Critical infrastructure mainly performs its role through an industrial control system (ICS). Organizations conduct cyber exercises between red and blue teams, focusing on offense and defense. Practical exercises require explicit attack scenarios and corresponding defense strategies. However, systematic guides for deriving cyberattack scenarios or defense strategies still need to be improved. This paper proposes a guide for establishing realistic attack scenarios and defense strategies for cybersecurity exercises in ICS environments. Attack scenario generation is divided into four steps: generating attack references, deriving attack sequences, mapping threat information, and mapping vulnerable implementation patterns. Deriving a defensive strategy consists of two steps parallel to developing an attack scenario: deriving containment and eradication. The methodology we propose guides exercise planning based on a knowledge base, thereby assisting exercise planners in generating various scenarios and deriving clear defense strategies. We showed that a clear exercise plan could be established through a case study.