Cole Oursler, director of information services at Mountain View Electric Association, and Shira Dankner, director of security services at NineStar Connect, share best practices for running tabletop exercises with participants at NRECA’s Co-op Cyber Tech. (Photo By: Cathy Cash/NRECA)
What happens when a cybersecurity incident leads to a financial and regulatory nightmare?
This was the premise of a tabletop exercise designed by Shira Dankner, director of security services at NineStar Connect, to test the crisis response procedures of the Greenfield, Indiana-based electric cooperative’s board of directors.
As part of that drill, the cyberattack led to the co-op being audited. Its funding was frozen, forcing the board to wrestle with how to keep the co-op operating. Then social media blew up with members accusing the co-op of losing their data. A class-action lawsuit against the co-op was pending as were personal lawsuits against the board.
The last scenario injected into the exercise escalated the distress six months later with morale at an all-time low, staff leaving and the co-op’s hiring pool drying up.
The high-stakes nature of the exercise helped sustain the directors’ participation and achieve the goal of participants learning system vulnerabilities, defensive strategies and what decisions they may have to make under extreme pressure, Dankner said.
The drill “had to be something they cared about,” she said. “Everyone has to have something to do to pay attention.”
That was one of several valuable insights that Dankner and Cole Oursler, director of information services at Mountain View Electric Association, shared with participants at NRECA’s recent Co-op Cyber Tech.
Tabletops can test a co-op’s emergency plan activation, critical processes, communication channels and decision-making under stress, the veteran co-op exercise administrators said.
Dankner and Oursler underscored the importance of setting up tabletops with a specific goal to be tested, then determining how to test that goal and deciding who should participate in the exercise.
“Without a clear objective of the tabletop, it can be fruitless,” said Oursler.
A tabletop’s goal will help determine who from the co-op should participate, and even whether to include representatives from the FBI and federal, state and local emergency personnel.
“You’ve got to know the goals, the method, the people,” said Oursler. “Who are the right people? Should legal counsel and member services be in the room? One of your greatest keys to success is having the right people in the room.”
Methods for a tabletop can range from a story with injections of nerve-wracking developments and roleplaying to a card game like NRECA’s Backdoors & Breaches.
Exercises can also borrow from actual cyberattacks, like Volt Typhoon, the infamous China-linked state-sponsored actor that threatened utilities and other businesses.
“Use a real-world event,” said Dankner. “Never waste a crisis.”
Dankner and Oursler’s other tabletop do’s and don’ts included:
Give yourself enough time—about three to six months—to prepare the exercise.
Tap NRECA’s Cyber Champions for help.
Communicate the expectations and rules of participation well in advance.
Ensure that the exercise is a safe place to make decisions without judgment.
Encourage participants to take their own notes.
Be ready to inject scenarios to reduce tension in the room.
Leave time for a post-exercise discussion.
Dankner and Oursler told the group that tabletops are not about winning but learning where your co-op’s vulnerabilities lie so they can be addressed.
Dankner recommended asking participants three questions: What did you learn, what went well and what can be improved?
“The whole point is to find gaps,” she said.