GaboonGrabber Scenario: SteelCorp Manufacturing Crisis
Scenario Details for IMs
SteelCorp Manufacturing: Industrial Processor During Critical Contract Delivery
Quick Reference
- Organization: Industrial steel processing facility, 400 employees (80 production workers, 120 supervisors/technicians, 150 support staff, 50 administrative), 24/7 manufacturing operations with SCADA industrial control systems
- Key Assets at Risk: Worker safety systems (gas detection, temperature monitoring, equipment controls protecting 80 floor workers), Production continuity ($500K+ equipment damage risk, 4-6 week halt potential), Critical $15M annual client relationship
- Business Pressure: Friday delivery deadline (48 hours away) for largest contract in company history—$200K per day penalty clauses, 150 worker layoffs if contract terminates, client calling twice daily threatening termination
- Core Dilemma: Halt production for safety system verification protects 80 workers BUT guarantees contract penalties and potential termination, OR Continue production to meet deadline BUT risks worker injury if compromised environmental monitoring fails to detect hazardous conditions
Detailed Context
Organization Profile
- Type: Industrial steel processing and manufacturing facility
- Size: 400-employee facility (80 production workers, 120 supervisors and technicians, 150 support staff, 50 administrative personnel)
- Operations: Steel processing, hydraulic press operations, precision manufacturing, quality control, industrial supply chain coordination
- Critical Services: 24/7 production floor operations, industrial control systems (SCADA), environmental safety monitoring (gas detection, temperature control, air quality), equipment control systems (hydraulic presses, processing furnaces), manufacturing resource planning (MRP) systems
- Technology: Enterprise MRP/ERP system, SCADA industrial control systems, production scheduling software, vendor coordination platforms, IT-to-OT network connections (office systems connected to operational technology), environmental monitoring systems
SteelCorp Manufacturing is a mid-sized industrial steel processor serving construction and manufacturing sectors. The facility performs high-precision steel processing, hydraulic press operations, and quality-controlled manufacturing for industrial clients. Current status: Largest contract in company history requires 50% production increase through Q4, facility running at maximum capacity to meet Friday delivery deadline representing $15M annual client relationship.
Key Assets & Impact
What’s At Risk:
- Worker Safety Systems: Environmental monitoring (gas detection, air quality, temperature alerts) and equipment control systems (hydraulic press operations, processing furnace controls) protect 80 production floor workers—compromise of safety instrumented systems risks worker exposure to hazardous conditions, equipment failures causing injury, OSHA-reportable incidents with criminal liability if injuries occur
- Production Continuity & Industrial Controls: SCADA systems control steel processing parameters, hydraulic operations, and manufacturing timing—operational technology compromise during maximum production period risks equipment damage ($500K+ repair costs), 4-6 week production halt, contract termination and 150 worker layoffs
- Critical Business Relationship: Friday delivery deadline for $15M annual client relationship with $200K per day contract penalties—production halt or delay triggers penalties, potential contract termination, negative industry references affecting 30% of future bid opportunities in construction supply sector
Immediate Business Pressure
Wednesday morning, peak production for critical contract. SteelCorp activated maximum capacity operations for Q4 delivery schedule. All production lines running 24/7 to meet Friday deadline for major construction project. Largest contract in company history—$15M annual relationship with aggressive delivery requirements. Production floor supervisor reports 12 workstations across scheduling and vendor coordination experiencing performance degradation. Staff mention new “vendor efficiency software” appeared Tuesday evening after responding to supply chain optimization emails from apparent major vendor.
Mike Johnson (IT/OT Coordinator), investigating, discovers “VendorOptimizer.exe” and “SupplyChainTool.exe” running on production systems—the GaboonGrabber trojan actively attempting to access industrial control systems. Carlos Martinez (Plant Manager) admits expediting vendor software approval yesterday to avoid production delays. Linda Zhang (Operations Director) demanding production continue regardless of “IT issues”—Friday deadline represents company survival. Sarah Park (client project manager) calling twice daily, threatening contract penalties. IT discovers malware has accessed SCADA system credentials and is mapping industrial control networks. Environmental monitoring system displaying intermittent connectivity warnings. Hydraulic Press #3 showing abnormal equipment vibrations.
Critical Timeline:
- Current moment (Wednesday 9am): GaboonGrabber identified on production systems, SCADA credentials accessed, Friday delivery deadline in 48 hours
- Stakes: Worker safety systems potentially compromised, $200K daily contract penalties, $15M client relationship at risk, 400 employees dependent on contract continuation
- Dependencies: 80 workers on production floor requiring trustworthy safety monitoring, major construction project downstream depends on SteelCorp delivery (supply chain cascade), environmental monitoring integrity required for OSHA compliance and worker protection, client relationship critical to 30% of company revenue
Cultural & Organizational Factors
Why This Vulnerability Exists:
- Production schedule overrides security verification: SteelCorp organizational culture dictates “operational responsiveness” as key performance indicator—Linda’s directive to “approve anything that prevents delays” created measurable incentive to bypass security review. Monthly operations meetings track approval speed as success metric. Mike admits bypassing normal vendor verification process for anything labeled “efficiency” or “optimization” during production crunch. Result: vendor software installed in hours without security analysis.
- IT/OT coordinator role stretched impossibly thin: Mike manages both information technology (office networks, email, administrative systems) and operational technology (SCADA, industrial controls, safety monitoring). No dedicated OT security expertise, no industrial control system training, minimal resources for manufacturing cybersecurity. Proposed network segmentation between IT and OT systems rejected as “too expensive” and “operationally restrictive.” IT-to-OT connections maintained for “workflow efficiency.”
- Production deadline pressure weaponized by attacker: GaboonGrabber campaign precisely timed for Q4 contract deadline—phishing emails Tuesday evening during maximum production stress. Attacker researched public contract announcements and manufacturing job postings (companies advertise production positions during high-output periods). Social engineering exploited understanding that operations staff approve vendor requests instantly during deadline pressure without security scrutiny.
- Industrial control system security gap: SteelCorp invested in IT security (firewalls, email filtering, endpoint protection) but minimal OT security. SCADA systems have no dedicated monitoring, safety instrumented systems lack integrity verification, environmental monitoring systems assumed trustworthy without validation. Vendor software can access both IT and OT networks through uncontrolled bridging connections.
Operational Context
How This Manufacturing Facility Actually Works:
SteelCorp operates under perpetual production pressure—construction industry contracts demand aggressive schedules with penalty clauses. The $15M client relationship represents largest contract ever secured. Management’s “operational responsiveness” culture means vendor software approval measured in hours not days. IT/OT coordinator is single person responsible for both office networks and industrial control systems—proposed OT security initiatives postponed for “when less busy” (never arrives during contract season). Network architecture reflects operational convenience over security: MRP systems directly connected to SCADA networks so production scheduling can interface with equipment controls. The gap between written policy (comprehensive vendor verification) and operational reality (instant approval during deadlines) created perfect conditions for GaboonGrabber exploitation.
Key Stakeholders
- Carlos Martinez (Plant Manager) - Under extreme pressure to meet production quotas, expedited vendor software approval, represents frontline management caught between safety and deadlines
- Linda Zhang (Operations Director) - Focused entirely on Friday deadline, initially dismisses security concerns as “IT paranoia,” demonstrates operations-first mentality
- Mike Johnson (IT/OT Coordinator) - Managing both IT and OT with inadequate resources, admits to approval bypass under pressure, reveals stretched capacity
- Sarah Park (Major Client Project Manager) - Calling twice daily for updates, threatens contract penalties and termination, represents $15M relationship and industry reputation pressure
Why This Matters
You’re not just responding to a trojan—you’re protecting industrial worker safety systems while preventing the collapse of a company’s largest contract. Environmental monitoring systems that detect gas leaks and temperature hazards cannot be trusted until verified—but verification halts production and guarantees contract penalties. SCADA systems controlling hydraulic presses and processing furnaces may be compromised—continuing production risks equipment damage and worker injury. The client threatens contract termination if Friday deadline is missed—but OSHA requires safety verification before production resumption after monitoring compromise. 150 families depend on this company’s survival. There’s no option that protects workers AND meets the deadline AND preserves the contract. You must choose what matters most under crushing time pressure.
IM Facilitation Notes
- This is operational technology (OT) security, not just IT security: Players often focus on office network containment—redirect to industrial control systems. SCADA compromise means worker safety, not just data theft. Environmental monitoring integrity is life-safety critical.
- Production pressure is authentic manufacturing reality: Don’t let players dismiss Linda’s deadline focus as unreasonable. Construction contracts have penalty clauses. $200K/day is real consequence. Company survival depends on client relationships. This is normal industrial pressure that creates security vulnerabilities.
- Worker safety trumps everything: If players propose “continue production while investigating,” remind them environmental monitoring (gas detection, temperature alerts) potentially compromised. Cannot verify safety systems while using them in active production. OSHA liability if injury occurs.
- IT/OT coordinator role is common challenge: Mike isn’t incompetent—he’s resource-constrained. Many manufacturers have single person managing both IT and OT without proper training or tools. This is systemic industrial cybersecurity problem, not individual failure.
- No winning choice exists: Full safety verification misses deadline and loses contract. Production continuation risks worker injury. Partial approaches balance risk but don’t eliminate it. Force players to make difficult trade-offs with imperfect information and defend their priorities.
Opening Presentation
“It’s Wednesday morning at SteelCorp Manufacturing, and the production floor is running at maximum capacity to meet Friday’s critical delivery deadline. The largest contract in company history depends on this schedule, with $200K daily penalties for delays. But since yesterday, several computers controlling production scheduling and vendor coordination have been running slowly, and supervisors are reporting issues with new ‘vendor efficiency software’ that appeared after responding to what seemed like legitimate supply chain optimization updates.”
Initial Symptoms to Present:
Key Discovery Paths:
Detective Investigation Leads:
Protector System Analysis:
Tracker Network Investigation:
Communicator Stakeholder Interviews:
Mid-Scenario Pressure Points:
- Hour 1: Production line supervisor reports scheduling system glitches affecting shift coordination
- Hour 2: Major client calls demanding production status update and Friday delivery confirmation
- Hour 3: Operations director threatens to override any IT restrictions that slow production
- Hour 4: Safety system alerts indicate potential issues with environmental monitoring
Evolution Triggers:
- If containment affects production systems, daily output drops below contract requirements
- If OT network compromise occurs, worker safety systems become unreliable
- If response takes longer than 6 hours, production schedule cannot meet Friday deadline
Resolution Pathways:
Technical Success Indicators:
- Team identifies social engineering exploitation of production pressure and vendor trust
- Operational technology systems protected while maintaining production safety and efficiency
- Network segmentation prevents spread between IT and OT environments
Business Success Indicators:
- Production schedule maintained without compromising worker safety or system security
- Major client relationship preserved through effective crisis management and communication
- Contract delivery commitments met despite security incident challenges
Learning Success Indicators:
- Team understands how production pressure creates industrial cybersecurity vulnerabilities
- Participants recognize critical importance of OT/IT security integration
- Group demonstrates coordination between production operations, safety systems, and cybersecurity
Common IM Facilitation Challenges:
If Production Impact Is Ignored:
“Your security analysis is thorough, but the production floor just reported that scheduling delays might force overtime shifts, and Linda is demanding to know why ‘IT problems’ are affecting the contract delivery.”
If Safety Systems Are Overlooked:
“While you’re investigating network issues, the environmental monitoring system just displayed a safety alert. How do you ensure worker safety while responding to the cybersecurity incident?”
If Business Pressure Is Underestimated:
“The major client just called threatening contract cancellation if delivery is delayed. Sarah needs to know: can production continue safely, or do we risk losing our biggest customer?”
Success Metrics for Session:
Planning Resources
Template Compatibility
Quick Demo (35-40 min)
- Rounds: 1
- Actions per Player: 1
- Investigation: Guided
- Response: Pre-defined
- Focus: Use the “Hook” and “Initial Symptoms” to quickly establish manufacturing production crisis. Present the “Guided Investigation Clues” at 5-minute intervals. Offer the “Pre-Defined Response Options” for the team to choose from. Quick debrief should focus on recognizing production deadline pressure vulnerabilities and operational technology protection.
Lunch & Learn (75-90 min)
- Rounds: 2
- Actions per Player: 2
- Investigation: Guided
- Response: Pre-defined
- Focus: This template allows for deeper exploration of industrial cybersecurity challenges. Use the full set of NPCs to create realistic production deadline pressures. The two rounds allow GaboonGrabber to progress toward operational technology systems, raising stakes. Debrief can explore balance between production continuity and security controls.
Full Game (120-140 min)
- Rounds: 3
- Actions per Player: 2
- Investigation: Open
- Response: Creative
- Focus: Players have freedom to investigate using the “Key Discovery Paths” as IM guidance. They must develop response strategies balancing production schedules, worker safety systems, OT/IT security integration, and major client relationships. The three rounds allow for full narrative arc including villain’s manufacturing-specific multi-stage attack plan.
Advanced Challenge (150-170 min)
- Rounds: 3
- Actions per Player: 2
- Investigation: Open
- Response: Creative
- Complexity: Add red herrings (e.g., legitimate vendor software updates causing unrelated production issues). Make containment ambiguous, requiring players to justify production-facing decisions with incomplete information. Remove access to reference materials to test knowledge recall of industrial control system and OT security principles.
Quick Demo Materials (35-40 min)
Guided Investigation Clues
Clue 1 (Minute 5): “You discover that 12 production scheduling and vendor coordination workstations received emails Tuesday evening from ‘SupplyChain-Optimization@majorvendor-portal.com’ with urgent instructions to install ‘vendor efficiency tools’ to meet increased production demands. Email analysis reveals sophisticated spoofing of legitimate manufacturing vendor communications.”
Clue 2 (Minute 10): “File system investigation shows ‘VendorOptimizer.exe’ and ‘SupplyChainTool.exe’ running on production systems. These executables lack valid vendor digital signatures and are establishing connections between office IT systems and operational technology networks controlling manufacturing processes.”
Clue 3 (Minute 15): “Process monitoring reveals GaboonGrabber trojan with injection attempts targeting production scheduling software. The malware is conducting reconnaissance of industrial control system access and attempting to establish persistent access to systems connected to manufacturing floor operations and safety monitoring.”
Pre-Defined Response Options
Option A: Full System Isolation & Production Safety Priority
- Action: Immediately isolate affected workstations, remove GaboonGrabber from all systems, implement network segmentation between IT and OT environments, establish secure production scheduling with safety system verification.
- Pros: Completely removes threat and protects worker safety systems; establishes proper IT/OT security boundaries for manufacturing.
- Cons: May require temporary production adjustments; Friday deadline might need client communication about minor schedule impacts.
- Type Effectiveness: Super effective against Trojan type malmons like GaboonGrabber in industrial environments.
Option B: Selective Quarantine & Production Continuity Focus
- Action: Quarantine confirmed compromised systems, implement enhanced monitoring on production network, maintain manufacturing schedule using verified clean systems while accelerating malware removal.
- Pros: Allows continued production toward Friday deadline; protects major client relationship while addressing security threat.
- Cons: Maintains some operational risk during investigation; requires continuous monitoring of production systems during high-output period.
- Type Effectiveness: Moderately effective against Trojan threats; balances production continuity with security response.
Option C: Network Segmentation & Monitoring Enhancement
- Action: Implement emergency network segmentation preventing IT-to-OT lateral movement, deploy enhanced monitoring on industrial control systems, continue production with increased safety system oversight.
- Pros: Protects critical operational technology and worker safety systems; maintains Friday production deadline.
- Cons: Doesn’t remove existing malware from production planning systems; allows GaboonGrabber potential access to manufacturing data during continued operations.
- Type Effectiveness: Partially effective against Trojan type malmons; contains but doesn’t eliminate threat.
Lunch & Learn Materials (75-90 min, 2 rounds)
Round 1: Discovery & Identification (30-35 min)
Investigation Clues:
Clue 1 (Minute 5): Carlos Martinez (Plant Manager) reports that 12 staff members across production scheduling and vendor coordination received “URGENT: Supply Chain Optimization Required” emails Tuesday evening from “SupplyChain-Optimization@majorvendor-portal.com” (the legitimate vendor domain is majorvendor.com). During the contract deadline crunch, staff clicked through thinking it was a required vendor efficiency update.
Clue 2 (Minute 10): File analysis discovers “VendorOptimizer.exe” and “SupplyChainTool.exe” running on production scheduling workstations. Memory forensics shows process injection into manufacturing resource planning (MRP) software - this is GaboonGrabber trojan specifically targeting industrial production systems.
Clue 3 (Minute 15): Network monitoring reveals GaboonGrabber has discovered IT-to-OT network connections and is attempting to access industrial control systems (ICS). It’s mapping SCADA systems controlling steel processing temperatures, hydraulic press operations, and environmental safety monitoring. The OT network wasn’t properly segmented from office IT.
Clue 4 (Minute 20): Linda Zhang (Operations Director) calls emergency meeting demanding production continue regardless of “IT issues” - Friday deadline represents $15M client relationship and $200K/day penalties. Meanwhile, Mike Johnson (IT/OT Coordinator) admits he expedited vendor software approval yesterday to avoid production delays. Sarah Park (client project manager) emails threatening contract termination if Friday delivery is missed.
Response Options (Choose One):
- Option A: Emergency IT/OT Separation + Worker Safety Priority
- Action: Immediately isolate infected workstations, implement emergency air-gap between IT and OT networks, shut down IT-to-OT connections, verify all safety systems (temperature monitors, hydraulic controls, environmental sensors) are uncompromised before resuming production
- Pros: Guarantees worker safety; prevents GaboonGrabber from accessing industrial control systems; establishes proper OT security architecture
- Cons: Requires 8-12 hours of production halt for safety verification; Friday deadline likely missed; $200K+ in contract penalties; Linda threatens to escalate to CEO; Sarah may terminate contract
- Business Impact: Worker safety protected but major client relationship at risk; contract penalties significant
- Type Effectiveness: Super effective against Trojan type malmons - prevents OT compromise
- Option B: Rapid Forensics + Parallel Production Verification
- Action: Quarantine infected IT systems, deploy emergency OT security monitoring, conduct rapid forensics to confirm whether ICS systems were accessed, maintain production with enhanced safety oversight and manual verification protocols
- Pros: Balances worker safety with production continuity; allows Friday deadline if forensics confirm OT systems clean; preserves client relationship
- Cons: GaboonGrabber remains active on quarantined IT systems during investigation; risk if forensics later reveal OT compromise; manual safety verification slows production 15-20%
- Business Impact: Friday deadline possible with overtime; client relationship managed; some efficiency loss acceptable
- Type Effectiveness: Moderately effective against Trojan type malmons - contains but doesn’t immediately remove
- Option C: Network Segmentation + Production Priority
- Action: Implement emergency firewall rules blocking IT-to-OT traffic, deploy ICS monitoring tools, continue full production schedule with “heightened awareness”
- Pros: Fastest response; maintains Friday deadline; keeps Linda and Sarah satisfied; no contract penalties; demonstrates production commitment
- Cons: GaboonGrabber’s fileless techniques may have already accessed OT systems before segmentation; doesn’t address root compromise; continuing without safety verification risks worker injury if environmental monitors compromised
- Business Impact: Client relationship preserved; contract intact; but worker safety uncertain
- Type Effectiveness: Partially effective against Trojan type malmons - containment without verification
Round Transition Guidance:
After Round 1 response, GaboonGrabber’s next stage activates based on team’s choice:
If Option A (IT/OT Separation): Round 2 focuses on managing client crisis (Sarah Park threatening contract termination), explaining production halt rationale to Linda Zhang who doesn’t understand cybersecurity risks, and pressure from 150 production workers worried about overtime/layoffs if contract lost.
If Option B (Parallel Verification): Round 2 reveals forensics found GaboonGrabber accessed SCADA system credentials - can’t confirm if ICS was compromised without multi-day audit. Race to complete verification before Friday deadline while maintaining safe production and managing Sarah’s escalating demands for delivery confirmation.
If Option C (Production Priority): Round 2 discovers environmental monitoring system displayed false “normal” readings for 6 hours - GaboonGrabber had accessed temperature sensors. Actual steel processing temperature exceeded safe limits, risking equipment damage and worker burns. Now must address safety incident, equipment verification, and potential OSHA reporting while Linda still demands Friday delivery.
Round 2: Safety Verification & Production Impact (30-35 min)
Investigation Clues:
Clue 5 (Minute 35): Forensic reconstruction shows GaboonGrabber was active for 26 hours before detection. During that window, it accessed production scheduling data, vendor coordination systems, and discovered credentials for SCADA systems controlling: hydraulic press operations, steel processing temperature control, and environmental safety monitoring (gas detection, air quality, temperature alerts).
Clue 6 (Minute 40): Industrial safety consultant explains: if environmental monitoring was compromised, OSHA requires immediate incident reporting, safety system verification before production resumption, and potential workplace inspection. Equipment damage from incorrect processing parameters could require multi-week repairs ($500K+ cost). Worker injury from compromised safety systems triggers mandatory investigation.
Clue 7 (Minute 50): Mike Johnson reveals the production pressure culture - Linda’s directive to “approve anything that prevents delays” led IT/OT to bypass normal vendor verification for anything labeled “efficiency” or “optimization.” Monthly production meetings track “operational responsiveness” as KPI, creating organizational pressure to approve vendor requests instantly without security review.
Clue 8 (Minute 55): Linda Zhang escalates to CEO, demanding production resume immediately regardless of “theoretical security risks.” 150 production workers are in breakroom waiting for direction - potential overtime or early dismissal, affecting family schedules and income. Sarah Park (client) has called CEO directly threatening not just contract termination but negative industry references that could affect future bids. Operations team reports abnormal equipment vibrations in Hydraulic Press #3 - possibly related to compromised control parameters.
Response Options (Choose One):
- Option A: Complete Safety Verification + Transparent Client Communication
- Action: Conduct comprehensive safety system audit before production resumption (12-24 hours), inspect all equipment for parameter-related damage, file OSHA incident report documenting potential monitoring compromise, notify client of safety-driven delay with revised delivery timeline
- Pros: Guarantees worker safety; protects against equipment damage; demonstrates safety-first organizational values; OSHA compliant
- Cons: Friday deadline missed; $200K+ contract penalties; potential contract termination; 150 workers lose overtime pay; CEO faces board questions about $15M client relationship
- Business Impact: Safety preserved but major business consequences; industry reputation for reliability damaged
- Type Effectiveness: Super effective against Trojan type malmons - ensures OT integrity before resuming operations
- Option B: Accelerated Verification + Weekend Recovery
- Action: Conduct priority safety system checks (temperature monitoring, gas detection - 4-6 hours), inspect critical equipment (hydraulic systems, processing controls), request client approval for Saturday delivery (1-day delay, reduced penalties), deploy triple-shift weekend production if safety clearance obtained
- Pros: Balances safety verification with business continuity; reduces contract penalties to $200K (vs $400K+); demonstrates good-faith effort to client; workers get Saturday overtime pay
- Cons: Accelerated verification may miss subtle compromise indicators; 1-day delay still triggers penalties and client dissatisfaction; weekend production increases labor costs
- Business Impact: Managed compromise - safety reasonably verified, client relationship strained but salvageable, financial impact significant but not catastrophic
- Type Effectiveness: Moderately effective against Trojan type malmons - prioritized verification with some risk
- Option C: Production Resumption + Minimal Disclosure
- Action: Resume production immediately after basic equipment checks, describe situation to client as “routine maintenance” (minimal details), commit to Friday delivery, implement enhanced monitoring going forward
- Pros: Friday deadline met; no contract penalties; client satisfaction maintained; worker overtime preserved; CEO avoids board scrutiny
- Cons: Potential OSHA violation (resuming without proper safety verification after monitoring compromise); worker safety risk if hidden equipment damage exists; legal liability if injury occurs; ethically problematic given known compromise
- Business Impact: Short-term business preservation; catastrophic risk if safety incident occurs
- Type Effectiveness: Ineffective against Trojan type malmons - doesn’t verify OT integrity; safety and regulatory failure
IM Facilitation Notes:
This round introduces industrial safety and operational technology security complexity. Players must balance:
- Worker safety (mandatory priority) vs. production deadlines (business survival)
- OSHA compliance (regulatory requirement) vs. client relationship (revenue)
- Equipment integrity verification (prevent $500K damage) vs. aggressive schedule (meet Friday deadline)
- Transparent communication (demonstrates values) vs. minimal disclosure (preserves contracts)
Key Discussion Points:
- What are the consequences of worker injury vs. contract loss?
- How does “operational responsiveness” culture create OT security vulnerabilities?
- When do production pressures override safety verification requirements?
- How do you explain cybersecurity-driven safety concerns to operations-focused leadership?
Full Game Materials (120-140 min, 3 rounds)
Investigation Sources Catalog
System Logs & Forensics:
- Email server logs: Phishing campaign targeting production and vendor coordination staff (sender spoofing, deadline timing analysis)
- EDR telemetry: Process injection into MRP software, memory-resident malware behavior
- OT network logs: IT-to-OT traffic patterns, SCADA system access attempts, ICS credential discovery
- SCADA system logs: Industrial control system queries, parameter access, setpoint viewing
- Production scheduling logs: What manufacturing data GaboonGrabber accessed, production timelines, vendor coordination details
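As an added example (not part of the scenario materials), this is the kind of check behind the “OT network logs” item above and Clue 3: flagging office-to-OT flows in a firewall export and spotting a single office host sweeping several OT hosts. The subnet plan, the industrial port table, and the log format are assumptions; the log lines are constructed.

```python
"""Added example, not from the SteelCorp scenario: flag IT-to-OT traffic in a
constructed firewall/flow export. Subnets, ports and log format are assumptions."""
import ipaddress
import re
from collections import defaultdict

# Assumed address plan (not from the scenario): office IT = 10.10.0.0/16,
# OT/SCADA segment = 10.20.0.0/16.
IT_NETS = [ipaddress.ip_network("10.10.0.0/16")]
OT_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Common industrial protocol ports. An office host reaching these is the
# "IT-to-OT connection" Clue 3 describes; any other IT-to-OT flow is still
# a segmentation violation, just a less specific one.
ICS_PORTS = {
    102: "S7comm (ISO-TSAP)",
    502: "Modbus/TCP",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP",
}

# Constructed export: "<timestamp> <ALLOW|DENY> <src>:<sport> -> <dst>:<dport> <proto>"
SAMPLE_LOG = """\
2024-01-01T08:41:02 ALLOW 10.10.5.23:51422 -> 10.10.1.10:445 TCP
2024-01-01T08:41:07 ALLOW 10.10.5.23:51430 -> 10.20.3.11:502 TCP
2024-01-01T08:41:08 ALLOW 10.10.5.23:51431 -> 10.20.3.12:502 TCP
2024-01-01T08:41:09 ALLOW 10.10.5.23:51432 -> 10.20.3.40:44818 TCP
2024-01-01T08:41:12 DENY 10.10.5.23:51433 -> 10.20.9.2:4840 TCP
2024-01-01T08:42:00 ALLOW 10.20.3.11:502 -> 10.20.3.50:502 TCP
2024-01-01T08:43:15 ALLOW 10.10.7.8:60000 -> 10.20.3.11:3389 TCP
2024-01-01T08:44:00 ALLOW 10.10.9.9:55000 -> 8.8.8.8:53 UDP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)


def in_any(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def parse_line(line):
    """Parse one export line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flow = m.groupdict()
    flow["sport"] = int(flow["sport"])
    flow["dport"] = int(flow["dport"])
    return flow


def classify(flow):
    """Return a finding for an IT-to-OT flow, or None if it crosses no boundary."""
    if not (in_any(flow["src"], IT_NETS) and in_any(flow["dst"], OT_NETS)):
        return None
    proto_name = ICS_PORTS.get(flow["dport"])
    return {
        "ts": flow["ts"],
        "src": flow["src"],
        "dst": flow["dst"],
        "dport": flow["dport"],
        "allowed": flow["action"] == "ALLOW",
        # Industrial protocol from an office host: high. Other IT-to-OT traffic: medium.
        "severity": "high" if proto_name else "medium",
        "protocol": proto_name or "non-ICS",
    }


def analyze(log_text, recon_threshold=3):
    """Return all IT-to-OT findings and the sources touching >= recon_threshold OT hosts."""
    findings = []
    for line in log_text.splitlines():
        flow = parse_line(line)
        if flow is None:
            continue
        finding = classify(flow)
        if finding:
            findings.append(finding)
    ot_targets = defaultdict(set)
    for f in findings:
        ot_targets[f["src"]].add(f["dst"])
    recon_sources = sorted(src for src, dsts in ot_targets.items() if len(dsts) >= recon_threshold)
    return findings, recon_sources


if __name__ == "__main__":
    findings, recon = analyze(SAMPLE_LOG)
    for f in findings:
        state = "allowed" if f["allowed"] else "blocked"
        print(f'{f["ts"]} {f["severity"]:6} {f["src"]} -> {f["dst"]}:{f["dport"]} {f["protocol"]} ({state})')
    print("sources sweeping the OT segment:", recon)
```

A denied flow still counts as a finding: the firewall stopping one probe does not change that an office host is trying to reach the OT segment, which is the signal to act on.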
Industrial Systems & Safety:
- ICS access logs: What industrial control systems were queried (hydraulic, temperature, environmental monitoring)
- Safety system verification: Environmental monitors (gas detection, air quality), temperature controls, pressure sensors - integrity status
- Equipment diagnostics: Hydraulic Press #3 vibrations, processing parameter deviations, potential compromise indicators
- Production floor reports: Worker observations of system behavior, unusual equipment responses, safety alert history
- Vendor communications: Legitimate vendor update history - when do real vendors communicate? What’s normal approval process?
Stakeholder Interviews & Culture:
- Carlos Martinez (Plant Manager): Reveals production pressure, explains vendor software approval bypass, represents frontline management caught between safety and deadlines
- Linda Zhang (Operations Director): Demonstrates operations-first mentality, initially dismisses security concerns as “IT paranoia,” represents business pressure
- Mike Johnson (IT/OT Coordinator): Explains IT/OT security challenges, admits to bypass under pressure, reveals inadequate OT security resources
- Sarah Park (Client Project Manager): Business perspective - contract penalties, industry reputation, alternative vendor threats
- Production Workers (80 floor workers; 150 jobs at risk if the contract is lost): Personal impact - overtime income, family schedules, workplace safety trust, job security if contract lost
Technical Analysis:
- Infected workstation forensics: GaboonGrabber capabilities specific to manufacturing (MRP integration, ICS credential harvesting)
- OT compromise assessment: Did malware actually access SCADA systems? Were control parameters modified? Definitive answers require extensive analysis
- Network segmentation review: Why was IT connected to OT? What’s the proper industrial architecture? How to implement safe separation?
- Safety system integrity: Can temperature monitors, gas detectors, pressure sensors be trusted? Verification timeline and cost
Production & Safety Impact:
- Friday deadline analysis: Can it be met with safety verification? What’s minimum verification required? Saturday delivery feasible?
- Contract penalty structure: $200K/day delay penalties, but what triggers termination? Can the relationship be salvaged with transparency?
- Worker safety risk: What are actual risks if environmental monitoring compromised? Historical incident precedents
- Equipment damage assessment: Hydraulic Press #3 vibrations - GaboonGrabber-related or coincidental? Inspection requirements
- OSHA reporting: When is incident report required? What triggers mandatory inspection? Penalties for non-compliance vs. production resumption without verification
Vendor & Client Context:
- GaboonGrabber threat intelligence: Known industrial sector targeting, typical OT exploitation patterns
- Manufacturing vendor practices: How do legitimate vendors communicate? What’s normal software update process?
- Client relationship: Sarah’s industry influence, alternative vendors’ capabilities, contract language around force majeure/safety incidents
- Industry safety standards: ISA/IEC 62443 OT security guidance, OSHA manufacturing safety requirements
- Similar incidents: Other manufacturing breaches, safety incidents from compromised ICS, business impact case studies
Response Evaluation Criteria
Type-Effective Approaches (Trojan/Stealth Malmons in OT):
- Complete IT/OT separation: Air-gapping, or a default-deny firewall boundary that permits only the specific flows production actually needs, removes the path the malware is using to reach industrial control systems (a "strict" firewall that still allows RDP, SMB or Modbus from the office network is not separation)
- Comprehensive safety system verification: Confirming environmental monitors and controls haven’t been compromised before production resumption
- ICS credential rotation: Changing SCADA, HMI and engineering-workstation passwords that were stored on, or typed at, infected IT workstations; treat every such credential as exposed even where exfiltration cannot be proven
- OT network monitoring: Deploy industrial-specific monitoring to detect unusual ICS activity
- Equipment parameter verification: Confirming production controls (temperature, pressure, timing) haven’t been modified
Common Effective Strategies:
- Worker safety first: Prioritizing safety verification over production deadlines demonstrates organizational values
- Transparent client communication: Explaining safety-driven delays with technical rationale maintains long-term trust
- OSHA compliance: Filing incident reports demonstrates regulatory maturity
- Cultural assessment: Addressing “operational responsiveness over security” mindset prevents recurrence
- IT/OT security integration: Establishing proper OT security architecture with Mike’s leadership
Common Pitfalls:
- Signature-based detection in OT: Industrial control systems often can’t run traditional antivirus - behavioral monitoring required
- Production pressure capitulation: Resuming operations without safety verification risks worker injury
- Equipment risk dismissal: “Hydraulic Press vibrations are probably unrelated” - ignoring potential compromise indicators
- Client relationship prioritization: “We can’t lose $15M contract” overriding “we can’t injure workers”
- Compliance minimization: Not filing OSHA report because "nothing actually happened" (but the safety monitoring layer may have been compromised and its integrity was in doubt)
Adjudicating Novel Approaches
Hybrid Solutions (Encourage with Guidance):
“We’ll implement parallel production on verified-safe equipment while auditing potentially compromised systems” → “Yes, and… that maintains partial production while ensuring safety. Which equipment can you verify quickly enough to meet some Friday deadline? How do you communicate partial delivery to Sarah?”
“We’ll propose Saturday delivery with expedited shipping at our cost to offset client penalties” → “Creative business solution. What’s expedited shipping cost vs $200K penalty? Does absorbing costs demonstrate good faith to Sarah? How does this affect future contract negotiations?”
“We’ll engage OT security specialists to provide rapid safety system assessment with written certification” → “Yes, that provides third-party validation for both safety and client communication. What’s cost and timeline for OT security rapid response? Does certification satisfy OSHA requirements?”
Creative But Problematic (Redirect Thoughtfully):
“We’ll blame the production halt on ‘routine safety inspection’ to avoid explaining cyber incident to client” → “That avoids uncomfortable conversation, but Sarah asks: ‘Why wasn’t routine inspection scheduled to avoid contract deadline?’ How do you answer? What if she discovers the real reason later - how does that affect trust?”
“We’ll resume production and handle safety verification in parallel to meet Friday deadline” → “That maintains schedule, but safety consultant explains you can’t verify environmental monitoring systems while actively using them in production. How do you confirm gas detectors work without test cycles? What’s risk if hidden compromise triggers injury during production?”
“We’ll focus on verifying safety-critical systems only (temperature, pressure) and skip production scheduling/MRP remediation until after Friday” → “That prioritizes safety, but GaboonGrabber remains on IT systems with OT network access. What prevents it from using established access later? How do you defend ‘temporary’ compromise to investigators if incident occurs?”
Risk Assessment Framework:
When players propose novel approaches, evaluate:
- Worker Safety: Does this ensure environmental monitoring and equipment controls are trustworthy?
- OSHA Compliance: Does this meet regulatory requirements for incident response and safety verification?
- Equipment Integrity: Does this prevent $500K+ damage from compromised control parameters?
- Business Viability: Does this preserve $15M client relationship while meeting safety obligations?
- Long-term Security: Does this establish proper OT security architecture to prevent recurrence?
Example Adjudication:
Player Proposal: “We’ll conduct ‘red light/green light’ verification - test critical safety systems (temperature monitors, gas detectors) with physical verification equipment, mark as ‘green’ for production use. Systems we can’t quickly verify stay ‘red’ (offline). Run Friday production only on green-marked equipment.”
IM Response: “Interesting tiered approach. What percentage of production capacity can you verify by Friday? Safety consultant notes physical verification of temperature monitors takes 2-3 hours per system, gas detectors 1 hour each - you have 15 systems total. Can you verify enough for partial Friday delivery? How do you explain reduced delivery volume to Sarah - is it partial breach of contract?”
Guidance for Players: Encourage them to calculate realistic verification timeline (4-6 critical systems can be verified in 12 hours), propose partial Friday delivery (60% capacity), negotiate Saturday completion of remainder. Frame as “safety-validated production” to Sarah - demonstrates responsibility while showing good-faith effort.
Advanced Challenge Materials (150-170 min, 3 rounds)
Complexity Layer: Ambiguous Evidence
Subtle Indicators:
- Partial SCADA Logs: Industrial control system logging was not comprehensive - can confirm GaboonGrabber queried ICS credentials, but can’t determine if controls were actually accessed or modified
- Equipment Anomalies: Hydraulic Press #3 vibrations detected, but could be: (1) GaboonGrabber modifying control parameters, (2) normal wear-and-tear coincidental timing, or (3) maintenance oversight unrelated to breach
- Environmental Monitor Uncertainty: Temperature logs show readings within normal range, but can’t confirm if sensors were displaying accurate data or false “safe” readings from compromised monitoring
- Timeline Ambiguity: Phishing emails sent Tuesday evening, but some OT network logs show unusual queries Monday night - earlier compromise or log timezone confusion?
- Production Parameter Questions: Some steel processing batches showed 2-3% quality variations this week - within normal tolerance, but could indicate subtle temperature control compromise
Incomplete Information:
- Unknown ICS Impact: Can’t determine whether SCADA systems were actually compromised without multi-day offline forensic analysis (halts all production for verification)
- Credential Harvesting Scope: GaboonGrabber accessed IT systems with ICS credentials, but can’t confirm if those credentials were exfiltrated, used, or just viewed
- Safety System Trust: Environmental monitoring displayed “normal” readings during breach window, but can’t verify sensor accuracy without physical calibration tests (3-4 hours per sensor, 15 sensors total)
- Client Flexibility Unknown: Don’t know if Sarah/client would accept safety-justified delay, partial delivery, or if any deviation triggers contract termination
Technical Ambiguity:
- Persistent OT Access: Found GaboonGrabber on IT systems attempting OT access - but was IT/OT segmentation sufficient to block access? Or did malware establish backdoor in SCADA systems before detection?
- AgentTesla Deployment: Threat intelligence indicates GaboonGrabber typically deploys AgentTesla as Stage 3 for credential harvesting - was it deployed? If so, what ICS credentials were stolen?
- Control Parameter Integrity: Can’t conclusively prove production control setpoints (temperature targets, pressure limits, timing sequences) weren’t modified without extensive audit of historical parameters vs current configuration
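The setpoint audit asked for here (and under "Equipment parameter verification" in the Type-Effective Approaches, and the red/green tiering in the Example Adjudication) is a comparison of a trusted pre-incident configuration against what the PLCs hold now, with life-safety tags judged first and more strictly. The script below is an added example for IMs, not part of the exercise materials: the tag names, the "golden" baseline (a pre-incident configuration backup is assumed to exist), the current readout values and the tolerance bands are all constructed. It distinguishes protective limits (alarm thresholds, trip limits, where a change in the loosening direction is the dangerous case) from process setpoints (where small operator adjustments are expected), reports tags present on the controller but absent from the baseline, and turns the result into a RED/AMBER/GREEN release decision for the equipment.

```python
"""Setpoint integrity audit for the SteelCorp exercise (added example, constructed data)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class TagSpec:
    baseline: float
    tolerance: float        # engineering-unit band within which operator adjustment is expected
    kind: str               # "limit": alarm threshold or trip limit; "setpoint": process target
    safety_critical: bool   # life-safety layer (judged first) vs production efficiency layer


# Assumed pre-incident backup. All limits here are high limits (raising them loosens
# protection); a real tag database would record the direction per tag.
GOLDEN = {
    "GAS_CO_ALARM_PPM":      TagSpec(35.0,   0.0, "limit",    True),
    "FURNACE_1_HIGH_TEMP_C": TagSpec(1250.0, 0.0, "limit",    True),
    "PRESS_3_MAX_PSI":       TagSpec(3000.0, 0.0, "limit",    True),
    "FURNACE_1_SP_C":        TagSpec(1180.0, 5.0, "setpoint", False),
    "PRESS_3_CYCLE_S":       TagSpec(12.0,   0.5, "setpoint", False),
}

# Constructed readout from the controllers after the incident window.
CURRENT_READOUT = {
    "GAS_CO_ALARM_PPM": 200.0,       # alarm threshold raised: detector now reads "safe" far too long
    "FURNACE_1_HIGH_TEMP_C": 1250.0,
    "PRESS_3_MAX_PSI": 3450.0,       # trip limit raised on the press already showing vibration
    "FURNACE_1_SP_C": 1183.0,        # inside the operator band, not a finding
    "PRESS_3_CYCLE_S": 12.2,
    "PRESS_3_VIB_ALARM_MMS": 7.1,    # not in the baseline: new logic, or a gap in the backup?
}


def audit(golden: dict[str, TagSpec], current: dict[str, float]) -> dict:
    """Compare current controller values against the golden baseline.
    Findings are split into safety-critical and production deviations; tags that exist
    only on one side are reported separately because both cases need a human answer."""
    report = {
        "safety": [],
        "production": [],
        "unbaselined": sorted(set(current) - set(golden)),
        "missing": sorted(set(golden) - set(current)),
    }
    for tag, spec in golden.items():
        if tag not in current:
            continue
        delta = current[tag] - spec.baseline
        if abs(delta) <= spec.tolerance:
            continue
        if spec.kind == "limit":
            note = "protective limit loosened" if delta > 0 else "protective limit tightened"
        else:
            note = "process setpoint changed"
        finding = {"tag": tag, "baseline": spec.baseline, "current": current[tag],
                   "delta": round(delta, 3), "note": note}
        (report["safety"] if spec.safety_critical else report["production"]).append(finding)
    return report


def release_decision(report: dict, golden: dict[str, TagSpec]) -> str:
    """RED: a safety tag deviates or is missing, equipment stays offline.
    AMBER: only production tags or unexplained extra tags, verify before use.
    GREEN: every baselined tag matches within tolerance and nothing is unexplained."""
    missing_safety = [t for t in report["missing"] if golden[t].safety_critical]
    if report["safety"] or missing_safety:
        return "RED"
    if report["production"] or report["unbaselined"]:
        return "AMBER"
    return "GREEN"


if __name__ == "__main__":
    rep = audit(GOLDEN, CURRENT_READOUT)
    for f in rep["safety"] + rep["production"]:
        print(f"{f['tag']}: {f['baseline']} -> {f['current']} ({f['note']})")
    print("unbaselined:", rep["unbaselined"], "missing:", rep["missing"])
    print("release decision:", release_decision(rep, GOLDEN))
```

The decision rule encodes the tiering the materials describe: a furnace setpoint nudged three degrees by an operator is not a reason to hold production, a gas alarm threshold that moved at all is. Note that a matching setpoint proves only that the stored configuration was not changed; it says nothing about whether the sensor feeding that alarm reports true values, which is why the physical calibration tests in the scenario cannot be replaced by this comparison.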
Complexity Layer: Red Herrings
Legitimate Anomalies:
- Scheduled Vendor Update: Legitimate MRP software vendor actually released update last week - team may waste time investigating whether vendor update was attack vector vs separate phishing campaign
- Equipment Maintenance: Hydraulic Press #3 was scheduled for routine maintenance next month - vibrations may be unrelated wear indicators, not compromise evidence
- Production Stress Testing: Operations team recently increased production rates 20% to test capacity for contract - some quality variations attributable to aggressive scheduling, not malware
Coincidental Timing:
- Industry Conference: Major manufacturing conference this week where vendors showcase optimization software - GaboonGrabber phishing leveraged conference timing, but legitimate vendor communications also increased
- Client Site Visit: Sarah Park’s company considered scheduling site visit this week (cancelled due to their schedule) - her intense deadline pressure partially driven by wanting to demonstrate success to her leadership
Previous Incidents:
- Q3 Equipment Failure: Hydraulic Press #2 experienced unrelated control board failure 2 months ago - some staff may confuse incidents and believe ongoing systemic problems
- Former Contractor Access: OT contractor was terminated 6 weeks ago - some staff suspect insider threat, wasting investigation time on unrelated personnel issue
- Previous Deadline Crisis: Last major contract (18 months ago) also had aggressive deadline - operations culture developed “approve everything during deadlines” habit from that experience
Expert-Level Insights
Advanced Trojan TTPs in OT Environments:
- MRP/SCADA Bridging: GaboonGrabber exploits the fact that many manufacturers connect manufacturing resource planning (MRP/ERP) systems directly to SCADA networks for "efficiency", creating an IT-to-OT attack path
- Deadline Exploitation: Attacker understands manufacturing deadline cycles - targets companies during high-pressure delivery periods when security scrutiny lowest
- Safety System Targeting: Industrial malware increasingly targets the safety layer - environmental monitoring alarms and the safety instrumented systems (SIS) that perform emergency shutdown - because a compromise there creates maximum pressure to pay ransoms or halt operations; the TRITON/TRISIS attack on a petrochemical plant's Triconex SIS is the documented precedent
Operational Security Patterns:
- Contract Intelligence: Attack precisely timed for production deadline suggests reconnaissance of public contract announcements or monitoring of manufacturing job postings (companies advertise production staff positions during high-output periods)
- Vendor Trust Exploitation: Social engineering leverages manufacturers’ dependency on vendor software - “efficiency optimization” promises appeal to operations-focused leadership
- Production Culture Weaponization: “Operational responsiveness” KPI created measurable incentive to bypass safety protocols - organizational metric became attack vector
Strategic Implications:
- OT Security Gap: Many manufacturers have IT security but minimal OT security capabilities - IT/OT coordinator role often stretched thin without proper training or resources
- Safety System Reliability: Worker safety depends on trusting environmental monitoring - once compromised (or suspected of compromise), production can’t safely resume without verification
- Manufacturing Supply Chain: If GaboonGrabber successfully targets SteelCorp during deadline, downstream construction project (Sarah’s company) also affected - supply chain cascade
Innovation Requirements
Why Standard Approaches Are Insufficient:
- Safety Verification Paradox: Standard “verify everything before resuming” approach takes days and guarantees contract loss, but standard “resume and monitor” risks worker injury
- OT Forensics Challenge: Can’t do thorough ICS forensics without halting production for offline analysis - but can’t safely resume production without forensics confirming integrity
- Production Deadline Rigidity: Standard incident response timelines (weeks) don’t align with manufacturing contracts (days/hours) - can’t delay indefinitely
- IT/OT Skillset Gap: Standard IT security team may lack OT/ICS expertise to understand industrial control system risks - need specialized knowledge for response decisions
Creative Solutions Needed:
Emergency “Parallel Production Verification” System:
- Challenge: Establish temporary “shadow production” using verified-safe equipment subset while conducting comprehensive forensics on potentially compromised systems
- Innovation Required: Rapid critical system verification (temperature, pressure, safety monitors), partial capacity production plan, client communication strategy for reduced initial delivery
- Evaluation Criteria: Can enough equipment be verified to meet partial Friday deadline? Does reduced delivery maintain contract? How do you scale to full capacity once forensics complete?
“Safety-First Transparency” Client Partnership:
- Challenge: Transform deadline miss from contract failure to demonstration of organizational values - explain technical reality of OT security to operations-focused client
- Innovation Required: Non-technical explanation of ICS compromise risks, safety-driven timeline justification, offering alternative value (expedited future deliveries, absorbed penalties)
- Evaluation Criteria: Can team explain OT security to non-technical client? Does transparency strengthen or damage long-term relationship? What specific accommodations offset delivery delay?
“Tiered Safety Verification” Protocol:
- Challenge: Develop risk-based verification approach - immediate physical validation of critical safety systems (environmental monitoring), scheduled comprehensive audit of production controls
- Innovation Required: Prioritize life-safety systems over efficiency systems, establish verification completion criteria, document decision-making process for OSHA/liability
- Evaluation Criteria: Does tiered approach satisfy safety requirements? Can it be completed within business timeline? Is it defensible to regulators if incident occurs?
Production Safety Status Tracking
Initial State (100%):
- 12 IT workstations infected with GaboonGrabber trojan
- IT-to-OT network connection discovered, ICS credentials accessed
- Friday delivery deadline (48 hours): $15M client relationship, $200K/day penalties
- 150 jobs dependent on contract continuation
- Worker safety systems (environmental monitoring, equipment controls) potentially compromised
Degradation Triggers:
- Hour 0-4 (Immediate Response Window): Each hour of delayed IT/OT separation = 20% increased likelihood GaboonGrabber accesses SCADA systems and establishes persistent OT compromise
- Hour 4-12 (Safety Verification Window): Production halt extending beyond 12 hours makes Friday deadline mathematically impossible even with weekend overtime
- Hour 12-24 (Contract Decision Point): Client communication must occur - silence beyond 24 hours likely triggers contract termination regardless of later explanation
- Hour 24-48 (Friday Deadline): Missing deadline without prior client agreement = automatic penalties + probable termination
Recovery Mechanisms:
- Immediate IT/OT Network Separation: Prevents malware from reaching industrial control systems (+60% safety system protection, -100% IT-dependent production efficiency during separation)
- Rapid Critical Safety Verification: Physical testing of temperature monitors, gas detectors, pressure sensors (+50% worker safety confidence, requires 4-6 hours and halts production during tests)
- Partial Verified Production: Resume operations on equipment subset confirmed safe (+40% production capacity, +70% safety confidence, enables partial Friday delivery)
- Transparent Client Communication: Early safety-driven timeline explanation (+30% client relationship preservation, requires non-technical OT security explanation)
- Third-Party OT Security Assessment: External ICS experts provide rapid safety verification with written certification (+60% safety confidence + client/OSHA credibility, requires $50-75K and 8-12 hours)
Critical Thresholds:
- Below 60% Worker Safety: Environmental monitoring cannot be trusted - production resumption risks worker exposure to hazardous conditions (gas leaks, temperature extremes), mandatory OSHA reporting, potential criminal liability if injury occurs
- Below 50% Client Relationship: Missed Friday deadline without prior communication triggers contract termination - $15M annual relationship lost, negative industry references affect future bids (30% revenue impact)
- Below 40% Equipment Integrity: Compromised control parameters cause equipment damage (Hydraulic Press destruction, processing furnace failure) - $500K+ repair costs, 4-6 week production halt, worker layoffs
Time Pressure Dynamics:
- Wednesday Morning (Hour 0): Detection and initial response - critical decision point for IT/OT separation vs production continuity
- Wednesday Afternoon (Hour 4-8): Safety verification decision - can Friday deadline still be met? When must client communication occur?
- Thursday Morning (Hour 24): Client communication deadline - Sarah Park must be notified of any delivery changes to manage her project schedule
- Thursday Evening (Hour 36): Last decision point for weekend recovery production - can verified systems enable Saturday completion?
- Friday Morning (Hour 48): Contractual deadline - delivery occurs or penalties/termination triggered
Success Metrics:
- Optimal Outcome (>85% across all dimensions): Rapid IT/OT separation within 2 hours, critical safety system verification by Thursday morning, partial Friday delivery (60% capacity) with Saturday completion, transparent client communication maintains relationship, worker safety ensured, proper OT security architecture established
- Acceptable Outcome (65-85%): IT/OT separation within 8 hours, tiered safety verification complete, Saturday delivery with client accommodation, some contract penalties but relationship preserved, no worker injuries, basic OT security improvements
- Poor Outcome (<65%): Delayed/inadequate safety verification, worker injury from compromised monitoring, missed Friday deadline without client communication, contract terminated, 150 workers laid off, OSHA investigation, equipment damage, reputation for safety/reliability destroyed