed is an illusion. Critical infrastructure demands incident response capability that functions when systems are degraded, when authentication fails, and when networks must be isolated. Documentation does not deliver resilience alone – you need drills too.

Testing your plan is the only way to ensure continuity when your infrastructure is under real pressure and society depends on your uptime.

Author: Emilie Lerche Fenger

Date: November 18, 2025

📎 Resources:
  1. NIS2 Directive (EU) 2022/2555, full legal text
    https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32022L2555

  2. European Commission overview of NIS2
    https://digital-strategy.ec.europa.eu/en/policies/nis2-directive

  3. ENISA Cyber Threat Landscape overview
    https://www.enisa.europa.eu/topics/cyber-threats/threat-landscape

  4. NIST SP 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities (overview)
    https://www.nist.gov/privacy-framework/nist-sp-800-84
    Direct PDF
    https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-84.pdf

  5. NIST SP 800-82 Rev. 2, Guide to Industrial Control Systems (ICS) Security
    https://csrc.nist.gov/pubs/sp/800/82/r2/final

  6. CISA Industrial Control Systems portal
    https://www.cisa.gov/topics/industrial-control-systems

  7. CISA fact sheet, Securing Industrial Control Systems
    https://www.cisa.gov/sites/default/files/publications/Securing_Industrial_Control_Systems_Fact_Sheet_S508C.pdf

About the Author:

Emilie Lerche Fenger is the Head of Sales and Marketing at BifrostConnect, where she leads the company’s commercial strategy and cybersecurity-aligned market positioning. With eight years of experience in remote access and critical infrastructure, she focuses on understanding real operational challenges, shaping thought leadership and driving strategic initiatives that support NIS2 readiness and resilient IT/OT collaboration.
