
Incident Tabletop Exercises for Critical Infrastructure in Ukraine

Tabletop exercises are structured discussions in which organizational leaders and technical responders work through a simulated incident scenario without any live technical execution. They are a cornerstone of testing incident response preparedness. Unlike live-fire cyber exercises, tabletops focus on decision-making processes, inter-organizational communication, and governance procedures rather than hands-on technical defensive skills. For Ukraine's critical infrastructure operators, tabletop exercises facilitated by CISA and other partners have been essential tools for identifying institutional coordination failures that technical capabilities alone cannot address.

CISA Facilitation in Ukraine

The US Cybersecurity and Infrastructure Security Agency has been one of the primary international partners facilitating tabletop exercise programs for Ukrainian critical infrastructure sectors. CISA brought its considerable experience running critical infrastructure exercises in the United States and adapted methodologies to the Ukrainian context—accounting for active hostilities, simultaneous physical and cyber attack scenarios, and the compressed decision timelines characteristic of wartime operations.

CISA-facilitated tabletops in Ukraine have addressed several distinctive scenarios including: coordinated cyber attacks coinciding with missile strikes on power infrastructure; ransomware attacks on hospital systems during mass casualty events; and cascading failures across interconnected energy, water, and financial systems. These scenarios are not hypothetical for Ukrainian participants—they reflect documented attack attempts or realized incidents that require systematic response improvements.

Energy Sector Scenarios

Energy sector tabletops represent the highest-priority exercise domain given that Ukraine's power grid has been under systematic physical and cyber attack. Scenarios have tested operator responses to cyber attacks on energy management systems that coincide with physical substation damage, requiring coordination between regional grid operators, Ukrenergo (the national transmission system operator), emergency generation for critical facilities, and international energy partners providing support through the European grid connections.

A key finding from energy sector tabletops has been the ambiguity problem: when a power substation goes offline, real-time determination of whether the cause is cyber attack, kinetic damage, or equipment failure requires different response procedures with different specialist involvement. Tabletops have driven development of multi-hypothesis initial response protocols that initiate parallel response tracks for each possible cause simultaneously, rather than sequentially investigating causes before responding.
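The multi-hypothesis protocol described above is easy to state and easy to get wrong under pressure, so here is an added worked example of its core logic. This is illustrative code written for this page, not a CISA, SSSCIP or operator procedure; the track rosters, first actions and observation names are assumptions. It shows the three properties that distinguish parallel from sequential triage: every hypothesis track opens at the moment the substation drops, each field observation escalates or stands down only the track it bears on, and a track that has already been confirmed is never closed by a later contradictory report.

```python
"""Multi-hypothesis initial response for a "substation offline" event.

Added example for this page; it is not a published CISA, SSSCIP or operator
procedure. The track rosters, first actions and observation types are assumed.
"""
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    OPEN = "open"              # cause neither confirmed nor excluded; track keeps working
    ESCALATED = "escalated"    # positive evidence for this cause; full specialist team engaged
    STOOD_DOWN = "stood_down"  # specialist evidence explicitly excludes this cause


@dataclass
class Track:
    cause: str
    specialists: tuple
    first_actions: tuple
    status: Status = Status.OPEN
    evidence: list = field(default_factory=list)


# One track per hypothesis, all opened at once (assumed rosters and actions).
TRACK_TEMPLATES = {
    "cyber": (("OT/ICS security lead", "CERT-UA liaison"),
              ("preserve EMS/SCADA and historian logs",
               "isolate engineering workstations from the control network")),
    "kinetic": (("site security", "military liaison", "emergency services"),
                ("confirm personnel safety and site access",
                 "request a physical damage assessment")),
    "equipment": (("protection engineer", "maintenance crew"),
                  ("pull relay event records and breaker status",
                   "check for planned outages or maintenance work")),
}

# Observation type -> (hypothesis it bears on, "confirm" or "exclude").
# Confirming one cause never closes another track: combined attacks are the
# scenario these protocols exist for, so only explicit exclusion stands a track down.
OBSERVATION_RULES = {
    "ot_auth_anomaly": ("cyber", "confirm"),
    "ot_network_baseline_clean": ("cyber", "exclude"),
    "physical_damage_report": ("kinetic", "confirm"),
    "physical_inspection_clear": ("kinetic", "exclude"),
    "relay_fault_record": ("equipment", "confirm"),
    "relay_records_normal": ("equipment", "exclude"),
}


def open_incident():
    """Open every hypothesis track in parallel instead of investigating causes one by one."""
    return {cause: Track(cause, specialists, actions)
            for cause, (specialists, actions) in TRACK_TEMPLATES.items()}


def apply_observation(tracks, obs_type, detail):
    """Fold one field observation into the track it bears on and return the board."""
    if obs_type not in OBSERVATION_RULES:
        raise ValueError(f"unknown observation type: {obs_type}")
    cause, effect = OBSERVATION_RULES[obs_type]
    track = tracks[cause]
    track.evidence.append(f"{obs_type}: {detail}")
    if effect == "confirm":
        track.status = Status.ESCALATED
    elif track.status is not Status.ESCALATED:
        # A track that has already been confirmed is never stood down by a later
        # negative report; contradictory evidence is a finding, not a closure.
        track.status = Status.STOOD_DOWN
    return tracks


def active_tracks(tracks):
    """Causes still being worked, i.e. every track not explicitly stood down."""
    return sorted(cause for cause, t in tracks.items() if t.status is not Status.STOOD_DOWN)


def render_board(tracks):
    """One line per track for the coordination call: status, who is engaged, what is next."""
    lines = []
    for cause, t in tracks.items():
        lines.append(f"{cause:<9} {t.status.value:<10} {', '.join(t.specialists)}")
        for action in t.first_actions:
            lines.append(f"          - {action}")
        for e in t.evidence:
            lines.append(f"          * {e}")
    return "\n".join(lines)


# Constructed observation feed for a coincident cyber + strike scenario (not real data).
CONSTRUCTED_FEED = [
    ("ot_auth_anomaly", "EMS service account logon from an unexpected host at 04:12"),
    ("physical_damage_report", "site security reports a transformer fire after a strike"),
    ("relay_records_normal", "protection engineer: relays tripped on loss of supply, no internal fault"),
]


def run_example():
    tracks = open_incident()
    for obs_type, detail in CONSTRUCTED_FEED:
        apply_observation(tracks, obs_type, detail)
    return tracks


if __name__ == "__main__":
    print(render_board(run_example()))
```

Running it prints the board after the constructed feed: the cyber and kinetic tracks are escalated and the equipment track is stood down. The design point is the asymmetry in apply_observation: confirmation of one cause is never used to exclude the others, which is exactly the sequential-triage mistake the tabletops exposed, and an exclusion that arrives after a confirmation is recorded as evidence rather than used to close the track.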

Multi-Ministry Coordination Testing

Critical infrastructure incidents cannot be managed by a single ministry or agency alone—they require coordinated action across the energy operator, cybersecurity agency, national grid operator, military command, police, and potentially multiple government ministries. Tabletop exercises specifically designed to involve participants from multiple ministries have repeatedly identified coordination failures: unclear authority for particular decision types, communication bottlenecks during crisis periods, and pre-existing inter-agency conflicts that slow information sharing.

Tabletop Exercise Program Characteristics

Exercise type          | Participants                  | Duration  | Scenario focus            | Primary findings
-----------------------|-------------------------------|-----------|---------------------------|-------------------------------
Executive tabletop     | Ministry leaders, CEOs        | Half day  | Strategic decisions       | Decision authority gaps
Functional tabletop    | IR team leads, ops leaders    | Full day  | Coordination procedures   | Communication breakdowns
Technical deep-dive    | SOC analysts, engineers       | Full day+ | Technical response steps  | Playbook gaps, tool misuse
Cross-sector exercise  | Multi-sector representatives  | Full day  | Cascading failures        | Cross-sector communication
Wartime-adapted        | Mixed civilian-military       | Full day  | Physical + cyber combined | Civilian-military coordination

Healthcare and Emergency Services Scenarios

Hospital and emergency services operators have participated in tabletop exercises addressing ransomware attacks during mass casualty influxes—scenarios that became tragically relevant following Russian missile strikes on civilian targets. These exercises have driven procedural changes including pre-planned paper-based fallback procedures for all critical hospital systems, designated roles for cyber incident coordination that do not conflict with direct patient care responsibilities, and relationships with neighboring hospital systems for patient transfer coordination during IT outages.

After-Action Integration and Improvement Tracking

The value of tabletop exercises depends heavily on the quality of after-action processes that translate identified weaknesses into implemented improvements. Ukraine's SSSCIP has developed a standardized after-action reporting format used across critical infrastructure tabletop programs, creating a consistent registry of identified gaps, assigned owners for each remediation action, and follow-up verification timelines. This systematic approach contrasts with earlier ad-hoc exercise programs where identified weaknesses were documented in reports that were not systematically tracked to closure.

International facilitating organizations including CISA and the EU Agency for Cybersecurity receive anonymized versions of after-action reports, enabling them to calibrate subsequent capacity-building investments to address the most systematic and recurring gaps identified across the exercise program.

FAQ

What is the difference between a tabletop exercise and a live-fire exercise?
A tabletop exercise is a structured discussion where participants talk through how they would respond to a scenario, without activating technical systems or deploying teams. A live-fire exercise deploys actual technical infrastructure, attack tools, and defense teams in a simulated environment. Tabletops test decision-making and coordination; live-fire tests technical skills and tool capabilities.
Who should participate in critical infrastructure tabletop exercises?
Effective tabletops require the actual decision-makers who would be responsible in a real incident—not just technical staff. This includes executives and senior officials with authority to direct spending, activate emergency procedures, communicate with government, and make decisions about system shutdown. Technical staff participation is also important for scenario realism, but executive participation drives governance improvements.
How often should critical infrastructure tabletop exercises be conducted?
Best practice recommends at least one tabletop per year for critical infrastructure operators, with higher-risk sectors or operators with recent real incidents conducting multiple exercises. Ukraine's active threat environment has justified more frequent exercises in some sectors. CISA guidance recommends exercises at sufficient frequency to incorporate lessons from real incidents and technology changes.
What is the most common finding in Ukrainian critical infrastructure tabletops?
Consistently across sectors, the most common finding is unclear decision authority—situations where multiple organizations or individuals believe they should be making a particular decision, leading to delay or conflict, or situations where no one believes they have authority to act, causing inaction. Clarifying decision authority in advance through agreed coordination frameworks and legal authorities is a primary tabletop outcome.
Are exercise scenarios based on real Ukrainian incident case studies?
Yes. CISA and other facilitators use real Ukrainian incident case studies (suitably anonymized or in cases already public) as the basis for exercise scenarios. This grounding in actual attacks means Ukrainian participants are not practicing responses to hypothetical threats but rather systematically working through the response to incidents that have actually occurred in their sector.

Cyber Operations Analysis: Incident Tabletop Exercises for Critical Infrastructure in Ukraine

The Russia-Ukraine conflict has generated some of the most comprehensively documented state-sponsored cyber operations in history, and the tabletop exercise programs described above are one institutional response to that environment: they rehearse the incidents this conflict has actually produced. Cyber attacks have targeted Ukrainian government systems, critical infrastructure, financial institutions, and military communications since well before the physical invasion began in February 2022. Understanding the technical characteristics, attributable actors, and strategic effects of those operations provides the context in which exercise scenarios are designed and their findings assessed.

Russian state-sponsored threat actors including Sandworm (GRU Unit 74455), APT28/Fancy Bear (GRU Unit 26165), APT29/Cozy Bear (SVR), and Turla (FSB) have conducted sustained campaigns against Ukrainian and allied targets with objectives spanning espionage, sabotage, and influence operations. Exercise scenarios draw on this threat actor ecosystem directly: the malware families these groups have deployed, the sectors they have targeted, and the techniques that have revealed evolving adversary capabilities and intentions all feed into the injects that participants work through.

Ukraine's cyber defense architecture, significantly strengthened with Western assistance through programs including the EU's Cyber Resilience for Ukraine project and bilateral cooperation with US Cyber Command, has demonstrated growing resilience against Russian operations. The Computer Emergency Response Team of Ukraine (CERT-UA) has published hundreds of threat intelligence advisories, contributing to global understanding of Russian cyber tactics, techniques, and procedures (TTPs). Tabletop findings inform this evolving defensive picture, highlighting where Ukrainian defenses have proven effective and where vulnerabilities remain.

The strategic calculation surrounding Russian cyber operations against critical infrastructure involves complex trade-offs between operational effect, attribution risk, and escalation management. Russia's decision to employ destructive wiper malware, distributed denial-of-service attacks, and infrastructure-targeting operations reflects a calibrated use of cyber as a coercive instrument alongside physical military operations. The international response, including intelligence sharing, cyber defense assistance, and potential offensive cyber operations by allied nations, shapes the cost-benefit calculations of Russian cyber strategists.

Lessons for Global Cybersecurity Policy

The cyber dimensions of the Russia-Ukraine conflict, including the exercise programs described here, have generated critical lessons for national cybersecurity strategies worldwide. The importance of pre-positioning defensive measures before conflict onset, the value of international cyber defense cooperation frameworks, the role of private sector cybersecurity companies in supporting national defense, and the limitations of cyber operations as a strategic coercive tool have all been illuminated by Ukrainian experience. These lessons are reshaping cybersecurity investment priorities, information sharing architectures, and incident response frameworks across NATO and partner nations.

Frequently Asked Questions

What are the main Russian cyber attacks on Ukraine?

Russia has conducted sustained cyber operations against Ukraine since at least 2014, with a major escalation in February 2022. Key campaigns include the NotPetya attack (2017), attacks on energy infrastructure, the Viasat hack at war's start, and continuous operations against government, military, and civilian targets throughout the full-scale invasion.

How has Ukraine defended against Russian cyber attacks?

Ukraine's cyber defense has benefited from pre-invasion preparation, assistance from Microsoft and other Western technology companies, CERT-UA operations, and the support of allied intelligence services. Ukraine also gained significant resilience by migrating government data to cloud infrastructure outside the country, a move enabled by a change to Ukrainian law days before the invasion and carried out as the invasion began.

What is the role of cyber warfare in the Ukraine conflict?

Cyber warfare in the Ukraine conflict operates alongside conventional military operations. Russia uses cyber attacks to disrupt infrastructure, spread disinformation, and support physical strikes, while Ukraine has developed offensive cyber capabilities to target Russian systems, including oil and gas infrastructure and military networks.

Who are the main cyber actors targeting Ukraine?

Russian state-affiliated cyber groups targeting Ukraine include Sandworm (GRU), APT28 (GRU), APT29 (SVR), Turla (FSB), and various GRU units. Ukrainian cyber forces, international volunteer hacker groups (IT Army of Ukraine), and allied intelligence cyber units operate on the Ukrainian side.

What can other countries learn from Ukraine's cyber defense?

Ukraine's cyber defense offers critical lessons: distributed cloud infrastructure reduces vulnerability to physical and cyber attacks, international information sharing accelerates threat response, pre-conflict preparation matters enormously, and the integration of civilian tech expertise with military cyber operations creates strategic advantages.