Raspberry Robin Scenario: Manufacturing Floor
Industrial Removable-Media Outbreak • RaspberryRobin
STAKES
Production integrity + Worker safety + OT reliability + Delivery continuity
HOOK
Maintenance crews report removable media creating unexpected shortcut files on engineering stations, unusual process execution on production-support hosts, and unexplained activity crossing segmented floor networks. Security telemetry confirms recurring outbound sessions from OT-adjacent systems while endpoint scans remain inconsistent.
PRESSURE
- Decision deadline: Thursday 17:00
- Contract context: Automotive just-in-time delivery commitments
- Operating scale: Manufacturer with 600 employees producing automotive components on Industrie 4.0 lines
FRONT • 120 minutes • Intermediate
NPCs
- Thomas Muller (Plant Manager): Owns delivery and safety decisions under uncertainty
- Sabine Schneider (IT Director): Leads containment and engineering-host triage
- Andreas Weber (OT Engineer): Validates floor-network and control-system behavior
- Klaus Fischer (Quality Lead): Verifies production integrity and release eligibility
SECRETS
- Removable-media workflows remained embedded in update procedures across segmented floor systems
- Access controls around engineering support stations exceeded least-privilege intent
- Covert activity prioritized quality and calibration artifacts before visible production interruption
Raspberry Robin Scenario: Manufacturing Floor
Industrial Removable-Media Outbreak • RaspberryRobin
STAKES
Production integrity + Worker safety + OT reliability + Delivery continuity
HOOK
Maintenance crews report removable media creating unexpected shortcut files on engineering stations, unusual process execution on production-support hosts, and unexplained activity crossing segmented floor networks. Security telemetry confirms recurring outbound sessions from OT-adjacent systems while endpoint scans remain inconsistent.
PRESSURE
- Decision deadline: Thursday 17:00
- Contract context: Aerospace component delivery commitments
- Operating scale: Manufacturer with 450 employees producing aerospace components with OT and SCADA integration
FRONT • 120 minutes • Intermediate
NPCs
- Thierry Dupont (Plant Manager): Owns delivery and safety decisions under uncertainty
- Nathalie Petit (IT Director): Leads containment and engineering-host triage
- Sebastien Martin (OT Engineer): Validates floor-network and control-system behavior
- Isabelle Mercier (Quality Lead): Verifies production integrity and release eligibility
SECRETS
- Removable-media workflows remained embedded in update procedures across segmented floor systems
- Access controls around engineering support stations exceeded least-privilege intent
- Covert activity prioritized quality and calibration artifacts before visible production interruption
Planning Resources
For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:
Raspberry Robin Manufacturing Floor Planning Document
Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.
Scenario Details for IMs
Hook
“It is Tuesday at 06:45 at Rheinische Maschinenbau AG. Early-shift maintenance teams using removable media for equipment updates report suspicious shortcut file creation, unexplained process activity on floor-support hosts, and anomalies spreading between segmented production zones. Security staff detect repeated outbound sessions from OT-adjacent systems while line supervisors prepare critical deliveries. Leadership must contain the incident without compromising worker safety or delivery commitments.”
“Initial shift alert logged at 06:45. Regional context: Germany.”
“It is Tuesday at 06:45 at Atelier Metallurgique de Lyon. Early-shift maintenance teams using removable media for equipment updates report suspicious shortcut file creation, unexplained process activity on floor-support hosts, and anomalies spreading between segmented production zones. Security staff detect repeated outbound sessions from OT-adjacent systems while line supervisors prepare critical deliveries. Leadership must contain the incident without compromising worker safety or delivery commitments.”
“Initial shift alert logged at 06:45. Regional context: France.”
Initial Symptoms to Present:
- “Removable media creates suspicious shortcut files on maintenance stations”
- “Engineering-support hosts show unexplained process launches after update procedures”
- “Segmented production zones show cross-zone anomalies despite normal controls”
- “OT-adjacent systems emit recurring encrypted outbound traffic”
Key Discovery Paths:
Detective Investigation Leads:
- Timeline analysis links propagation to routine removable-media maintenance actions
- Access traces indicate focus on quality and calibration record repositories
- Host artifacts suggest sustained reconnaissance before overt disruption
Protector System Analysis:
- Endpoint triage confirms propagation indicators across floor-support systems
- Control-boundary review finds overtrusted update paths in segmented environments
- Containment requires preserving evidence while reducing floor-level safety risk rapidly
Tracker Network Investigation:
- Beaconing and staged transfers indicate coordinated command infrastructure behavior
- Lateral traces follow maintenance and engineering pathways between segmented zones
- Telemetry profile matches industrial reconnaissance via trusted operational routines
Communicator Stakeholder Interviews:
- Production teams need clear guidance on safe continuation thresholds
- Quality teams require a defensible integrity-assurance strategy for outbound shipments
- Oversight and customer stakeholders require evidence-based status communication
Mid-Scenario Pressure Points:
- Hour 1: Floor supervisors report anomalies on high-priority production lines
- Hour 2: Quality teams cannot fully validate integrity of current calibration records
- Hour 3: Leadership must decide whether to pause or continue high-value output runs
- Hour 4: Contractual and safety risk rises as scope remains unresolved
Evolution Triggers:
- If removable-media controls lag, propagation continues through routine maintenance tasks
- If systems are reset too early, evidential confidence and compliance posture degrade
- If communication lags, customer trust and delivery resilience decline quickly
Resolution Pathways:
Technical Success Indicators:
- Propagation paths are removed and segmented floor systems return to trusted baselines
- Forensic timeline and quality evidence are preserved for oversight review
- Removable-media governance is hardened across maintenance workflows
Business Success Indicators:
- Delivery and safety decisions remain defensible under documented risk analysis
- Quality communication remains timely, accurate, and confidence-scoped
- Incident response preserves customer trust while maintaining worker protection priorities
Learning Success Indicators:
- Team recognizes removable-media propagation behavior in industrial environments
- Participants balance containment urgency with evidential-quality discipline
- Group coordinates production, quality, and cybersecurity decision-making under pressure
Common IM Facilitation Challenges:
If Teams Focus Only on IT Hosts:
“Which immediate controls reduce OT floor risk in the next hour while your investigation remains incomplete?”
If Teams Delay Oversight Coordination:
“BfDI-aligned oversight contacts and major customer auditors request incident status, evidential controls, and assurance that production and quality records remain reliable.”
“CNIL-aligned oversight contacts and major customer auditors request incident status, evidential controls, and assurance that production and quality records remain reliable.”
If Teams Ignore Production-Quality Linkage:
“What evidence threshold is required before releasing production output to customers?”
Success Metrics for Session:
Template Compatibility
This scenario adapts to multiple session formats with appropriate scope and timing:
Quick Demo (35-40 minutes)
Structure: 2 investigation rounds, 1 decision round
Focus: Detect removable-media propagation and apply immediate floor protections
Key Actions: Scope exposure, preserve evidence, and set initial quality-assurance posture
Lunch & Learn (75-90 minutes)
Structure: 4 investigation rounds, 2 decision rounds
Focus: Coordinate OT triage, production continuity, and oversight escalation
Key Actions: Validate integrity confidence, isolate high-risk workflows, align quality messaging
Full Game (120-140 minutes)
Structure: 6 investigation rounds, 3 decision rounds
Focus: End-to-end industrial removable-media response under delivery pressure
Key Actions: Balance operational continuity with defensible containment and compliance posture
Advanced Challenge (150-170 minutes)
Structure: 7-8 investigation rounds, 4 decision rounds
Expert Elements: Ambiguous OT evidence, multi-line quality risk, and authority coordination conflict
Additional Challenges: Compressed delivery timelines and contested production governance decisions
This German variation can be adapted to other EU countries during facilitation. EU members share GDPR breach obligations, but industrial agencies and reporting paths differ.
When localizing this manufacturing scenario, substitute the relevant institutions below:
| Country | Data protection authority | Cybersecurity agency | Labor / industrial authority | Industrial context |
|---|---|---|---|---|
| Denmark | Datatilsynet | CFCS | Danish Working Environment Authority | High digital-manufacturing integration |
| France | CNIL | ANSSI | DREAL / sector regulators | Strong aerospace and heavy-industry profile |
| Netherlands | Autoriteit Persoonsgegevens | NCSC-NL | Netherlands Labour Authority | Dense logistics and manufacturing corridors |
| Sweden | IMY | CERT-SE | Swedish Work Environment Authority | Advanced industrial automation footprint |
| Italy | Garante Privacy | ACN | INL and sector regulators | Diverse regional industrial clusters |
Notes:
- Federal vs centralized models: Reporting pathways vary by national governance structure.
- Sector obligations: OT incidents may trigger additional safety and labor reporting requirements.
- Facilitation: Keep technical flow consistent and localize only institutions, agency names, and legal framing.
This French variation can be adapted to other EU countries during facilitation. EU members share GDPR breach obligations, but industrial agencies and reporting paths differ.
When localizing this manufacturing scenario, substitute the relevant institutions below:
| Country | Data protection authority | Cybersecurity agency | Labor / industrial authority | Industrial context |
|---|---|---|---|---|
| Germany | BfDI | BSI | State labor and industrial authorities | Large Industrie 4.0 footprint |
| Denmark | Datatilsynet | CFCS | Danish Working Environment Authority | High digital-manufacturing integration |
| Netherlands | Autoriteit Persoonsgegevens | NCSC-NL | Netherlands Labour Authority | Dense logistics and manufacturing corridors |
| Sweden | IMY | CERT-SE | Swedish Work Environment Authority | Advanced industrial automation footprint |
| Italy | Garante Privacy | ACN | INL and sector regulators | Diverse regional industrial clusters |
Notes:
- Federal vs centralized models: Reporting pathways vary by national governance structure.
- Sector obligations: OT incidents may trigger additional safety and labor reporting requirements.
- Facilitation: Keep technical flow consistent and localize only institutions, agency names, and legal framing.
Quick Demo Materials (35-40 min)
Guided Investigation Clues
- Clue 1 (Minute 5): Security operations at Rheinische Maschinenbau AG confirms removable-media propagation across engineering support hosts.
- Clue 2 (Minute 10): Klaus Fischer confirms unexplained access to quality-control templates and calibration records tied to this week’s high-priority output runs.
- Clue 3 (Minute 15): Plant Manager Thomas Muller opens an emergency shift briefing and states that line stability is now uncertain. IT Director Sabine Schneider confirms suspicious process execution on engineering support hosts connected to removable-media workflows. OT Engineer Andreas Weber reports that maintenance update stations are showing propagation indicators across segmented floor zones. Quality Lead Klaus Fischer demands immediate validation that production outputs remain trustworthy.
- Clue 1 (Minute 5): Security operations at Atelier Metallurgique de Lyon confirms removable-media propagation across engineering support hosts.
- Clue 2 (Minute 10): Isabelle Mercier confirms unexplained access to quality-control templates and calibration records tied to this week’s high-priority output runs.
- Clue 3 (Minute 15): Plant Manager Thierry Dupont opens an emergency shift briefing and states that line stability is now uncertain. IT Director Nathalie Petit confirms suspicious process execution on engineering support hosts connected to removable-media workflows. OT Engineer Sebastien Martin reports that maintenance update stations are showing propagation indicators across segmented floor zones. Quality Lead Isabelle Mercier demands immediate validation that production outputs remain trustworthy.
Pre-Defined Response Options
Option A: Evidence-First Floor Containment
- Action: Isolate affected maintenance and engineering stations, preserve artifacts, and enforce staged line recovery with explicit safety checks.
- Pros: Maximizes evidence quality and long-term operational defensibility.
- Cons: Short-term throughput pressure and delivery uncertainty.
- Type Effectiveness: Super effective for durable industrial resilience.
Option B: Continuity-First Operations
- Action: Maintain broad production while applying targeted controls in high-risk workflows.
- Pros: Preserves near-term delivery continuity.
- Cons: Increases risk of continued propagation and quality uncertainty.
- Type Effectiveness: Partially effective with elevated safety risk.
Option C: Phased Integrity Restoration
- Action: Prioritize highest-risk zones and restore remaining workflows in controlled waves.
- Pros: Balances operational urgency with validation discipline.
- Cons: Extended uncertainty can strain customer confidence.
- Type Effectiveness: Moderately effective when governance remains strict.
Lunch & Learn Materials (75-90 min, 2 rounds)
Round 1: Floor-System Exposure (30-35 min)
- Opening: Plant Manager Thomas Muller opens an emergency shift briefing and states that line stability is now uncertain. IT Director Sabine Schneider confirms suspicious process execution on engineering support hosts connected to removable-media workflows. OT Engineer Andreas Weber reports that maintenance update stations are showing propagation indicators across segmented floor zones. Quality Lead Klaus Fischer demands immediate validation that production outputs remain trustworthy.
- Clue 1 (Minute 10): Endpoint telemetry indicates repeated propagation behavior tied to removable-media update routines.
- Clue 2 (Minute 20): Klaus Fischer confirms unexplained access to quality-control templates and calibration records tied to this week’s high-priority output runs.
- Opening: Plant Manager Thierry Dupont opens an emergency shift briefing and states that line stability is now uncertain. IT Director Nathalie Petit confirms suspicious process execution on engineering support hosts connected to removable-media workflows. OT Engineer Sebastien Martin reports that maintenance update stations are showing propagation indicators across segmented floor zones. Quality Lead Isabelle Mercier demands immediate validation that production outputs remain trustworthy.
- Clue 1 (Minute 10): Endpoint telemetry indicates repeated propagation behavior tied to removable-media update routines.
- Clue 2 (Minute 20): Isabelle Mercier confirms unexplained access to quality-control templates and calibration records tied to this week’s high-priority output runs.
Round 2: Oversight and Delivery Decisions (30-35 min)
- Clue 3 (Minute 35): BfDI-aligned oversight contacts and major customer auditors request incident status, evidential controls, and assurance that production and quality records remain reliable.
- Clue 4 (Minute 45): BSI reports recurring campaigns where removable-media propagation in industrial environments enabled persistent OT reconnaissance before visible disruption.
- Pressure Event (Minute 55): “Leadership requires a production and communication decision by Thursday 17:00.”
- Coordination Note: “Immediate external coordination: BSI and BKA plus BfDI and relevant state DPA channels under GDPR and BDSG obligations for industrial data handling.”
- Clue 3 (Minute 35): CNIL-aligned oversight contacts and major customer auditors request incident status, evidential controls, and assurance that production and quality records remain reliable.
- Clue 4 (Minute 45): ANSSI reports recurring campaigns where removable-media propagation in industrial environments enabled persistent OT reconnaissance before visible disruption.
- Pressure Event (Minute 55): “Leadership requires a production and communication decision by Thursday 17:00.”
- Coordination Note: “Immediate external coordination: ANSSI and OCLCTIC plus CNIL supervisory channels under GDPR and CNIL obligations for industrial data handling.”
Debrief Focus
- How removable-media propagation alters assumptions in segmented OT environments
- What evidence quality is required before quality-release commitments
- Which maintenance controls should be redesigned for future resilience
- How to align cybersecurity response with industrial safety and compliance obligations