Raspberry Robin Scenario: Precision Manufacturing Corp Outbreak

Precision Manufacturing Corp: Industrial equipment manufacturer, 850 employees across production floors
Worm • RaspberryRobin
STAKES
Production line security + Industrial control systems + Manufacturing deadlines + Worker safety systems
HOOK
Precision Manufacturing is running at maximum capacity to fulfill a critical aerospace contract when maintenance technicians begin reporting strange behavior from production control systems. Multiple USB drives used for equipment updates and data transfer between air-gapped systems are spreading malicious LNK files that appear as normal folders, and the infection is jumping between isolated manufacturing networks through routine USB maintenance procedures.
PRESSURE
Aerospace contract delivery Friday - production delays cost $500K per day + Worker safety systems potentially compromised
FRONT • 120 minutes • Advanced
NPCs
  • Operations Manager Janet Williams: Managing critical aerospace production deadline, watching USB-based malware spread between air-gapped manufacturing systems through routine maintenance procedures
  • Senior Technician Carlos Rodriguez: Discovering that USB drives used for equipment updates are automatically creating malicious files that spread to every system they touch
  • Safety Coordinator Diana Park: Investigating potential compromise of worker safety systems as USB malware spreads through industrial control networks
  • Quality Engineer Mark Thompson: Analyzing production data integrity as infected USB drives contaminate manufacturing control systems and quality monitoring equipment
SECRETS
  • Manufacturing technicians routinely use USB drives to transfer updates and data between air-gapped production systems
  • USB-based malware is spreading through legitimate maintenance procedures, bypassing network security controls
  • Infected systems include both production control and worker safety monitoring equipment

Planning Resources

Tip📋 Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

Raspberry Robin Manufacturing Floor Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Note🎬 Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

Raspberry Robin Manufacturing Floor Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support


Scenario Details for IMs

Precision Manufacturing Corp: Aerospace Parts Production During Critical Contract Delivery

Quick Reference

  • Organization: Industrial precision aerospace manufacturing facility, 850 employees (600 production floor workers), 80 production machines with air-gapped control networks requiring USB-based maintenance
  • Key Assets at Risk: Worker safety systems (hazardous gas detection, emergency shutdown controls protecting 850 workers), Production control and industrial systems (air-gapped SCADA, CNC machines, quality certification), $25M aerospace contract (300 jobs dependent, Friday deadline with $500K daily penalties)
  • Business Pressure: 72 hours until aerospace contract delivery Friday—maximum capacity 24/7 operations, 150+ daily USB insertions for equipment maintenance, customer demanding production status confirmation
  • Core Dilemma: Continue USB-based maintenance required for aerospace quality standards BUT allows malware propagation through air-gapped production systems, OR Halt USB use for containment BUT stops equipment calibration risking $500K daily penalties and worker safety certification

Detailed Context

Organization Profile

  • Type: Industrial precision manufacturing facility specializing in aerospace components
  • Size: 850-employee facility (600 production floor workers, 120 maintenance technicians and quality engineers, 80 supervisors, 50 administrative and engineering staff)
  • Operations: Precision steel processing, CNC machining, aerospace-grade manufacturing, hydraulic press operations, heat treatment, quality control and certification, equipment maintenance
  • Critical Services: 24/7 production floor operations across multiple lines, industrial control systems (SCADA, CNC, programmable logic controllers), worker safety monitoring (hazardous material detection, emergency shutdown systems, temperature controls), quality control and certification systems for aerospace specifications, equipment maintenance and calibration
  • Technology: Air-gapped production control networks (isolated from corporate IT for security), Windows-embedded industrial control systems (legacy OS for certified equipment), USB-based data transfer for maintenance and updates (required bridge between air-gapped systems), SCADA manufacturing control systems, quality measurement and certification equipment, worker safety monitoring and alarm systems

Precision Manufacturing Corp is a mid-sized aerospace component supplier serving aircraft manufacturers and defense contractors. The facility produces high-precision parts requiring aerospace certification and strict quality control. Current status: maximum-capacity operations fulfilling a $25M aerospace contract due Friday, production running 24/7 to meet the delivery deadline with $500K per day late penalties, and 150+ daily USB device insertions for routine equipment maintenance and data transfer between air-gapped production systems.

Key Assets & Impact

What’s At Risk:

  • Worker Safety Systems: Environmental monitoring (hazardous gas detection, chemical alerts), emergency shutdown controls for heavy machinery, temperature monitoring for heat treatment processes, personnel safety equipment controls—USB-based malware spreading through maintenance procedures compromises the safety instrumented systems protecting 850 workers (600 of them on the production floor) from industrial hazards, creates OSHA-reportable incidents, and triggers a mandatory operations halt until safety certification is restored
  • Production Control & Industrial Systems: Air-gapped SCADA networks, CNC machine control systems, quality measurement equipment, production data logging—Raspberry Robin USB worm propagating through maintenance workflows bypasses air-gap isolation, compromises manufacturing control integrity, threatens aerospace certification validity, risks $500K daily contract penalties with Friday delivery deadline
  • Aerospace Contract & Business Viability: $25M aerospace contract represents facility’s largest customer relationship, 300 jobs dependent on contract continuation, thin manufacturing profit margins vulnerable to major revenue loss—USB malware affecting quality control systems invalidates aerospace certification, customer threatens alternative suppliers, facility closure risk affects 850 employees and local community

Immediate Business Pressure

Tuesday morning, 72 hours before aerospace contract delivery Friday. Precision Manufacturing is operating at maximum production capacity. Senior Technician Carlos Rodriguez is performing routine equipment updates using USB drives—standard procedure for transferring data between air-gapped production control systems. Like most facilities with air-gapped control networks, Precision Manufacturing relies on USB for maintenance because the isolation that blocks network attacks also blocks network-based updates.

Carlos radios maintenance team: “USB drives automatically creating suspicious files on every system—‘Equipment_Updates’, ‘Production_Data’, ‘Quality_Control’ folders that aren’t real folders. Systems running slower after USB insertion.” Operations Manager Janet Williams overhears—immediately concerned about aerospace contract jeopardy. “We can’t afford production disruptions. $500K daily late penalties start Saturday if we miss Friday delivery. What’s happening?”

The investigation team identifies the Raspberry Robin USB worm: it plants LNK shortcuts on each drive that are named and iconed like legitimate manufacturing data folders (Windows hides the .lnk extension, so at a glance they are indistinguishable from real folders). The only user interaction it needs is a technician opening one of those "folders" on an air-gapped production system, which is exactly what every maintenance procedure involves; once a host is infected, the worm writes itself onto the next drive inserted. Infection is spreading through the 150+ daily USB insertions required for equipment calibration, firmware updates, quality data transfer, and production control maintenance. Manufacturing technicians share 10 USB drives across 80 production machines—a single infected USB contaminates the entire maintenance workflow.
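For IMs who want a concrete artefact to hand the Detective role, the following added example (not code from the scenario page) triages shortcut files pulled from a maintenance stick for the two things described above: a shortcut dressed up as a data folder, and a launch target that is an interpreter rather than a document. The parser follows the published MS-SHLLINK layout (fixed header, optional IDList and LinkInfo, then StringData). The drive listing, both shortcuts in it, and the `q.cfg` file name are constructed fixtures, not samples.

```python
"""Triage .lnk files from a maintenance USB stick for folder mimicry and interpreter targets.

Added example, not from the scenario page. Parser follows MS-SHLLINK; the drive
listing below is a constructed fixture built by build_lnk(), not a real sample.
"""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80

# A shortcut that claims to be a folder has no business launching any of these.
INTERPRETERS = {"cmd.exe", "powershell.exe", "msiexec.exe", "rundll32.exe",
                "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe"}


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a Shell Link; raise ValueError if it is not one."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:                   # LinkTargetIDList: uint16 size, then the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                 # LinkInfo: uint32 size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, name in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON, "icon_location")):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252")
            pos += count
    return fields


def triage_lnk(filename: str, data: bytes, listing: dict) -> list:
    """Heuristics for one shortcut; `listing` maps sibling names to {"is_dir", "hidden"}."""
    f = parse_lnk(data)
    target = f.get("relative_path", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    args = f.get("arguments", "").lower()
    stem = filename[:-4] if filename.lower().endswith(".lnk") else filename
    findings = []
    # Explorer never shows the .lnk extension, so a shortcut named after a hidden
    # sibling directory and wearing a system icon looks exactly like that folder.
    sibling = listing.get(stem, {})
    if "." not in stem and sibling.get("is_dir") and sibling.get("hidden"):
        findings.append("folder mimicry: named after a hidden sibling directory")
    if "shell32.dll" in f.get("icon_location", "").lower():
        findings.append("borrows a system icon from shell32.dll")
    if target in INTERPRETERS:
        findings.append(f"launches interpreter {target}")
    if "<" in args or "msiexec" in args or "http" in args:
        findings.append("arguments feed a file from the drive to the interpreter or fetch a payload")
    return findings


def build_lnk(relative_path: str, arguments: str, icon_location: str = "") -> bytes:
    """Assemble a minimal Unicode Shell Link (fixture builder, not a malware artefact)."""
    flags = HAS_REL_PATH | HAS_ARGUMENTS | IS_UNICODE | (HAS_ICON if icon_location else 0)
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # no attrs/times, SW_SHOWNORMAL
    sd = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + sd(relative_path) + sd(arguments) + (sd(icon_location) if icon_location else b"")


# Constructed listing of an infected stick: the real folder has been hidden, a shortcut
# wearing its name sits beside it, plus a benign vendor shortcut for contrast.
DRIVE = {
    "Equipment_Updates": {"is_dir": True, "hidden": True},
    "Equipment_Updates.lnk": {"is_dir": False, "hidden": False, "data": build_lnk(
        "..\\..\\..\\Windows\\System32\\cmd.exe", '/R <"Equipment_Updates\\q.cfg"',
        "%SystemRoot%\\System32\\shell32.dll")},
    "Vendor": {"is_dir": True, "hidden": False},
    "CalibrationTool.lnk": {"is_dir": False, "hidden": False,
                            "data": build_lnk("Vendor\\CalTool.exe", "--profile cnc7")},
}


def scan_drive(listing: dict) -> dict:
    """Return {shortcut name: [findings]} for every .lnk in the listing."""
    return {name: triage_lnk(name, entry["data"], listing)
            for name, entry in listing.items()
            if not entry["is_dir"] and name.lower().endswith(".lnk")}


if __name__ == "__main__":
    for name, findings in scan_drive(DRIVE).items():
        print(name, "->", findings or ["clean"])
```

Run it on a listing taken from a quarantined stick (never from a live production host) and treat any shortcut with two or more findings as the artefact to image and analyse; the benign vendor shortcut in the fixture shows that a plain `.lnk` is not by itself a finding.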

Safety Coordinator Diana Park reporting worker safety systems potentially compromised—infected USB drives accessed emergency shutdown controls, hazardous material detection, and personnel safety equipment through same maintenance procedures. Production line 3 experiencing unexpected shutdown after infected USB calibration. Aerospace customer calling demanding production status confirmation. Quality Engineer Mark Thompson concerned infected USB drives accessing quality control systems—entire aerospace certification could be invalidated if production data integrity questioned.

Critical Timeline:

  • Current moment (Tuesday 9am): Raspberry Robin identified spreading through air-gapped manufacturing networks via USB maintenance procedures, 72 hours until aerospace contract delivery
  • Stakes: Worker safety systems compromised, $25M aerospace contract threatened with $500K daily penalties, 850 employees and 300 jobs dependent on facility operations, air-gapped production control integrity questioned
  • Dependencies: 80 production machines requiring daily USB maintenance for aerospace quality standards, worker safety monitoring protecting employees from industrial hazards, quality control certification required for aerospace component delivery, air-gap isolation creates USB dependency that malware exploits

Cultural & Organizational Factors

Why This Vulnerability Exists:

  • Air-gap security architecture creates mandatory USB dependency: Precision Manufacturing designed production control networks as air-gapped (no network connectivity) for security and aerospace certification requirements. Aircraft manufacturers demand isolated manufacturing systems to prevent network-based espionage or sabotage. Air-gap creates security against network attacks—but requires USB drives as only method for firmware updates, calibration data transfer, quality measurements, and equipment maintenance. The security measure designed to protect manufacturing becomes the attack vector—USB worm exploits the very isolation meant to provide safety.
  • Equipment maintenance workflows are non-negotiable for production: CNC machines require daily calibration via USB. Quality control systems need USB data transfer for aerospace certification. Heat treatment equipment depends on USB firmware updates. Production monitoring requires USB log downloads. These USB procedures are mandatory requirements in aerospace manufacturing—not convenience or negligence. Technicians cannot “just stop using USB” without halting production operations. Equipment vendors specify USB maintenance in service contracts. Attempting to eliminate USB usage means losing aerospace certification and ability to manufacture certified components.
  • Manufacturing technicians share USB drives, creating a propagation network: The facility has 10 USB drives for 80 production machines and 120 maintenance technicians. Shared USB drives move between departments, production lines, and equipment types throughout the day. A single infected USB inserted into one system Tuesday contaminates the entire facility by Thursday through the routine maintenance rotation. Cross-contamination is accelerated by the cost-efficiency practice of sharing drives rather than dedicating a USB device per machine or technician. Budget constraints (ten $15 industrial-grade drives for $150, versus roughly $1,500 to dedicate one drive per machine) drove the sharing practice that created the rapid propagation pathway.
  • External contractor introduced infection beyond facility control: Timeline analysis traces initial Raspberry Robin infection to maintenance contractor’s USB drive used during equipment service 5-7 days prior. Contractor companies service multiple manufacturing facilities with same USB drives and tools. Facility has limited control over third-party cybersecurity practices—but must grant contractor USB access to fulfill equipment warranty and maintenance contracts. Supply chain USB contamination created infection source outside organizational security boundaries.
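The timeline analysis described above can be reconstructed from the USBSTOR device keys each air-gapped Windows host records. The following added example (not code from the scenario page) parses those instance IDs, flags drives that are not on the facility's allowlist of shared sticks, and walks insertions in time order to mark which hosts and which approved sticks the unapproved drive has contaminated. The allowlist serials, host names, and per-host exports are constructed fixtures; the first-seen timestamp is assumed to be whatever the collection script recorded for each key.

```python
"""Trace an unapproved USB drive across air-gapped hosts and the shared sticks it tainted.

Added example, not from the scenario page. Instance-ID parsing follows the Windows
USBSTOR format USBSTOR\\Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>\\<serial>&0; the
allowlist, host names and exports below are constructed fixtures.
"""
import re
from collections import defaultdict

USBSTOR_RE = re.compile(
    r"USBSTOR\\Disk&Ven_(?P<ven>[^&\\]*)&Prod_(?P<prod>[^&\\]*)&Rev_(?P<rev>[^\\]*)"
    r"\\(?P<serial>[^&\\]+)&\d")

# The facility's ten shared maintenance sticks (constructed serials).
APPROVED_SERIALS = {f"PMC-MAINT-{i:02d}" for i in range(1, 11)}

# Constructed per-host exports: (host, USBSTOR instance ID, first time the host saw it).
# ISO-8601 strings sort chronologically as plain text.
EXPORTS = [
    ("CNC-07",         r"USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\PMC-MAINT-03&0", "2024-05-07T06:40"),
    ("CNC-07",         r"USBSTOR\Disk&Ven_SanDisk&Prod_Ultra&Rev_1.00\4C530001230601&0",       "2024-05-08T14:12"),
    ("HEATTREAT-02",   r"USBSTOR\Disk&Ven_SanDisk&Prod_Ultra&Rev_1.00\4C530001230601&0",       "2024-05-09T09:05"),
    ("HEATTREAT-02",   r"USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\PMC-MAINT-03&0", "2024-05-10T07:30"),
    ("QC-STATION-1",   r"USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\PMC-MAINT-03&0", "2024-05-11T16:48"),
    ("QC-STATION-1",   r"USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\PMC-MAINT-08&0", "2024-05-12T08:02"),
    ("SAFETY-PLC-HMI", r"USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\PMC-MAINT-03&0", "2024-05-13T11:20"),
]


def parse_instance_id(instance_id: str) -> dict:
    """Split a USBSTOR disk instance ID into vendor, product, revision and serial."""
    m = USBSTOR_RE.search(instance_id)
    if not m:
        raise ValueError(f"not a USBSTOR disk instance ID: {instance_id}")
    return m.groupdict()


def unapproved_devices(exports, approved):
    """Serial -> {vendor, product, first_host, first_seen, hosts} for drives off the allowlist."""
    seen, meta = defaultdict(list), {}
    for host, iid, first_seen in exports:
        d = parse_instance_id(iid)
        seen[d["serial"]].append((first_seen, host))
        meta[d["serial"]] = d
    out = {}
    for serial, visits in seen.items():
        if serial in approved:
            continue
        visits.sort()
        out[serial] = {"vendor": meta[serial]["ven"], "product": meta[serial]["prod"],
                       "first_seen": visits[0][0], "first_host": visits[0][1],
                       "hosts": [h for _, h in visits]}
    return out


def taint_propagation(exports, approved):
    """Walk insertions in time order. An unapproved drive is tainted from the start; a
    host becomes tainted when a tainted drive is inserted; an approved drive becomes
    tainted when inserted into an already-tainted host. Returns ({host: since},
    {serial: since}).

    Caveat: USBSTOR keeps one key per device, i.e. only the FIRST insertion on each host.
    A clean stick that returned to an infected host later is invisible here; confirm with
    setupapi.dev.log or the Partition/Diagnostic event log before clearing a host."""
    events = sorted((t, host, parse_instance_id(iid)["serial"]) for host, iid, t in exports)
    drive_since = {s: "source" for _, _, s in events if s not in approved}
    host_since = {}
    for t, host, serial in events:
        if serial in drive_since and host not in host_since:
            host_since[host] = t
        elif host in host_since and serial not in drive_since:
            drive_since[serial] = t
    return host_since, drive_since


if __name__ == "__main__":
    for serial, info in unapproved_devices(EXPORTS, APPROVED_SERIALS).items():
        print(f"unapproved {info['vendor']} {info['product']} {serial}: first on "
              f"{info['first_host']} at {info['first_seen']}, hosts {info['hosts']}")
    hosts, drives = taint_propagation(EXPORTS, APPROVED_SERIALS)
    print("hosts to treat as infected:", hosts)
    print("sticks to pull from rotation:", drives)
```

The output is the list Carlos and Diana need on Tuesday morning: which sticks to pull from rotation and which hosts (including the safety HMI in the fixture) cannot be declared clean on the strength of "we only used approved drives".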

Operational Context

How This Manufacturing Facility Actually Works:

Precision Manufacturing operates in a competitive aerospace supply market with thin profit margins (the $25M contract represents 30% of annual revenue). Air-gapped production networks were an expensive security investment required for aerospace defense contractor certification. The air-gap protects against network-based industrial espionage targeting aerospace manufacturing intellectual property—but creates an operational dependency on USB as the only data transfer method between isolated systems and administrative networks. Operations Manager Janet balances three competing pressures: aerospace customer delivery demands ($500K daily penalties), worker safety requirements (OSHA and insurance mandates), and equipment vendor maintenance specifications (warranty compliance). The facility runs 24/7 during contract delivery periods—technicians perform USB maintenance on evenings and weekends when production demand is highest. This creates a vulnerability window where USB procedures occur with minimal IT security oversight. The gap between industrial security best practice (dedicated USB devices per system, real-time malware scanning, vendor cybersecurity requirements) and manufacturing economic reality (shared USBs for cost control, contractor access for warranty compliance, production schedule overriding security maintenance) created perfect conditions for a commodity USB worm whose removable-media propagation happens to fit air-gapped industrial environments exactly.

Key Stakeholders

  • Janet Williams (Operations Manager) - Managing $25M aerospace contract delivery with 72-hour deadline, watching USB malware spread through air-gapped production systems, balancing security response with $500K daily late penalties
  • Carlos Rodriguez (Senior Technician) - Discovering routine USB maintenance procedures are spreading malware across facility, frustrated that security measures might interfere with proven maintenance workflows required for aerospace quality
  • Diana Park (Safety Coordinator) - Investigating worker safety system compromise as USB malware spreads through industrial control networks, must ensure OSHA compliance and employee protection before production resumption
  • Mark Thompson (Quality Engineer) - Analyzing production data integrity as infected USB drives contaminate quality control systems, concerned entire aerospace certification could be invalidated by malware affecting quality records

Why This Matters

You’re not just containing a USB worm—you’re protecting 850 workers from compromised safety systems while trying to save 300 jobs dependent on a $25M aerospace contract with 72-hour delivery deadline. Air-gapped production networks designed to prevent network attacks are being compromised through USB maintenance procedures that cannot be eliminated without halting manufacturing. Worker safety monitoring for hazardous materials, emergency shutdowns, and temperature controls is potentially corrupted—OSHA requires absolute certainty before workers can safely operate heavy machinery and chemical processes. The aerospace customer demands quality certification that malware hasn’t affected production data or component integrity. Manufacturing technicians need USB drives for equipment updates required by aerospace standards—but every USB insertion risks spreading the worm through air-gapped systems. There’s no option that eliminates USB, protects workers, meets the deadline, and preserves quality certification. You must decide which matters most.

IM Facilitation Notes

  • This is air-gapped OT security, not enterprise IT security: Players often suggest "network isolation" or "disconnect from internet"—remind them systems are ALREADY air-gapped by design. USB is the deliberate bridge for maintenance. The security architecture that should protect them is being exploited. Force players to understand air-gap limitations. If a player points out that real-world Raspberry Robin samples fetch their second stage over the internet via msiexec, which a truly air-gapped host cannot do, acknowledge it: the scenario treats the USB-resident stage as self-contained so that the removable-media lesson holds.
  • USB usage is manufacturing requirement, not negligence: Don’t let players dismiss USB as “poor security practice.” Aerospace certification requires air-gapped systems. Equipment vendors specify USB maintenance. Quality standards mandate USB data transfer. This is industrial operational reality. Eliminating USB means losing aerospace certification and production capability.
  • Worker safety is non-negotiable even under deadline pressure: If players propose “continue production while investigating,” remind them hazardous material detection and emergency shutdown systems potentially compromised. Cannot verify safety systems while workers use them in active production. OSHA liability if injury occurs. Diana will mandate halt if safety cannot be certified.
  • Shared USB drives accelerate propagation authentically: Ten USB drives for 80 machines is realistic manufacturing practice driven by equipment cost and budget constraints. Players may criticize this—acknowledge it’s optimization for operational efficiency over security. Budget-constrained manufacturing made rational choice that created vulnerability.
  • Contract pressure is authentic manufacturing crisis: $500K daily penalties and $25M contract loss threatens 300 jobs and facility viability. This isn’t hypothetical—aerospace manufacturing operates with aggressive delivery schedules and penalty clauses. Players must balance worker safety (absolute) with business survival (affects 850 families). Force difficult ethical trade-offs.

Opening Presentation

“It’s Tuesday morning at Precision Manufacturing Corp, and the factory is operating at maximum capacity to fulfill a critical aerospace contract due Friday. Maintenance technicians are performing routine equipment updates using USB drives to transfer data between air-gapped production systems when they notice something disturbing: the USB drives are automatically creating files that look like normal folders, but clicking on them causes strange system behavior. The malware is spreading through legitimate maintenance procedures, jumping between isolated manufacturing networks.”

Initial Symptoms to Present:

Warning🚨 Initial User Reports
  • “USB drives used for equipment maintenance automatically creating suspicious LNK files”
  • “Production control systems showing signs of infection after routine USB data transfers”
  • “Air-gapped manufacturing networks experiencing unauthorized file creation and system modifications”
  • “Worker safety monitoring systems displaying anomalous behavior after USB maintenance procedures”

Key Discovery Paths:

Detective Investigation Leads:

  • Digital forensics reveal USB-based worm creating malicious LNK files disguised as legitimate folders
  • Manufacturing system analysis shows infection spreading through routine maintenance USB procedures
  • Timeline analysis indicates initial compromise through external contractor USB device

Protector System Analysis:

  • Production control system monitoring reveals USB-based malware bypassing air-gapped network security
  • Industrial safety system assessment shows potential compromise of worker protection monitoring
  • Manufacturing network security analysis indicates systematic USB-based propagation across isolated systems

Tracker Network Investigation:

  • USB device analysis reveals a commodity USB worm whose removable-media propagation needs no network path at all, which is exactly the gap an air-gapped facility leaves open
  • Manufacturing system analysis shows which Windows-embedded control hosts the worm has touched; whether it has altered any control logic or industrial protocol traffic remains unproven either way, which is what makes the integrity question hard to close
  • Production data integrity analysis indicates potential compromise of quality control and safety systems

Communicator Stakeholder Interviews:

  • Maintenance technician interviews reveal routine USB usage patterns and infection spread mechanisms
  • Production management coordination regarding manufacturing deadline impact and system safety
  • Aerospace customer communication about potential production delays and quality assurance

Mid-Scenario Pressure Points:

  • Hour 1: Critical production line shuts down due to infected USB drives affecting manufacturing control systems
  • Hour 2: Worker safety monitoring systems show signs of compromise affecting factory floor operations
  • Hour 3: Aerospace customer demands assurance that production quality hasn’t been compromised by malware
  • Hour 4: Manufacturing deadline approaches with production systems still showing signs of USB-based infection

Evolution Triggers:

  • If USB disinfection fails, malware continues spreading through all manufacturing maintenance procedures
  • If production systems remain infected, aerospace contract delivery is threatened
  • If safety systems are compromised, worker protection and regulatory compliance are at risk

Resolution Pathways:

Technical Success Indicators:

  • Complete USB-based malware removal from manufacturing systems with verified clean maintenance procedures
  • Air-gapped network security restored preventing further USB-based propagation
  • Production control and safety system integrity verified ensuring worker protection and manufacturing quality

Business Success Indicators:

  • Manufacturing operations restored maintaining aerospace contract delivery schedule
  • Production quality assurance verified preventing customer concerns and contract penalties
  • Worker safety systems secured maintaining regulatory compliance and factory floor protection

Learning Success Indicators:

  • Team understands USB-based propagation in air-gapped manufacturing environments
  • Participants recognize removable media security challenges in industrial control systems
  • Group demonstrates coordination between cybersecurity response and manufacturing operations continuity

Common IM Facilitation Challenges:

If Air-Gapped Environment Is Misunderstood:

“Your network security approach is solid, but Carlos explains that manufacturing systems are air-gapped - the malware is spreading through USB drives during routine maintenance. How does this change your containment strategy?”

If Production Impact Is Ignored:

“While you’re analyzing the USB malware, Janet reports that production line 3 is down and the aerospace contract delivery is at risk. How do you balance thorough investigation with critical manufacturing deadlines?”

If Safety System Compromise Is Overlooked:

“Diana just discovered that worker safety monitoring systems may be infected through the same USB maintenance procedures. How do you assess and protect worker safety while managing production continuity?”

Success Metrics for Session:


Template Compatibility

This scenario adapts to multiple session formats with appropriate scope and timing:

Quick Demo (35-40 minutes)

  • Structure: 3 investigation rounds, 1 decision round
  • Focus: Core USB worm discovery and immediate manufacturing network containment
  • Simplified Elements: Streamlined industrial control complexity and safety system details
  • Key Actions: Identify USB malware propagation, implement emergency device controls, coordinate production impact assessment

Lunch & Learn (75-90 minutes)

  • Structure: 5 investigation rounds, 2 decision rounds
  • Focus: Comprehensive USB workflow investigation and production continuity protection
  • Added Depth: Air-gapped network security requirements and worker safety system integrity
  • Key Actions: Complete forensic analysis of USB worm spread, coordinate aerospace contract impact, restore manufacturing operations with verification

Full Game (120-140 minutes)

  • Structure: 7 investigation rounds, 3 decision rounds
  • Focus: Complete manufacturing USB outbreak response with production and safety coordination
  • Full Complexity: Worker safety system assessment, aerospace contract delivery management, long-term ICS USB security policy
  • Key Actions: Comprehensive USB malware containment across air-gapped systems, coordinate production and safety response, implement enhanced manufacturing workflow security

Advanced Challenge (150-170 minutes)

  • Structure: 8-9 investigation rounds, 4 decision rounds
  • Expert Elements: Industrial control system technical depth, air-gapped security complexity, production quality validation
  • Additional Challenges: Mid-scenario aerospace deadline pressure, safety system verification requirements, production data integrity assessment
  • Key Actions: Complete investigation under manufacturing operational constraints, coordinate multi-system industrial response, implement comprehensive ICS USB architecture while maintaining production and worker safety


Quick Demo Materials (35-40 min)

Guided Investigation Clues

Progressive hints to maintain engagement and learning momentum:

If team is uncertain where to start investigation:

“Senior Technician Carlos Rodriguez explains that your manufacturing systems are deliberately air-gapped with no network connections for security - yet the malware is spreading rapidly between isolated systems. The only data transfer method is USB drives used by technicians for equipment updates and maintenance procedures. The worm exploits the very security measure (air-gapping) that was supposed to protect you. How do you contain malware that spreads through physical media in an environment specifically designed to prevent network-based attacks?”

Teaching moment: Air-gapped industrial control systems are not immune to malware - they’re vulnerable to USB-based propagation through legitimate maintenance workflows. Traditional network security approaches don’t apply; containment requires physical device control and procedural modification.

If team misses safety implications:

“Safety Coordinator Diana Park has completed her investigation. The USB malware has spread to worker safety monitoring systems including emergency shutdown controls, hazardous material detection, and personnel safety equipment. These systems protect 850 workers across production floors operating heavy machinery and handling aerospace-grade materials. While the malware hasn’t actively manipulated safety systems yet, their integrity is now questionable. How does potential worker safety compromise change your response priorities and decision-making?”

Teaching moment: Manufacturing USB malware can affect life-safety systems, not just production equipment. Response must prioritize worker protection and safety system verification alongside production continuity and malware containment.

If team overlooks operational criticality:

“Operations Manager Janet reports that the aerospace contract is worth $25M and includes $500K per-day late penalties. You’re 72 hours from delivery deadline. Manufacturing technicians need USB drives to update equipment, transfer quality data, and maintain production systems - these USB procedures are mandatory for aerospace quality compliance. If you disable USB access, production stops and you miss the deadline. If you don’t contain the worm, it continues spreading through your most critical operational procedures. How do you resolve this impossible choice under extreme time pressure?”

Teaching moment: Industrial USB malware incidents often create operational dilemmas where security containment conflicts directly with production requirements and contractual obligations. Effective response requires creative solutions that address both security and operational continuity within existing constraints.


Pre-Defined Response Options

Three balanced response approaches with trade-offs:

Option A: Emergency Manufacturing Shutdown & Complete USB Elimination

  • Action: Immediately halt all production operations and disable all USB ports across manufacturing systems, implement complete malware removal and system rebuild, verify worker safety system integrity before any production restart, accept aerospace contract delay and associated penalties.
  • Pros: Ensures absolute certainty of malware elimination and worker safety, provides thorough investigation of industrial control system compromise, demonstrates unwavering commitment to manufacturing security and personnel protection, eliminates USB propagation vector completely.
  • Cons: Misses the Friday aerospace deadline; at $500K per day, a 1-2 week shutdown translates to roughly $3.5M-$7M in late penalties on the $25M contract, suspends manufacturing operations affecting multiple customer contracts, requires complete re-validation of aerospace quality procedures, and creates severe financial impact potentially including layoffs.
  • Type Effectiveness: Super effective against Worm malmon type; complete USB lockdown prevents propagation and ensures manufacturing network security with zero reinfection risk.

Option B: Accelerated Parallel Response & Conditional Production Restoration

  • Action: Conduct intensive 48-hour malware removal across all affected systems using maximum resources, implement enhanced USB device scanning and strict control policies, coordinate real-time aerospace quality verification for expedited production authorization while maintaining worker safety monitoring.
  • Pros: Balances manufacturing operations with security response requirements, provides compressed but thorough USB malware containment, demonstrates agile industrial incident management, maintains aerospace contract viability while addressing outbreak.
  • Cons: Requires extraordinary coordination across production teams and sustained 24/7 operations, compressed timeline increases risk of incomplete malware removal in some air-gapped systems, maintains operational uncertainty during production restoration, intensive resource stress on manufacturing and safety personnel.
  • Type Effectiveness: Moderately effective against Worm malmon type; addresses immediate manufacturing security concerns while restoring operations, but compressed timeline may not fully eliminate persistent USB infections across air-gapped industrial networks.

Option C: Selective System Isolation & Phased Security Recovery

  • Action: Isolate confirmed infected production systems from critical manufacturing operations, implement immediate USB scanning and verification protocols for clean systems, maintain aerospace contract production using verified equipment while conducting thorough malware investigation at affected locations, coordinate phased security restoration aligned with production priorities.
  • Pros: Maintains aerospace contract timeline and avoids severe financial penalties, allows quality-compliant production with verified clean USB procedures, provides time for comprehensive USB malware investigation and safety system assessment, demonstrates sophisticated risk management balancing security with manufacturing obligations.
  • Cons: Operates with partially contained outbreak requiring sustained vigilance across production floors, requires intensive USB verification and manual monitoring increasing operational complexity, extended containment window across air-gapped manufacturing systems, depends on effectiveness of system isolation and USB verification procedures against worm reintroduction through maintenance operations.
  • Type Effectiveness: Partially effective against Worm malmon type; addresses immediate manufacturing operational requirements through isolation and verification, but extended containment creates ongoing reinfection risk if USB procedures aren’t perfectly controlled across distributed air-gapped production systems.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Discovery & Air-Gapped Environment Assessment (30-35 min)

Investigation Clues:

  • Clue 1 (Minute 5): Senior Technician Carlos Rodriguez reports that USB drives used for routine equipment updates are creating suspicious files. “Every time we plug in a maintenance USB, we’re seeing files that look like folders named ‘Equipment_Data’ and ‘Production_Updates’ - but they’re actually LNK shortcuts. The systems are acting strange afterward.”
  • Clue 2 (Minute 10): USB forensics reveal Raspberry Robin worm using disguised LNK files to propagate through manufacturing maintenance workflows. The malware spreads automatically to air-gapped production control systems because technicians must use USB drives to transfer updates and data between isolated networks. There’s no network connection - USB is the only data transfer method.
  • Clue 3 (Minute 15): Operations Manager Janet Williams reports that production line 3 experienced unexpected shutdown after infected USB was used for equipment calibration. “We’re running at maximum capacity for the aerospace contract - every production line shutdown costs us $20,000 per hour in delayed deliveries.”
  • Clue 4 (Minute 20): Industrial control system analysis reveals the worm has spread to multiple air-gapped manufacturing networks across the facility. Quality Engineer Mark Thompson discovers infected USB drives have touched quality control systems, production monitoring equipment, and automated manufacturing controls. “Our air-gap security was supposed to protect us from network-based malware - but USB drives bypass all those protections.”

Response Options:

  • Option A: Emergency Production Halt & USB Lockdown - Immediately shut down all infected production lines, disable USB ports on all manufacturing systems, implement emergency USB sanitization procedures, prioritize worker safety system verification before any restart.
    • Pros: Completely stops worm propagation across air-gapped networks; ensures worker safety systems aren’t compromised; demonstrates priority of security over production.
    • Cons: Halts aerospace contract production threatening $25M deal; $500K per-day late penalties start accumulating; manufacturing workers idle during extended shutdown.
    • Type Effectiveness: Super effective - immediately halts USB worm propagation but creates severe production and financial impact.
  • Option B: Selective System Isolation with Production Priority - Isolate confirmed infected systems, implement USB scanning protocols for critical production equipment, maintain aerospace contract manufacturing using verified clean systems and USB drives.
    • Pros: Balances security response with critical production deadlines; maintains aerospace contract timeline; allows continued manufacturing with enhanced USB controls.
    • Cons: Worm may continue spreading through USB during production operations; intensive USB verification creates operational complexity; partial containment risks reinfection.
    • Type Effectiveness: Moderately effective - maintains production while implementing controls, but doesn’t guarantee complete worm elimination during active operations.
  • Option C: Air-Gapped Network Remediation Focus - Prioritize complete USB malware removal from safety-critical and production control systems, accept temporary production reduction on non-critical lines, establish strict USB device management protocols.
    • Pros: Protects worker safety systems and critical production controls; allows continued partial operations; provides time for thorough air-gapped network remediation.
    • Cons: Reduced production capacity may impact aerospace contract delivery; differential remediation creates confusion; extended timeline for complete facility coverage.
    • Type Effectiveness: Partially effective - protects highest-priority systems but allows propagation in lower-priority areas during phased approach.

Round 2: Worker Safety & Production Continuity (30-35 min)

Investigation Clues:

  • Clue 5 (Minute 30): If Option A (shutdown) was chosen: Janet reports the aerospace customer is threatening to cancel the $25M contract due to production delays. “They’re saying if we can’t deliver by Friday, they’ll find another supplier. This contract supports 300 jobs.”
  • Clue 5 (Minute 30): If Option B or C was chosen: Carlos discovers worm propagation continuing through USB drives despite scanning protocols. “The malware is sophisticated - it’s re-infecting ‘clean’ USB drives when we use them on systems we haven’t fully remediated yet. We’re chasing our tails.”
  • Clue 6 (Minute 40): Safety Coordinator Diana Park completes assessment of worker safety monitoring systems. “Infected USB drives have accessed emergency shutdown controls, hazardous material detection, and personnel safety equipment. We can’t definitively say these life-safety systems are trustworthy right now.”
  • Clue 7 (Minute 50): External ICS security analysis reveals Raspberry Robin typically establishes command-and-control through infected systems and can download additional payloads. Some infected production control systems show attempted external connections (failed due to air-gap, but malware is trying). “This isn’t just USB propagation - it’s initial access for potential follow-on attacks if anyone ever connects these systems.”
  • Clue 8 (Minute 55): Quality Engineer Mark discovers infected USB drives accessed production data and quality control systems. “We need to verify data integrity for all aerospace parts manufactured in the past 2 weeks. The customer requires certification that malware hasn’t compromised manufacturing quality or production records.”

Response Options:

  • Option A: Comprehensive Manufacturing Security Remediation - Complete shutdown and USB worm removal across all production systems, implement enterprise USB security controls for manufacturing environment, conduct thorough worker safety system verification, coordinate aerospace quality re-certification.
    • Pros: Eliminates all USB infections protecting worker safety and production integrity; demonstrates full commitment to manufacturing security; provides definitive aerospace quality assurance.
    • Cons: Extended downtime likely results in aerospace contract cancellation; $25M revenue loss plus late penalties; potential layoffs of manufacturing workforce; customer relationship damage.
    • Type Effectiveness: Super effective - comprehensive security restoration with complete worm elimination but maximum business impact.
  • Option B: Worker Safety Prioritized with Production Recovery - Immediate verification and remediation of all worker safety systems, establish sanitized USB workflow for critical aerospace production, implement real-time USB monitoring, conduct rolling production line remediation.
    • Pros: Maintains worker safety as absolute priority; attempts aerospace contract rescue through rapid recovery; demonstrates balanced risk management.
    • Cons: Compressed timeline increases risk of incomplete remediation; intensive coordination burden on manufacturing teams; may still miss deadline with partial operations.
    • Type Effectiveness: Moderately effective - protects worker safety while attempting production recovery but challenging timeline.
  • Option C: Industrial Security Vendor Partnership - Engage specialized ICS security firm for rapid air-gapped network remediation expertise, coordinate with equipment vendors for USB security guidance, request aerospace customer accommodation while demonstrating proactive response.
    • Pros: Leverages industrial security expertise improving response quality; vendor support may provide faster remediation paths; customer communication demonstrates professionalism.
    • Cons: External engagement extends response timeline; costs $100K+ for ICS security specialists; admission of limited internal manufacturing security capability.
    • Type Effectiveness: Moderately effective - improves response quality through expertise but may extend timeline beyond contract deadline.

Round Transition Narrative

After Round 1 → Round 2:

The team’s initial response determines whether the manufacturing facility faces immediate contract cancellation (shutdown approach) or continued worm propagation (selective/partial approach). Either way, the situation escalates when Safety Coordinator Diana Park reveals that worker safety monitoring systems - including emergency shutdown controls and hazardous material detection - have been accessed by infected USB drives. This transforms the incident from a production security problem to a worker safety crisis requiring absolute prioritization. Additionally, external ICS analysis reveals Raspberry Robin’s command-and-control capabilities, indicating the USB worm could be initial access for follow-on attacks targeting industrial control systems. The aerospace customer demands quality certification that malware hasn’t compromised manufacturing data or production integrity. The team must now balance worker safety (non-negotiable), production continuity ($25M contract), industrial security (air-gapped network protection), and quality assurance (aerospace certification requirements) simultaneously under extreme time pressure.

Debrief Focus:

  • Recognition of USB-based propagation in air-gapped industrial environments
  • Worker safety absolute priority in manufacturing security incidents
  • Balance between production deadlines and comprehensive security response
  • Air-gapped network security challenges and USB vector limitations
  • Industrial control system security and manufacturing cybersecurity maturity

Full Game Materials (120-140 min, 3 rounds)

Round 1: Initial Discovery & Manufacturing Impact (35-40 min)

Opening Scenario:

It’s Tuesday morning at Precision Manufacturing Corp, and the production floor is humming with activity at maximum capacity. The $25M aerospace contract due Friday requires every production line operating at peak efficiency. Senior Technician Carlos Rodriguez is performing routine equipment updates using USB drives - the standard procedure for transferring data between air-gapped production control systems.

“Something’s wrong with the USB drives,” Carlos radios to the maintenance team. “Every system I plug into is creating these files that look like folders - ‘Equipment_Updates’, ‘Production_Data’, ‘Quality_Control’ - but when I click them, nothing happens. And afterward, the systems are running slower.”

Operations Manager Janet Williams overhears the radio call and immediately calls the IT department. “We can’t afford any production disruptions. The aerospace contract has $500K per-day late penalties. What’s happening?”

As the investigation team assembles, reports come in from multiple production lines across the 850-employee facility: USB drives are automatically creating suspicious files, and the infection is spreading through the very maintenance procedures designed to keep production running.

Team Action: Each player takes 2 actions to investigate the incident using their role’s capabilities. The IM should track what the team discovers based on their investigation choices.

Investigation Discoveries (based on role and approach):

Detective-focused investigations:

  • USB drive forensics reveal Raspberry Robin worm creating malicious LNK files disguised as legitimate manufacturing data folders
  • Malware propagates automatically when USB drives are inserted - requires no user interaction beyond normal maintenance procedures
  • Timeline analysis indicates initial infection likely introduced by external maintenance contractor 5-7 days ago
  • Memory forensics show worm attempts to establish persistence and external connectivity from infected systems
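As an added example that is not part of the scenario materials, the following Python triage script shows how a Detective-role player or technician could check a mounted maintenance USB for the "folder that is really a shortcut" pattern described in Clue 1 and in the USB forensics finding above: it identifies shell links by their header bytes rather than by filename (Explorer always hides the .lnk extension, so the name alone is misleading), and flags links with a missing or misleading extension or a name that collides with a sibling, often hidden, directory. The sample volume layout and file names are constructed for the demo; the script only reads the first 20 bytes of each file and never resolves or follows link targets.

```python
"""Triage the root of a removable volume for LNK files posing as folders."""
from __future__ import annotations

import tempfile
from dataclasses import dataclass
from pathlib import Path

# Shell Link header: HeaderSize 0x0000004C followed by the Shell Link CLSID
# {00021401-0000-0000-C000-000000000046}, both stored little-endian.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")
FILE_ATTRIBUTE_HIDDEN = 0x02  # Windows attribute bit; absent from POSIX stat results


@dataclass(frozen=True)
class Finding:
    path: str
    severity: str  # "high" = masquerade indicators present, "review" = plain shell link
    reason: str


def is_shell_link(head: bytes) -> bool:
    """True when the first 20 bytes are a Shell Link header, whatever the filename says."""
    return head[:20] == LNK_MAGIC


def is_hidden(p: Path) -> bool:
    """Hidden via the Windows attribute bit, or a dot-name on POSIX mounts."""
    win_hidden = getattr(p.stat(), "st_file_attributes", 0) & FILE_ATTRIBUTE_HIDDEN
    return bool(win_hidden) or p.name.startswith(".")


def scan_removable_root(root: Path) -> list[Finding]:
    """Inspect the top level of a volume (where autorun-style lures are placed)."""
    entries = list(root.iterdir())
    dir_by_name = {e.name.lower(): e for e in entries if e.is_dir()}
    findings: list[Finding] = []
    for entry in entries:
        if not entry.is_file():
            continue
        with entry.open("rb") as fh:
            head = fh.read(20)
        if not is_shell_link(head):
            continue
        reasons = []
        if entry.suffix.lower() != ".lnk":
            reasons.append("shell link with missing or misleading extension")
        # A link named after a real directory is the classic "folder" lure.
        twin = next((dir_by_name[n] for n in (entry.stem.lower(), entry.name.lower())
                     if n in dir_by_name), None)
        if twin is not None:
            hidden = " (hidden)" if is_hidden(twin) else ""
            reasons.append(f"named after sibling directory {twin.name}{hidden}")
        if reasons:
            findings.append(Finding(str(entry), "high", "; ".join(reasons)))
        else:
            findings.append(Finding(str(entry), "review", "shell link at volume root"))
    return findings


def build_sample_volume(base: Path) -> Path:
    """Constructed sample (not real malware): the layout Carlos describes."""
    root = base / "USB_MAINT"
    root.mkdir()
    (root / "Equipment_Data").mkdir()                       # real folder ...
    (root / "Equipment_Data.lnk").write_bytes(LNK_MAGIC + b"\x00" * 56)  # ... and its lookalike
    (root / "Production_Updates").write_bytes(LNK_MAGIC + b"\x00" * 56)  # link with no extension
    (root / "calibration_2024.csv").write_text("sensor,offset\nA1,0.002\n")  # benign
    (root / "Quality_Control").mkdir()                      # benign folder, no twin link
    (root / "Vendor Portal.lnk").write_bytes(LNK_MAGIC + b"\x00" * 56)  # honest shortcut
    return root


def demo() -> dict[str, str]:
    """Build the constructed volume, scan it, and return {filename: severity}."""
    with tempfile.TemporaryDirectory() as tmp:
        findings = scan_removable_root(build_sample_volume(Path(tmp)))
        return {Path(f.path).name: f.severity for f in findings}


if __name__ == "__main__":
    for name, sev in sorted(demo().items()):
        print(f"{sev:6} {name}")
```

Against a real drive, call `scan_removable_root(Path("E:/"))` (or the POSIX mount point) from a dedicated scanning station, not from a production controller.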

Protector-focused investigations:

  • Manufacturing network architecture deliberately uses air-gapped isolation for production control systems
  • USB drives are the intentional and necessary bridge between isolated industrial networks for maintenance
  • Traditional network security controls (firewalls, IDS, web gateways) don’t protect against USB propagation
  • Industrial control systems often run legacy embedded operating systems with limited security controls

Tracker-focused investigations:

  • USB propagation mapping shows worm spreading through maintenance workflows across all production lines
  • Manufacturing maintenance procedures require 150+ USB insertions daily across facility
  • Network monitoring detects attempted external connections from infected systems (blocked by air-gap but malware is trying)
  • Evidence of USB drives moving between production control systems and administrative networks creating cross-contamination

Communicator-focused investigations:

  • Maintenance technician interviews reveal USB drives shared across departments - “We have 10 USB drives for 80 production machines”
  • Production management expresses extreme concern about any delays affecting aerospace contract deliverables
  • Worker safety coordinator notes same USB procedures used for safety system maintenance and updates
  • Quality engineering reports USB drives used to transfer production data for aerospace certification and customer reporting

Key NPCs and Interactions:

Janet Williams (Operations Manager):

  • Responsible for meeting aerospace contract delivery deadline worth $25M in revenue
  • Under pressure from executive leadership to maintain production schedule at all costs
  • Balancing security response with manufacturing operational requirements
  • Perspective: “I understand cybersecurity is important, but we have 72 hours to deliver aerospace-grade precision parts. Every hour of downtime is $20,000 in late penalties. Tell me how we protect production while fixing this.”

Carlos Rodriguez (Senior Technician):

  • 20 years manufacturing maintenance experience but limited cybersecurity knowledge
  • Discovering that routine USB procedures are spreading malware across air-gapped networks
  • Frustrated by security measures that might interfere with proven maintenance workflows
  • Reality check: “You want to disable USB? How am I supposed to update CNC machines, calibrate quality sensors, and transfer production data? These systems can’t be networked - USB is the only option per aerospace security requirements.”

Diana Park (Safety Coordinator):

  • Responsible for worker safety systems protecting 850 employees across production floors
  • Concerned about malware affecting emergency shutdown controls and hazardous material monitoring
  • Must ensure regulatory compliance with OSHA and manufacturing safety standards
  • Pressure point: “If worker safety systems are compromised, I’m required to halt operations until we verify employee protection. We’re talking about heavy machinery, hazardous chemicals, and high-temperature processes. Lives are at stake.”

Mark Thompson (Quality Engineer):

  • Manages aerospace quality certification and customer compliance
  • Concerned about malware affecting production data integrity and quality control systems
  • Must provide assurance to aerospace customer that manufacturing meets specifications
  • Conflict point: “The aerospace customer requires certification that every component meets exact specifications with full production traceability. If malware has infected our quality control systems or production data, we can’t certify anything. The entire contract could be invalidated.”

Round 1 Pressure Events:

These occur during the 35-40 minute investigation period, building tension:

  • 15 minutes in: Production line 3 experiences unexpected shutdown after USB calibration procedure. Janet needs immediate restart to maintain schedule. “We just lost 2 hours of production on our most critical aerospace components.”
  • 25 minutes in: Diana discovers infected USB drives have accessed worker safety monitoring systems. “Emergency shutdown controls, hazardous gas detection, personnel safety equipment - all potentially compromised through the same USB maintenance procedures.”
  • 30 minutes in: Aerospace customer calls requesting production status update. “We need delivery confirmation by EOD today or we’re evaluating alternative suppliers. This is a make-or-break contract for your facility.”

Round 1 Conclusion:

After investigations, the team should understand they’re facing USB worm propagation through essential manufacturing maintenance workflows, affecting air-gapped production control systems and worker safety equipment, during critical aerospace contract deadline. Janet asks: “Based on what you’ve discovered, what’s your response strategy that maintains production safety and delivery commitments while addressing this security threat?”


Round 2: Response Strategy & Worker Safety Priority (35-40 min)

Situation Development:

The team’s initial response strategy meets the harsh reality of manufacturing operations. If they chose production shutdown, the aerospace customer is threatening contract cancellation. If they implemented selective isolation, USB worm propagation continues through maintenance procedures. If they focused on monitoring, worker safety systems remain questionable.

More critically, external ICS security analysis reveals Raspberry Robin’s capabilities extend beyond simple USB propagation.

Opening:

External threat intelligence from ICS-CERT: Raspberry Robin infections in manufacturing environments have led to follow-on attacks including ransomware (Conti, LockBit) and OT-specific malware (Pipedream framework) in multiple industrial facilities over the past year. “The USB worm is initial access for sophisticated industrial attacks. Your air-gapped production networks are now potentially accessible to threat actors despite network isolation.”

Simultaneously, Diana Park completes comprehensive worker safety system assessment: infected USB drives have accessed emergency shutdown systems, hazardous material detection sensors, personnel safety equipment controls, and high-temperature process monitors across 8 production areas. “Under OSHA regulations and our insurance policy, I cannot certify worker safety with compromised monitoring systems. We may be legally required to halt operations.”

Mark Thompson reports quality control system analysis: “Infected USB drives accessed production data logs, quality measurement systems, and aerospace certification records for the past 2 weeks of manufacturing. The customer will require independent verification that malware hasn’t compromised component quality or falsified compliance data. This could invalidate everything we’ve produced recently.”

Team Action: Each player takes 2 actions to develop comprehensive response strategy, considering:

  • Worker safety system verification and regulatory compliance
  • Production continuity and aerospace contract delivery
  • Air-gapped industrial network security and USB malware containment
  • Quality assurance and customer certification requirements

Response Options and Consequences:

Comprehensive Manufacturing Shutdown & Security Restoration:

  • Implementation: Complete production halt across all lines, systematic USB worm removal from every industrial system, independent third-party verification of worker safety systems, aerospace quality re-certification for all recent production, implement enterprise USB security architecture
  • Immediate Effects: Immediate aerospace contract cancellation due to delivery failure, $25M revenue loss plus $3M late penalties, likely layoffs of 200-300 manufacturing workers, 2-3 week facility-wide remediation timeline
  • Outcome: Absolute certainty of USB malware elimination and worker safety system integrity, demonstrates unwavering commitment to manufacturing security and personnel protection, provides foundation for long-term industrial cybersecurity program
  • Learning: Shows maximum security prioritization approach and resulting business consequences, value of comprehensive industrial security restoration, importance of planning for complete operational disruption scenarios

Emergency Parallel Operations & Compressed Response:

  • Implementation: 72-hour maximum-effort USB remediation sprint, segregate verified-clean production equipment for aerospace contract completion, parallel worker safety system verification with temporary manual monitoring backup, implement real-time USB scanning and intensive monitoring protocols
  • Immediate Effects: Requires 24/7 operations from all teams, compressed timeline increases risk of incomplete remediation, extraordinary coordination complexity across production and security teams, significant overtime costs
  • Outcome: Possible (but not guaranteed) aerospace contract rescue, worker safety maintained through intensive monitoring and backup procedures, partial USB worm containment with ongoing risks
  • Learning: Demonstrates extreme time-pressure response and associated risks, shows tradeoffs between compressed remediation and thoroughness, importance of worker safety backup procedures

Worker Safety First with Production Sacrifice:

  • Implementation: Absolute priority to worker safety system verification and remediation regardless of production impact, establish definitive safety certification before any operations resume, accept aerospace contract loss if necessary to ensure employee protection, implement rigorous USB controls
  • Immediate Effects: Aerospace contract likely lost during extended safety verification, significant revenue impact and potential layoffs, but zero worker safety risk, demonstrates organizational values prioritizing personnel over profits
  • Outcome: Worker safety systems independently verified and certified, organizational commitment to employee protection established, industrial security program built on strong foundation, customer relationships may improve long-term based on values demonstration
  • Learning: Shows absolute safety prioritization in manufacturing environment, demonstrates organizational value framework under crisis, long-term trust building through difficult choices

ICS Security Vendor Partnership with Customer Communication:

  • Implementation: Engage specialized industrial security firm for air-gapped network expertise, coordinate with equipment vendors for USB security guidance specific to manufacturing equipment, maintain transparent communication with aerospace customer about incident response, request deadline accommodation
  • Immediate Effects: Leverages industrial control system expertise improving response quality, vendor partnerships may accelerate remediation, customer communication demonstrates professionalism, external costs $150K+ for specialized ICS security
  • Outcome: Higher-quality remediation through sector expertise, potential customer accommodation based on transparent communication, improved long-term industrial security posture, demonstrates mature incident response approach
  • Learning: Shows value of specialized ICS security capabilities, importance of customer relationship management during incidents, benefits of vendor ecosystems in industrial cybersecurity

Phased Production Recovery with Safety Zones:

  • Implementation: Divide facility into safety-verified and under-remediation zones, establish verified-clean production areas with strict USB protocols for aerospace work, conduct rolling remediation across remaining facility, implement graduated production restoration
  • Immediate Effects: Enables partial aerospace contract fulfillment (reduced scope negotiation with customer), maintains some production capacity minimizing layoffs, extends overall remediation timeline but enables revenue generation
  • Outcome: Partial contract fulfillment with customer relationship preservation, graduated approach to USB worm elimination and safety verification, demonstrates sophisticated manufacturing risk management
  • Learning: Shows phased recovery approach in industrial environments, benefits of zone-based safety and security management, customer relationship flexibility in crisis situations

Round 2 Pressure Events:

Building tension during response implementation:

  • 15 minutes in: Equipment vendor reports USB remediation on CNC machines requires full recalibration taking 6-8 hours per unit. “We can’t just clean the malware - aerospace manufacturing requires recertification after any control system changes.”
  • 25 minutes in: ICS-CERT shares intelligence that facility in similar industry experienced Ekans ransomware 6 weeks after Raspberry Robin infection. “Your window to prevent follow-on attack is limited. USB worm is just the initial access phase.”
  • 30 minutes in: Aerospace customer executive calls: “We’re willing to discuss limited deadline extension if you can demonstrate comprehensive security response and quality assurance. But we need details today.” Potential contract rescue opportunity with right communication.
  • 35 minutes in: Worker safety incident (near-miss): Infected safety system failed to alert personnel of temperature spike in heat treatment process. No injuries, but Diana escalates urgency. “We got lucky this time. Next incident could be fatal.”

Round 2 Conclusion:

Regardless of chosen approach, the team is managing complex intersecting challenges: worker safety (regulatory and moral obligation), production continuity ($25M contract and 300 jobs), industrial security (air-gapped network USB propagation), quality assurance (aerospace certification), and regulatory compliance (OSHA, insurance). The incident has evolved from USB malware to comprehensive manufacturing crisis requiring integration of safety, security, operations, quality, and customer relationship management. Janet states: “I need your recommendations. 850 employees are depending on us to make the right call for their safety and their jobs.”


Round 3: Resolution & Industrial Security Lessons (35-40 min)

Final Situation:

One week after initial discovery, the USB worm response is reaching resolution. Depending on the team’s Round 2 response strategy:

If comprehensive shutdown: All production and safety systems have been cleaned of Raspberry Robin infection. Independent third-party verification confirms worker safety system integrity. USB security controls implemented across manufacturing environment. No follow-on attacks occurred.

However, aerospace contract was lost ($25M revenue), late penalties imposed ($3M), and 250 manufacturing workers laid off due to revenue impact. Facility reputation as reliable supplier damaged. The thoroughness ensured security but at maximum business cost. Leadership questions whether less disruptive approach could have balanced security and business survival.

If emergency parallel operations: 72-hour sprint resulted in partial aerospace contract fulfillment (60% of components delivered). Customer accepted reduced scope given transparent communication. Worker safety systems verified through intensive backup monitoring. Some USB infections remain in non-critical systems requiring extended remediation.

The heroic effort saved 200 jobs and preserved customer relationship but exhausted teams and left gaps in security. Follow-on attack risk remains in areas with incomplete remediation. Demonstrated agility but highlighted risks of compressed response timelines.

If worker safety first: Worker safety systems comprehensively verified and certified by independent assessors. Absolute certainty of employee protection maintained throughout incident. Aerospace contract lost but customer expressed respect for safety-first approach.

Revenue impact significant ($25M + penalties) with 200 layoffs, but organizational values clearly demonstrated. Worker morale improved seeing management prioritize safety over profits. Long-term customer relationships strengthened by values alignment. Facility position as safety-leader in industry enhanced.

If ICS vendor partnership: Specialized industrial security firm accelerated remediation by 50% through air-gapped network expertise. Equipment vendor collaboration provided manufacturing-specific USB security guidance. Customer accommodation secured through transparent communication ($25M contract fulfilled with 2-week extension).

External expertise costs $150K but preserved revenue and jobs. Facility now has strong ICS security partnerships for future challenges. Demonstrated mature incident response approach. Some executive concern about internal capability gaps revealed by vendor reliance.

If phased recovery: Safety-verified production zones enabled partial aerospace contract fulfillment (75% of components). Customer negotiated reduced scope maintaining $18M revenue (72% of original). Worker safety protected through zone-based approach. Rolling remediation continues across facility with 4-week total timeline.

Balanced approach prevented worst-case outcomes while accepting partial business impact. Some workers temporarily reassigned or laid off (50). Demonstrated sophisticated risk management and customer relationship skills. Extended remediation timeline keeps some systems vulnerable but enables continued operations.

Team Action - Part 1: Incident Closure (15-20 min):

Each player takes 1-2 actions to:

  • Complete any remaining technical remediation or system verification
  • Finalize worker safety certification and regulatory reporting
  • Document lessons learned for industrial security improvement
  • Present recommendations to executive leadership for manufacturing USB security architecture

Team Action - Part 2: Industrial Security Learning (15-20 min):

The IM facilitates group discussion on manufacturing cybersecurity lessons:

Facilitation Questions:

  1. “What makes industrial cybersecurity different from enterprise IT security?”
    • Guide toward: Worker safety primacy, operational technology constraints, air-gapped network limitations, production continuity requirements, equipment vendor dependencies
  2. “How do USB-based threats challenge air-gapped industrial networks?”
    • Guide toward: Physical media bypassing network controls, legitimate maintenance workflows as attack vectors, difficulty of USB monitoring in OT environments, balance between isolation and operational necessities
  3. “What role does worker safety play in manufacturing cybersecurity decisions?”
    • Guide toward: Regulatory obligations (OSHA), moral imperatives, safety system verification requirements, life-safety vs production trade-offs, insurance and liability considerations
  4. “How should manufacturing organizations balance security and production deadlines?”
    • Guide toward: Risk-based prioritization frameworks, customer communication and relationship management, phased response approaches, executive decision-making with incomplete information
  5. “What partnerships and external resources are valuable for industrial security?”
    • Guide toward: ICS-CERT threat intelligence, specialized industrial security vendors, equipment manufacturers security guidance, customer collaboration, insurance and regulatory agencies
  6. “How have USB threats evolved in industrial environments, and what does the future look like?”
    • Guide toward: USB as initial access for OT-specific attacks, supply chain USB compromise, BadUSB and firmware attacks, zero-trust approaches to removable media in manufacturing

Victory Conditions Assessment:

Technical Success:

Business Success:

Learning Success:

Final Debrief Topics:

Manufacturing Security Challenges:

  • Worker safety must be absolute priority in all industrial cybersecurity decisions
  • Air-gapped networks provide network isolation but create USB dependency for maintenance
  • Production deadlines create intense pressure on security response timelines and approaches
  • Equipment vendor relationships critical for security guidance specific to industrial systems

USB Threat Landscape in Manufacturing:

  • Raspberry Robin demonstrates USB worm evolution to initial access vector for industrial targets
  • Air-gap bypass through physical media represents fundamental challenge for OT security
  • Legitimate maintenance workflows create unavoidable USB usage difficult to restrict
  • Supply chain and contractor USB introduces risks beyond organizational control

Industrial Incident Response:

  • Requires integration of safety, security, operations, quality, and business considerations
  • Worker safety verification cannot be compromised for production or financial pressures
  • Customer communication and relationship management critical during manufacturing incidents
  • External expertise (ICS security vendors, equipment manufacturers) provides valuable specialized capabilities

Organizational Values and Decision-Making:

  • Crisis incidents reveal organizational value priorities (safety vs production vs profit)
  • Leadership decisions under uncertainty with incomplete information and time pressure
  • Long-term reputation and trust built through demonstrated values alignment
  • Employee morale and organizational culture influenced by incident response choices

Future Considerations:

  • Zero-trust approaches to removable media in industrial environments
  • Supply chain security for equipment, contractors, and USB device provenance
  • OT-specific threat intelligence and manufacturing sector information sharing
  • Integration of IT and OT security programs while respecting operational differences

Round 3 Conclusion:

Janet addresses the team: “You’ve navigated the most difficult challenge in manufacturing management - protecting our workers while trying to save their jobs, maintaining production quality while securing our systems, and managing customer relationships during crisis. There are no perfect answers when worker safety, cybersecurity, and business survival all demand attention simultaneously. You’ve demonstrated the thoughtful, values-driven approach we need in industrial incident response. Our workers and our customers deserve nothing less.”


Advanced Challenge Materials (150-170 min, 3 rounds)

Additional Complexity Layers

For experienced teams seeking maximum challenge, add these complexity elements:

1. Industrial Control System Technical Complexity

OT-Specific Constraints:

  • Production control systems run proprietary SCADA software that cannot be updated without vendor support (12-week lead time)
  • CNC machines use Windows XP embedded systems that cannot be upgraded or patched
  • Equipment vendor maintenance contracts require specific USB procedures that cannot be modified
  • Industrial protocols (Modbus, OPC, PROFINET) have no built-in security controls

Implementation: Introduce realistic ICS technical limitations where standard cybersecurity practices conflict with industrial operational requirements. Make players navigate equipment vendor dependencies, legacy system constraints, and OT protocol security gaps. Security response must work within industrial technology framework, not against it.

2. Worker Safety Critical Incidents

Real-Time Safety Impact:

  • During Round 1: Infected hazardous gas detection system fails to alert workers of chemical leak - emergency evacuation required
  • During Round 2: Heat treatment process safety monitor malfunction nearly results in equipment fire due to malware corruption
  • During Round 3: Emergency shutdown system delay (malware-related) creates near-miss incident with heavy machinery

Regulatory Consequences:

  • OSHA investigation triggered by reportable safety incident during cybersecurity event
  • Workers’ compensation insurance questions coverage due to cybersecurity-related safety failures
  • Union representatives demand facility shutdown until absolute safety certification provided

Implementation: Introduce 1-2 actual worker safety incidents (not hypothetical risks) during the scenario. Make players balance security remediation with immediate life-safety response and regulatory investigations. Create tension between comprehensive security restoration and urgent safety certification requirements.

3. Aerospace Customer Relationship Complexity

Contract Pressures:

  • Customer threatens immediate contract cancellation with 24-hour notice if production delays continue
  • Quality certification auditor (customer-hired) arrives mid-incident demanding access to infected production systems
  • Competitor offering to fulfill contract at premium price if facility cannot meet deadline
  • Contract includes liquidated damages clause: $500K per day late penalties escalating to $1M after first week

Customer Communications:

  • Customer executive demands hourly status updates during incident response consuming management time
  • Quality requirements prohibit delivery of any components manufactured during malware infection period (potentially invalidating 2 weeks of production)
  • Customer security team requests detailed incident information creating disclosure and IP concerns
  • Long-term supplier relationship (15 years, $200M cumulative) at risk based on incident response performance

Implementation: Make aerospace customer relationship genuinely at risk with specific contractual consequences and competing pressures. Introduce customer demands that conflict with security response priorities. Create communication challenges requiring executive stakeholder management skills beyond technical security knowledge.

4. Manufacturing Workforce and Union Dynamics

Worker Concerns:

  • Production workers fear job loss if contract is cancelled - pressure management to prioritize production over security
  • Union representatives question if management caused incident through inadequate cybersecurity investment
  • Manufacturing technicians resist USB restrictions that make their jobs harder: “We’ve done it this way for 20 years safely”
  • Safety committee demands independent verification (not company-hired) of all worker protection systems

Organizational Politics:

  • Manufacturing floor leadership and IT security have historically poor relationship and mutual distrust
  • Executive team divided on priorities: CFO prioritizes contract/revenue, COO prioritizes worker safety, CEO facing board pressure
  • Some managers blame cybersecurity team for “causing” production disruption through security requirements
  • Union threatens work stoppage if workers forced to use infected safety equipment

Implementation: Introduce 2-3 explicit conflicts between different stakeholder groups with competing priorities. Make players navigate workforce concerns, union dynamics, inter-departmental tensions, and executive politics. Success requires understanding manufacturing culture and building trust across organizational silos.

5. Resource Constraints & Manufacturing Economics

Financial Pressures:

  • Facility operates on thin margins in competitive aerospace supply market
  • Incident response costs (ICS security vendors $150K, equipment recertification $200K, overtime $100K) threaten quarterly profitability
  • CFO questions cybersecurity spending: “We’re manufacturers, not tech companies. Why didn’t existing security prevent this?”
  • Contract loss could trigger facility closure decision by parent company affecting 850 jobs and community

Operational Constraints:

  • Manufacturing has only 3 IT staff (2 positions vacant due to budget cuts) - external contractors required for incident response
  • Equipment downtime during remediation costs $20K per hour in lost production across all product lines
  • Some response options require production equipment moves or facility modifications costing $500K+
  • Insurance may not cover business interruption losses during cybersecurity incidents

Implementation: Enforce realistic manufacturing budget and resource constraints. Make players explicitly justify security spending against worker salaries and operational needs. Create tension between comprehensive security response and business economic survival. Require creative resource utilization and priority-based allocation. No option is “unlimited budget” - all responses have financial consequences affecting workers.

6. Multi-Site Manufacturing Operations

Distributed Complexity:

  • Precision Manufacturing operates 3 facilities: main plant (600 workers), satellite plant (200 workers), R&D facility (50 engineers)
  • Each facility shares USB drives and maintenance technicians creating cross-site contamination risks
  • Equipment and workers move between facilities based on production demands
  • Corporate IT has limited visibility into facility-level industrial control systems
  • Remote facility has different equipment vendors, industrial systems, and operational constraints

Implementation: Expand scenario beyond single facility to multi-site manufacturing operations. Introduce coordination challenges across facilities, resource sharing creating propagation vectors, and distributed decision-making authority. Make players manage enterprise manufacturing incident response with varying local conditions and capabilities.

7. Supply Chain and Contractor Involvement

External Attack Vector:

  • Initial infection traced to maintenance contractor’s USB drive used during equipment service
  • Contractor company has inadequate cybersecurity practices but holds exclusive service contracts for critical equipment
  • Equipment vendors refuse to support remediation without expensive service agreements
  • Supply chain customers (aircraft manufacturers) demanding assurance that parts aren’t compromised

Downstream Impact:

  • Delivered components may have been manufactured with infected quality control systems
  • Aircraft manufacturers threaten to quarantine and re-inspect all recent deliveries at facility’s cost ($2M+)
  • Other aerospace suppliers in facility’s network may be contaminated through shared contractors
  • Industry reputation at risk if facility identified as source of supply chain USB malware

Implementation: Add supply chain complexity showing manufacturing facilities as nodes in larger ecosystem. Introduce contractor and vendor dependencies creating security gaps beyond direct control. Make players consider downstream customers and supply chain partners affected by incident. Demonstrate industrial cybersecurity as multi-party challenge.


Advanced Challenge Round Structure

Round 1: Discovery Under Industrial Constraints (45-50 min)

Players must investigate Raspberry Robin with:

  • Industrial control system technical limitations constraining investigation methods
  • Worker safety incident during investigation requiring immediate emergency response
  • Aerospace customer pressure demanding production status updates and timeline certainty
  • Union and workforce concerns about job security and safety system integrity

Success requires: Balancing technical investigation with worker safety emergencies, navigating industrial technology constraints, managing customer and workforce stakeholder pressures, making progress despite OT system access limitations and vendor dependencies.

Round 2: Response Under Manufacturing Complexity (45-50 min)

Players must develop response strategy while managing:

  • Equipment vendor dependencies limiting remediation options and extending timelines
  • Active worker safety incidents due to malware-corrupted monitoring and control systems
  • Aerospace customer relationship at risk with specific contractual penalties and competitive pressures
  • Union and workforce dynamics creating organizational tensions and resistance
  • Budget constraints requiring justification of security spending against manufacturing operations and worker salaries

Success requires: Industrial-appropriate response balancing worker safety, production continuity, customer relationships, and security objectives. Stakeholder management across workforce, customer, vendor, regulatory, and executive domains. Creative problem-solving within OT technology and manufacturing economic constraints.

Round 3: Resolution Under Manufacturing Scrutiny (45-50 min)

Players must complete incident response while handling:

  • OSHA investigation of worker safety incidents during cybersecurity event
  • Aerospace customer quality auditing and potential retroactive product quarantine
  • Union negotiations and workforce trust rebuilding
  • Long-term industrial security program development within budget and operational constraints
  • Supply chain downstream impact and industry reputation management

Success requires: Closure of complex manufacturing incident addressing safety, security, operational, customer, regulatory, and organizational dimensions. Strategic thinking about industrial cybersecurity program evolution. Learning extraction about manufacturing-specific security challenges and OT-IT integration.


Advanced Challenge Debriefing

Focus Areas:

1. Worker Safety Absolute Priority:

  • How did the team maintain worker safety as non-negotiable priority throughout incident?
  • What frameworks guided decisions when safety verification conflicted with production or security timelines?
  • Were they able to resist pressure to compromise safety for business or customer demands?
  • How did they communicate safety priorities to stakeholders with competing interests?

2. Industrial Control System Complexity:

  • How effectively did the team work within OT technology constraints and vendor dependencies?
  • What creative approaches did they develop for ICS security given industrial system limitations?
  • Were they able to engage equipment vendors and manufacturing technicians as partners rather than obstacles?
  • How did they balance security best practices with operational technology realities?

3. Manufacturing Stakeholder Management:

  • How well did the team navigate customer, workforce, union, vendor, and regulatory stakeholder demands?
  • What communication strategies worked for building trust across diverse manufacturing stakeholders?
  • Were they able to translate security concerns into safety/quality/operational language that resonated with manufacturing culture?
  • How did they manage executive leadership, customer executives, and union representatives with conflicting priorities?

4. Production Continuity and Business Survival:

  • How did the team approach critical business decisions under uncertainty and time pressure?
  • What decision-making frameworks balanced security thoroughness with business economic survival?
  • Were they able to acknowledge and articulate difficult tradeoffs explicitly to stakeholders?
  • How did they manage customer relationships during crisis while maintaining professional incident response?

5. Industrial Incident Response Maturity:

  • What specific capabilities or approaches are unique to manufacturing cybersecurity?
  • How should industrial organizations structure security programs given OT operational primacy?
  • What role should manufacturing technicians and production staff play in industrial cybersecurity?
  • How can manufacturing facilities build security resilience within budget, technology, and operational constraints?

Victory Conditions (Advanced Challenge):