2021-09-30

In September 2020, the National Association of Regulatory Utility Commissioners, with the support of the US Department of Energy, published a Cybersecurity Tabletop Exercise Guide.

Public utility commissions (PUCs) are responsible for ensuring adequate, safe, and reliable utility services at reasonable rates. As such, they need to know that jurisdictional utilities’ cybersecurity risk management plans and practices—put in place to mitigate cybersecurity vulnerabilities, counter malicious cyber threats, and rapidly respond and recover from successful attacks—are comprehensive and effective. Exercises are useful for this purpose.

Exercises provide opportunities for participants to demonstrate and assess capabilities in specific areas of interest, including cybersecurity risk management. They also facilitate coordination and help clarify organizational roles and responsibilities.

This Tabletop Exercise (TTX) Guide steps PUCs through the process of creating and executing an exercise specifically designed to examine capacities and capabilities to plan for, respond to, and recover from a cybersecurity incident involving critical energy infrastructure. It complements other resources in NARUC’s Cybersecurity Manual, particularly Understanding Cybersecurity Preparedness: Questions for Utilities, and the Cybersecurity Preparedness Evaluation Tool. Coupled with the TTX Guide, these tools comprise a structured, process-driven approach to identifying, assessing, and testing the efficacy of utilities’ cyber risk management plans and practices. This knowledge helps commissions identify cybersecurity gaps, spur utilities’ adoption of additional mitigation and response strategies, and encourage improvements.

Part I details the steps to plan and execute a TTX. Part II reviews the steps required to conduct a seminar-based exercise. TTXs are discussion-based, typically led by a facilitator who guides participants through one or more scenarios for the purpose of testing the thoroughness and efficacy of relevant plans, processes, and procedures. This format is well suited to commissions’ objective assessment of utilities’ cybersecurity preparedness as well as of their own cyber incident response capabilities. Seminars, which are also discussion-based exercises, typically examine a single procedure within a larger plan or a single step in a multistep process.