Raspberry Robin Scenario: Precision Manufacturing Corp Outbreak

Precision Manufacturing Corp: Industrial equipment manufacturer, 850 employees across production floors
Worm • RaspberryRobin
STAKES
Production line security + Industrial control systems + Manufacturing deadlines + Worker safety systems
HOOK
Precision Manufacturing is running at maximum capacity to fulfill a critical aerospace contract when maintenance technicians begin reporting strange behavior from production control systems. Multiple USB drives used for equipment updates and data transfer between air-gapped systems are spreading malicious LNK files that appear as normal folders, and the infection is jumping between isolated manufacturing networks through routine USB maintenance procedures.
PRESSURE
Aerospace contract delivery Friday - production delays cost $500K per day + Worker safety systems potentially compromised
FRONT • 120 minutes • Advanced
NPCs
  • Operations Manager Janet Williams: Managing critical aerospace production deadline, watching USB-based malware spread between air-gapped manufacturing systems through routine maintenance procedures
  • Senior Technician Carlos Rodriguez: Discovering that USB drives used for equipment updates are automatically creating malicious files that spread to every system they touch
  • Safety Coordinator Diana Park: Investigating potential compromise of worker safety systems as USB malware spreads through industrial control networks
  • Quality Engineer Mark Thompson: Analyzing production data integrity as infected USB drives contaminate manufacturing control systems and quality monitoring equipment
SECRETS
  • Manufacturing technicians routinely use USB drives to transfer updates and data between air-gapped production systems
  • USB-based malware is spreading through legitimate maintenance procedures, bypassing network security controls
  • Infected systems include both production control and worker safety monitoring equipment

Scenario Details for IMs

Opening Presentation

“It’s Tuesday morning at Precision Manufacturing Corp, and the factory is operating at maximum capacity to fulfill a critical aerospace contract due Friday. Maintenance technicians are performing routine equipment updates using USB drives to transfer data between air-gapped production systems when they notice something disturbing: the USB drives are automatically creating files that look like normal folders, but clicking on them causes strange system behavior. The malware is spreading through legitimate maintenance procedures, jumping between isolated manufacturing networks.”

Initial Symptoms to Present:

  • “USB drives used for equipment maintenance automatically creating suspicious LNK files”
  • “Production control systems showing signs of infection after routine USB data transfers”
  • “Air-gapped manufacturing networks experiencing unauthorized file creation and system modifications”
  • “Worker safety monitoring systems displaying anomalous behavior after USB maintenance procedures”

Key Discovery Paths:

Detective Investigation Leads:

  • Digital forensics reveal USB-based worm creating malicious LNK files disguised as legitimate folders
  • Manufacturing system analysis shows infection spreading through routine maintenance USB procedures
  • Timeline analysis indicates initial compromise through external contractor USB device
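
A triage check the IM can hand to the Detective role for the first lead above, as an added example (not part of the original scenario or any vendor tooling): it walks a mounted USB volume, identifies shortcut files by their Shell Link header rather than by extension, and flags any shortcut that shares its name with a folder beside it. The folder-shadowing heuristic, the function names and the sample drive contents are assumptions constructed for illustration.

```python
import os
import tempfile

# Shell Link header: HeaderSize 0x4C, then CLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")

def is_shell_link(path):
    """True if the file starts with the Shell Link header, whatever its extension."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(LNK_MAGIC)) == LNK_MAGIC
    except OSError:
        return False

def triage_volume(root):
    """Return sorted (relative_path, reason) findings for one mounted drive."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        folders = {d.lower() for d in dirnames}
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not is_shell_link(full):
                continue
            stem, ext = os.path.splitext(name)
            if ext.lower() != ".lnk":
                reason = "shell link content without .lnk extension"
            elif stem.lower() in folders:
                reason = "shortcut shadows a folder of the same name"
            else:
                reason = "shortcut on removable media"
            findings.append((os.path.relpath(full, root), reason))
    return sorted(findings)

def build_sample_drive():
    """Constructed sample standing in for a maintenance USB drive."""
    root = tempfile.mkdtemp(prefix="usb_sample_")
    os.makedirs(os.path.join(root, "Firmware"))
    samples = {
        "Firmware.lnk": LNK_MAGIC + b"\x00" * 56,   # shortcut named like the folder
        "readme.txt": LNK_MAGIC + b"\x00" * 56,     # shortcut hiding behind .txt
        "notes.lnk": b"plain text, not a shell link",
        os.path.join("Firmware", "update.bin"): b"constructed payload",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    for rel, reason in triage_volume(build_sample_drive()):
        print(f"{rel}: {reason}")
```

Run it against a read-only mount of the suspect drive so the triage itself never opens a shortcut through the shell or writes to the media.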

Protector System Analysis:

  • Production control system monitoring reveals USB-based malware bypassing air-gapped network security
  • Industrial safety system assessment shows potential compromise of worker protection monitoring
  • Manufacturing network security analysis indicates systematic USB-based propagation across isolated systems

Tracker Network Investigation:

  • USB device analysis reveals sophisticated worm designed specifically to spread in air-gapped environments
  • Manufacturing system communication patterns show malware adapting to industrial control protocols
  • Production data integrity analysis indicates potential compromise of quality control and safety systems

Communicator Stakeholder Interviews:

  • Maintenance technician interviews reveal routine USB usage patterns and infection spread mechanisms
  • Production management coordination regarding manufacturing deadline impact and system safety
  • Aerospace customer communication about potential production delays and quality assurance

Mid-Scenario Pressure Points:

  • Hour 1: Critical production line shuts down due to infected USB drives affecting manufacturing control systems
  • Hour 2: Worker safety monitoring systems show signs of compromise affecting factory floor operations
  • Hour 3: Aerospace customer demands assurance that production quality hasn’t been compromised by malware
  • Hour 4: Manufacturing deadline approaches with production systems still showing signs of USB-based infection

Evolution Triggers:

  • If USB disinfection fails, malware continues spreading through all manufacturing maintenance procedures
  • If production systems remain infected, aerospace contract delivery is threatened
  • If safety systems are compromised, worker protection and regulatory compliance are at risk

Resolution Pathways:

Technical Success Indicators:

  • Complete USB-based malware removal from manufacturing systems, with verified clean maintenance procedures
  • Air-gapped network security restored, preventing further USB-based propagation
  • Production control and safety system integrity verified, ensuring worker protection and manufacturing quality

Business Success Indicators:

  • Manufacturing operations restored, maintaining aerospace contract delivery schedule
  • Production quality assurance verified, preventing customer concerns and contract penalties
  • Worker safety systems secured, maintaining regulatory compliance and factory floor protection

Learning Success Indicators:

  • Team understands USB-based propagation in air-gapped manufacturing environments
  • Participants recognize removable media security challenges in industrial control systems
  • Group demonstrates coordination between cybersecurity response and manufacturing operations continuity

Common IM Facilitation Challenges:

If Air-Gapped Environment Is Misunderstood:

“Your network security approach is solid, but Carlos explains that manufacturing systems are air-gapped - the malware is spreading through USB drives during routine maintenance. How does this change your containment strategy?”

If Production Impact Is Ignored:

“While you’re analyzing the USB malware, Janet reports that production line 3 is down and the aerospace contract delivery is at risk. How do you balance thorough investigation with critical manufacturing deadlines?”

If Safety System Compromise Is Overlooked:

“Diana just discovered that worker safety monitoring systems may be infected through the same USB maintenance procedures. How do you assess and protect worker safety while managing production continuity?”

Success Metrics for Session: