
Don't wait for 3am

Critical National Infrastructure Tabletop Exercises build the relationships that matter

Karis Bouher

70% of all cyberattacks in 2024 involved critical infrastructure.

That stark statistic from IBM’s X-Force 2025 Threat Intelligence Index captures the scale of the challenge facing Critical National Infrastructure (CNI) operators today. From healthcare systems to energy networks, transport infrastructure to water utilities, the organisations that underpin modern society are squarely in the crosshairs for a range of threat actors. Recent incidents underscore the urgency. In June 2024, a ransomware attack on Synnovis (a UK NHS pathology provider) resulted in thousands of missed appointments for patients and costs estimated at £32.7 million. In September 2024, Transport for London (TfL) faced a sophisticated cyberattack that cost £30 million, with £5 million spent on response efforts and enhanced cybersecurity measures.

Against this backdrop, we have noticed a marked increase in requests for Tabletop Exercises (TTXs) from critical infrastructure operators and we know this is not coincidental. As the threat landscape evolves and regulatory frameworks tighten, organisations responsible for essential services are recognising that preparation is not just prudent but increasingly mandatory.

What are TTXs and why do organisations do them?

Tabletop Exercises (TTXs) are structured, discussion-based sessions where teams work through a realistic, scenario-driven incident—such as a cyberattack, operational disruption, or multi‑agency crisis—without the pressure or complexity of a live simulation. Instead of deploying systems or running technology, participants sit together and talk through decisions, communication flows, and coordinated actions as the scenario unfolds. This creates a safe, low‑stress environment to explore ‘what if?’ situations, clarify roles and responsibilities, and test the organisation’s crisis management approach.

Organisations run TTXs because they expose the gaps that policies, documentation, and technical controls often miss. They reveal how well teams collaborate under ambiguity, whether escalation paths are understood, and how external stakeholders—suppliers, regulators, emergency responders—fit into the response. Crucially, TTXs build relationships and shared understanding long before a real incident occurs. When a genuine 3am crisis hits, you don’t want key decision‑makers meeting for the first time, debating responsibilities, or discovering that assumptions don’t match reality. By practising scenarios in a controlled setting, organisations improve readiness, strengthen coordination, refine response plans, and build confidence that when things go wrong, people know how to work together effectively.

Why CNI stakeholders benefit from TTXs

For CNI stakeholders, TTXs can illuminate interdependencies that may not be obvious in day-to-day operations.

Gaps and assumptions: In PGI’s experience running such scenarios, CNI stakeholders consistently discover assumptions about partner capabilities or response timelines that do not match reality.

Pressure test response plans: TTXs also provide a safe environment to evaluate incident response plans against evolving threats. While many organisations have excellent plans on paper, it is crucial to regularly review and revisit these to ensure they are pressure-tested against contemporary attack vectors: supply chain compromises, sophisticated social engineering campaigns targeting operational technology and AI-enhanced attack approaches.

Sensitise stakeholders: Most importantly, they help sensitise diverse stakeholders to the operational realities each faces, building the shared language and mutual understanding that prove invaluable when real incidents occur.

The regulatory imperative 

The surge in demand for TTXs is being driven in large part by evolving regulatory requirements. The EU's NIS2 Directive, which came into force in October 2024, includes provisions such as Article 9 that detail the adoption of national large-scale cybersecurity incident and crisis response planning, including exercises and training activities. In the UK, similar changes are underway. The Cyber Security and Resilience Bill, introduced to Parliament in November 2025, represents a strengthening of critical infrastructure cybersecurity requirements.

Why now?

Beyond regulatory requirements, PGI has identified several other factors that we believe are driving demand for CNI TTXs:

  • The rise of hybrid warfare, with CNI operators now facing coordinated campaigns combining cyber operations with physical disruption, information campaigns and economic pressure. From undersea cable sabotage in the Baltic Sea to attacks on industrial control systems, the threat landscape has fundamentally changed.
  • Malicious actors are expected to increasingly leverage AI to accelerate reconnaissance, automate social engineering attacks, and identify vulnerabilities in operational technology at unprecedented speed. The same AI tools that promise to improve defences are being weaponised to lower the barrier to sophisticated attacks on critical infrastructure.
  • Attacks increasingly target managed service providers and critical suppliers as entry points to CNI networks. Tabletop exercises now routinely involve third-party stakeholders to assess coordination across complex digital ecosystems.

The ROI case

The global average cost of a data breach was $4.5M (USD) in 2025. When we discuss ROI with clients, the financial case for a TTX can be compelling, with a well-designed exercise costing a fraction of a real incident. Data from IBM’s Cost of a Data Breach Report highlights that organisations that regularly conduct TTXs reduce data breach costs by an average of $2.66 million. Such a modest investment can identify gaps that, if discovered during a real incident, might cost millions in downtime, remediation, regulatory penalties, and reputational damage. The non-financial benefits can be equally substantial: improved stakeholder confidence, enhanced organisational resilience, clearer decision-making frameworks under pressure, and the relationships created between organisations that will need to coordinate during a real crisis.

The PGI TTX approach

  • We design exercises based on actual attack patterns and known adversary capabilities, not generic theoretical threats. When simulating attacks on operational technology, we incorporate real tactics, techniques and procedures observed in recent intrusions against industrial systems.
  • To create realism, every exercise introduces relevant injects of information. These are designed to push the scenario forward and force participants to make decisions under realistic pressure, simulating the unexpected developments that occur during real incidents.
  • Rather than dwelling on technical mechanics, we explore critical decision points: When do you notify regulators? How do you coordinate public communications? What criteria determine whether to shut down systems or keep them running?
  • Effective exercises require the right participants in the room: technical teams, executive leadership, communications, legal and, often, external partners including regulators and interdependent infrastructure operators. We collaborate with stakeholders across a range of cyber maturity levels, tailoring scenarios and facilitation approaches to ensure all participants can engage meaningfully and learn from each other's perspectives.
  • Through reflective discussions, each exercise concludes with clear recommendations for updating incident response plans, identifying capability or communications gaps, training requirements and a roadmap for ongoing improvement.

Preparing for tomorrow's threats

The threat environment facing CNI will continue evolving with nation-state and other malicious actors becoming more sophisticated in their targeting of operational technology and use of hybrid tactics. The interconnected nature of modern infrastructure means that single points of failure can trigger cascading disruptions across multiple essential services. TTXs offer one of the highest-return investments organisations can make in resilience and provide the evidence of due diligence that regulators increasingly expect, helping organisations demonstrate compliance whilst genuinely improving preparedness.

As PGI continues supporting CNI operators and stakeholders through these exercises, one pattern remains consistent: organisations that exercise regularly, involving the right stakeholders in realistic scenarios, respond more effectively when real incidents occur. In an environment where the question is not ‘if’, but ‘when’ your organisation faces a significant cyber or hybrid threat, that preparation can make all the difference.
