GaboonGrabber Scenario: SteelCorp Manufacturing Crisis
Scenario Details for IMs
Opening Presentation
“It’s Wednesday morning at SteelCorp Manufacturing, and the production floor is running at maximum capacity to meet Friday’s critical delivery deadline. The largest contract in company history depends on this schedule, with $200K daily penalties for delays. But since yesterday, several computers controlling production scheduling and vendor coordination have been running slowly, and supervisors are reporting issues with new ‘vendor efficiency software’ that appeared after responding to what seemed like legitimate supply chain optimization updates.”
Initial Symptoms to Present:
- “Production scheduling computers experiencing 30% performance degradation”
- “Supervisors report new ‘vendor coordination software’ requesting system access”
- “Plant staff received ‘supply chain optimization’ emails Tuesday evening”
- “Industrial control system displays showing intermittent connectivity warnings”
Key Discovery Paths:
Detective Investigation Leads:
- Email analysis reveals sophisticated spoofing of major manufacturing vendor communications
- File system investigation shows “VendorOptimizer.exe” and “SupplyChainTool.exe” on production systems
- Network forensics reveals unauthorized connections between office IT and operational technology networks
Protector System Analysis:
- Process monitoring detects unusual activity on systems connected to industrial controls
- Memory analysis shows injection attempts targeting production scheduling software
- Safety system integrity checks reveal potential access to critical control systems
Tracker Network Investigation:
- Network traffic analysis shows data flows from production planning systems to external servers
- DNS logs reveal queries to domains mimicking legitimate manufacturing vendor sites
- Communication pattern analysis shows coordinated targeting during peak production periods
Communicator Stakeholder Interviews:
- Plant supervisors admit installing vendor software quickly to optimize production efficiency
- Operations staff explain pressure to approve anything that might prevent production delays
- IT coordinator reveals expedited software approval due to “critical production requirements”
Mid-Scenario Pressure Points:
- Hour 1: Production line supervisor reports scheduling system glitches affecting shift coordination
- Hour 2: Major client calls demanding production status update and Friday delivery confirmation
- Hour 3: Operations director threatens to override any IT restrictions that slow production
- Hour 4: Safety system alerts indicate potential issues with environmental monitoring
Evolution Triggers:
- If containment affects production systems, daily output drops below contract requirements
- If OT network compromise occurs, worker safety systems become unreliable
- If response takes longer than 6 hours, production schedule cannot meet Friday deadline
Resolution Pathways:
Technical Success Indicators:
- Team identifies social engineering exploitation of production pressure and vendor trust
- Operational technology systems protected while maintaining production safety and efficiency
- Network segmentation prevents spread between IT and OT environments
Business Success Indicators:
- Production schedule maintained without compromising worker safety or system security
- Major client relationship preserved through effective crisis management and communication
- Contract delivery commitments met despite security incident challenges
Learning Success Indicators:
- Team understands how production pressure creates industrial cybersecurity vulnerabilities
- Participants recognize critical importance of OT/IT security integration
- Group demonstrates coordination between production operations, safety systems, and cybersecurity
Common IM Facilitation Challenges:
If Production Impact Is Ignored:
“Your security analysis is thorough, but the production floor just reported that scheduling delays might force overtime shifts, and Linda is demanding to know why ‘IT problems’ are affecting the contract delivery.”
If Safety Systems Are Overlooked:
“While you’re investigating network issues, the environmental monitoring system just displayed a safety alert. How do you ensure worker safety while responding to the cybersecurity incident?”
If Business Pressure Is Underestimated:
“The major client just called threatening contract cancellation if delivery is delayed. Sarah needs to know: can production continue safely, or do we risk losing our biggest customer?”