US cybersecurity experts determined that Russian hacking group Dragonfly targeted the United States and European utilities with a cyber espionage campaign from 2015 � 2017. This government sponsored group was able to successfully infiltrate core control systems. Cold War espionage methodologies such as �sleeper cells� are now being executed in the cyber domain. Industrial firms including power and water providers have proven to be susceptible to attacks and disruptions that could be used during a significant geopolitical conflict. Antiquated industrial control devices now connected to the internet make utilities in even the most advanced countries susceptible to everyone from hacktivists to cyber criminals to nation states. In these times, the question has shifted from �can they?� to �when will they?�. Using Indiana�s groundbreaking cybersecurity exercise Crit-Ex as an example, we explore exactly how vulnerable of utilities really are and how insights into incident response and resiliancy are discovered through complex training and exercises.