Who Owns OT Risk?
What Red Team Tabletops Actually Find

The scenario is straightforward: a ransomware infection is spreading through your IT network and indicators suggest it may be approaching your OT environment. The Red Team facilitator pauses the simulation and asks a simple question. Who has the authority to isolate the OT segment? The room goes quiet. People look at each other. Someone mentions the CISO. Someone else says it's an operations call. A third person suggests waiting for legal. The facilitator writes it down.

When a Red Team runs a tabletop exercise in an industrial environment, most participants expect to work through technical scenarios. What they often don't expect is that the most significant findings have nothing to do with firewalls or detection tools.

A Red Team tabletop tests decision authority, escalation paths and IT-OT coordination under time pressure. It examines who has organizational standing to make calls when minutes matter. And it creates the specific conditions where accountability gaps stop being theoretical. Under simulated pressure, the structure on paper is tested against the one that actually exists in practice.

These two structures are rarely identical.

According to SANS Institute's 2025 ICS security report, regulated industrial sites experience roughly the same number of incidents as their peers but suffer about 50% fewer financial and safety impacts. The difference, SANS concluded, comes down to structure and accountability. The gap isn't how often attacks happen. It's what happens after they do.

Across IT-OT tabletop exercises, five accountability gaps appear with enough consistency to treat them as structural patterns rather than exceptions.

• 1

  Undefined Incident Ownership at the IT-OT Boundary

  When an attack is IT-side but the consequences are operational, nobody owns the intersection. IT security stops at the IT boundary. OT engineering teams don't typically think in security terms. The tabletop reveals who bridges that gap, and often discovers the answer is nobody. Adversaries move freely through the gaps accountability structures create. The tabletop shows organizations exactly where those gaps are in their own structure.

• 2

  No Established Authority to Isolate OT Segments

  NIST SP 800-82 recommends that organizations define authority for operations to isolate a compromised system from the process control network if safety is at immediate risk, guidance that many organizations paper over in practice with distributed C-suite responsibility rather than a documented, exercised authority structure.

• 3

  Vendor Access With No On-Call Accountability

  Third-party remote access exists in almost every industrial environment. What's frequently missing is a designated contact for incidents, a revocation process and confirmed escalation coverage. The Verizon 2025 Data Breach Investigations Report found that third-party involvement in breaches doubled to 30%. When a vendor connection becomes the threat vector, undefined accountability makes a fast response nearly impossible.

• 4

  Unclear Escalation Paths From OT to Executive Leadership

  The tabletop exposes this when a simulated critical finding requires an executive decision and nobody knows who to call. This pattern isn't hypothetical. In the 2021 Colonial Pipeline incident, DHS was not alerted through any planned notification process. Following the JBS attack that same year, DHS leadership learned about the incident when the White House Situation Room called them, not the other way around. In both cases, escalation paths to federal partners failed because they hadn't been defined.

• 5

  Nobody Empowered to Approve Emergency Changes

  Change control in OT environments is deliberately slow, for good safety reasons. Emergency response is not. These two realities rarely get reconciled in advance. As Dragos documented in its 2026 OT Cybersecurity Year in Review, access can persist after detection because removing it requires coordination with operations, not just technical cleanup. That coordination requires authority that isn't always assigned.

Compliance tabletops validate that a plan exists. Red Team tabletops test whether that plan actually works when pressure is applied.

A Red Team tabletop puts real people in a room, applies realistic time pressure and injection events they didn't anticipate, and observes what actually happens. According to Security Risk Advisors, clear thinking is often the first thing to exit the building during a crisis. The tabletop creates that stress deliberately, where the lessons surface as findings rather than incident costs.

The structural changes that tabletop findings drive are specific: a single incident ownership role at the IT-OT boundary, documented OT isolation authority with named individuals, 24/7 vendor access contact and revocation procedures, and pre-approved emergency change categories that bypass full change control during active incidents.

These aren't aspirational recommendations. They're the direct output of what the tabletop exposed.

According to IBM's 2024 Cost of a Data Breach report, organizations that regularly test IR plans average $3.26 million in breach costs. Those without average $5.29 million, a 58% difference. Tested accountability isn't just a governance exercise. It's a financial outcome.

SANS 2025 found that organizations testing IR plans more frequently are far more likely to conduct executive-level tabletops, and that this broader testing discipline correlates strongly with improved readiness and faster incident response. The vCISO translates those findings into governance work, mapping accountability gaps and closing them through structural changes the organization can sustain. The exercise is how you know if the map matches the territory. The vCISO work makes closing it stick.

Organizational accountability is the first thing the Red Team tests. The second is the one that surprises organizations most: whether their security maturity is actually what they believe it is. The answer, almost universally, is more complicated than the internal assessment suggested. That's where we go next.