Large Group Facilitator Guide: Stuxnet – Manufacturing Deadline
Quick Reference
- Format: Multi-Team Coordination
- Session length: 150 min + 25 min debrief (Fog Lifts arc runs deeper)
- Teams: Alpha (Forensics) / Bravo (Network/Infrastructure) / Charlie (Business Impact)
- Variants: US (TechCore Semiconductors / DoD) / UK (Precision Defence Systems / MOD)
- Expertise level: Advanced (ICS/OT context requires comfort with industrial control systems concepts)
- Central dilemma: Deliver parts that may be defective to meet the defense contract deadline, or hold delivery for integrity – the 14:00 UTC briefing with the contract officer is the pivot
- For format selection, IC briefing, and general facilitation mechanics, see the Large Group Facilitation Guide.
21 Artifacts at a Glance
Red herring: ALPHA Development 1 (ADMIN-WS-012 After-Hours OPC-UA Sessions). Let teams chase this for up to 5 minutes in Round 4; the benign explanation arrives in the same card. Do not tip teams off in advance.
| Tier | Team | Card | Key Content |
|---|---|---|---|
| R1 | Alpha | Initial Indicator 1: USB-Origin Malware on SCADA Workstation | AV detection 29 min after USB event; ~WTR4132.tmp staging file; USB inserted February 17 – 18 days ago |
| R1 | Alpha | Initial Indicator 2: Step 7 Project File Modification – PLC Code Changed | LineA_Production.s7p and LineB_Production.s7p modified at USB insertion time; no engineer session open; no change management record |
| R1 | Bravo | Initial Indicator 1: SCADA Readings vs. Physical Reality | 98.7% SCADA pass rate vs. 77% physical measurement; QC Manager found discrepancy manually; Line B still running |
| R1 | Bravo | Initial Indicator 2: OT Network Architecture – Air Gap Status | Air gap false since 2023 OPC-UA addition; no audit logging on OPC-UA server; unauthenticated access |
| R1 | Charlie | Initial Indicator 1: Production Halt – Defense Delivery Deadline | 1,600 units delivered; 480 in facility; Lines A and B halted; contract officer assessment 14:00 UTC (4 hours) |
| R1 | Charlie | Initial Indicator 2: Regulatory Notification Obligations | 72-hour notification clock running; “safety-of-flight” language from contract officer; preliminary notification vs. waiting |
| R2-3 | Alpha | Deep Analysis 1: PLC Modification – What the Malware Actually Changed | 7% over-speed + 12% under-coolant; SCADA masking separate from PLC change; clean backup dated January 8 |
| R2-3 | Alpha | Deep Analysis 2: Batch 1 vs. Batch 2 – Production Date Forensics | Batches 1 and 2 predate the compromise (Feb 17 modification); 480 defective units in facility are Batch 3; ERP log checked for tampering |
| R2-3 | Alpha | Deep Analysis 3: Malware Attribution and Scope of Infection | Two zero-day exploits required; targeted specific facility production parameters; contained to MFG-WS-001, MFG-WS-002, 3 PLCs |
| R2-3 | Bravo | Deep Analysis 1: PLC Reprogramming – What Recovery Requires | 8-10 hour recovery; clean engineering laptop constraint (Siemens licensed); clean backup from TCS-BAK-01 January 8 |
| R2-3 | Bravo | Deep Analysis 2: IT/OT Boundary – OPC-UA Path Analysis | 3 after-hours sessions from ADMIN-WS-012 to OT network before USB event (red herring – see Development 1); no OPC-UA audit logging |
| R2-3 | Bravo | Deep Analysis 3: Line C – Only Unaffected Production Line | Line C PLC clean; MFG-WS-002 infected but Line C PLC not targeted; firewall change (restrict OPC-UA to ERP only) can be done in minutes |
| R2-3 | Charlie | Deep Analysis 1: Batch Integrity – Shipped Component Safety Assessment | “Likely clean” finding for Batches 1 and 2; retained sample re-inspection needed; “safety-of-flight” escalates if even one sample fails |
| R2-3 | Charlie | Deep Analysis 2: Regulatory Notification Strategy | Preliminary notification now vs. waiting; filing today protects cleared status; “no CUI/classified exfiltration confirmed” statement |
| R2-3 | Charlie | Deep Analysis 3: Contract Recovery Path and Customer Relationship | Contract officer offered extension because of transparent communication; PLC restoration tonight is critical path |
| R4-5 | Alpha | Development 1: ADMIN-WS-012 After-Hours OPC-UA Sessions Investigated | Red herring resolved: David Reyes personal testing, benign; sessions cleared in ~3 hours |
| R4-5 | Alpha | Development 2: USB Placement – Physical Security Investigation | Targeted drop at named engineer’s parking spot; prior surveillance required; Siemens service engineer visited day before |
| R4-5 | Bravo | Development 1: PLC Restoration Complete – Production Verified | Recovery complete; replacement Batch 3 on track; MFG-WS-001 and MFG-WS-002 still infected (disconnected from PLCs) |
| R4-5 | Bravo | Development 2: Permanent OT Security Architecture Recommendations | USB lockdown + OPC-UA restriction ($180K/£148K); OT monitoring platform ($340K/£279K); file integrity monitoring; physical security ($45K/£37K) |
| R4-5 | Charlie | Development 1: Regulatory Authority Review – Cleared Status Preserved | DCSA/MOD DSO cleared status maintained; timely notification explicitly cited; 30-day forensic report required |
| R4-5 | Charlie | Development 2: Executive Debrief – What Prevented Disaster | QC Manager physical gauge check was the only control that worked; three Board investments approved; SCADA trustworthiness finding |
Opening Delivery
This is Group B “Fog Lifts” – the attack was 18 days ago and was designed to be invisible. Teams open their first cards knowing something is wrong but not knowing what. The investigative challenge is establishing what was compromised before any decision can be made.
Pre-release framing is more important for Fog Lifts than Crisis Curve. Teams need the “something is wrong but unclear” premise before opening cards. Do not rush the opening.
“It is Wednesday 10:00 UTC. TechCore Semiconductors has halted production on Lines A and B. Your QC manager found that physical measurements don’t match what SCADA is reporting – and the gap is large enough that something has gone wrong. The antivirus flagged a staging file on a SCADA workstation this morning. Your contract officer is expecting a status briefing at 14:00 UTC, four hours from now. Turn over your cards.”
Critical note for Group B: Teams will want to know what the malware is in Round 1. That is correct. Do not rescue them. The fog is the learning. Teams that name the threat family too quickly will skip the batch integrity question – which is the most important analytical question in the session. If a team states “this is Stuxnet” without working through the production date forensics, prompt: “Naming the family is a starting point. What does that tell you about whether the defective units have already shipped?”
Round-by-Round Facilitation Notes
Round 1 – Initial Indicators
Released: All 6 R1 cards at session open
Alpha discovers: USB event was 18 days ago; AV quarantined the file but PLC payload may have already executed; modification is to production control, not data
Bravo discovers: SCADA data is falsified – readings don’t match physical reality; the “air gap” is false (OPC-UA path added 2023)
Charlie discovers: 1,600 units delivered; 480 in facility; contract officer briefing is 4 hours away; “safety-of-flight” escalation is in play
IC synthesis: Alpha knows when the USB event happened. Charlie knows when delivery happened. The IC needs to connect those two dates to answer: did defective production start before or after the shipped units were made?
IM navigation prompt: “Ask Alpha: when did the USB event happen? Ask Charlie: when were Batches 1 and 2 delivered?”
End-of-round check: Have teams identified that the key question is batch timing, not malware attribution? Has anyone mentioned the 14:00 UTC briefing constraint?
Note: Round 1 often produces confused teams – “fog” is working as designed. Teams will have wrong hypotheses (Line C is affected, Batches 1 and 2 are also defective). Don’t correct them. The evidence will correct them in Rounds 2-3.
Timing: 20–25 min
Round 2 – Deep Analysis
Released: 3 cards per team at start of Round 2
Alpha discovers: The PLC was programmed to run slightly wrong – precision that required inside knowledge of production tolerances; Batches 1 and 2 predate the February 17 modification
Bravo discovers: OPC-UA path shows 3 after-hours sessions from ADMIN-WS-012 before USB event – this looks suspicious (red herring setup); Line C PLC is clean
Charlie discovers: Batches 1 and 2 are “likely clean” – but retained samples need physical re-inspection to confirm; preliminary regulatory notification recommended now
IC synthesis: Three teams each hold one-third of the batch integrity question – Alpha has the modification date, Bravo has Line C status, Charlie has the shipped batch timing. The IC must bring all three together to answer: “Are the shipped components safe?”
IM navigation prompt: “Ask Alpha: when did the PLC modification start? Ask Charlie: when were Batches 1 and 2 produced? Ask Bravo: which lines produced which batches?”
Red herring note: The ADMIN-WS-012 sessions in Bravo’s Deep Analysis 2 card look suspicious – 3 after-hours sessions to OT network. Many teams will want to chase this. That’s correct behavior – let them. The answer comes in Round 4 (benign). If teams are still on this thread in Round 3, a light prompt: “That thread is worth pursuing. While that investigation continues, what does Charlie need to deliver to the contract officer at 14:00 UTC?”
Timing: 25–30 min
Round 3 – Deep Analysis, Second Pass
No new artifacts.
Alpha: Attribution and scope; confidence in scope assessment (only MFG-WS-001/002 and 3 PLCs).
Bravo: PLC restoration plan (8-10 hr recovery; Siemens laptop constraint).
Charlie: Prepare 14:00 UTC contract officer briefing; preliminary regulatory notification decision.
IC synthesis: Does the team have enough for the 14:00 UTC briefing? Charlie needs: (a) batch integrity assessment (Alpha and Bravo), (b) regulatory notification filed (Charlie), (c) recovery timeline (Bravo). The IC’s job is to check whether all three are ready.
IM navigation prompt: “It is 13:30 UTC. The contract officer briefing is in 30 minutes. What does each team need to deliver before that briefing starts?”
Timing: 20–25 min
Round 4 – Developments
Released: 2 cards per team at start of Round 4
Alpha: ADMIN-WS-012 red herring resolved – David Reyes was testing OPC-UA path personally, benign; USB was a targeted parking-lot drop
Bravo: PLC restoration complete; production verified; MFG-WS-001/002 still infected but disconnected
Charlie: Regulatory authority cleared status preserved; timely notification was the key factor cited
IC synthesis: What decisions in the response protected the contract and the cleared status?
Note: When Alpha delivers the ADMIN-WS-012 finding (benign), some teams will feel they wasted time. Reframe: that investigation was necessary – they couldn’t have known it was benign without investigating. The question for debrief is whether the resources spent on it were proportionate.
Timing: 20–25 min
Round 5 – Executive Debrief (Optional at 180 Min)
Charlie: Executive debrief – QC Manager physical check was the only working control; Board investment approvals.
Bravo: Permanent OT security architecture.
Alpha: USB placement investigation complete; Siemens service engineer timing noted.
The Central Dilemma
Deliver parts that may be defective to meet the defense contract deadline, or hold delivery for integrity – and the 14:00 UTC briefing with the contract officer is the pivot.
Colonel Kim has one question: are Batches 1 and 2 safe? The answer requires three inputs that only IC synthesis can bring together: Alpha’s modification date (February 17), Bravo’s confirmation of which lines produced which batches, and Charlie’s batch production records. None of the three teams can answer the question alone. That is the design. A premature answer – “probably fine” – without the retained sample re-inspection is the failure mode.
Preliminary regulatory notification + retained sample analysis are both required before the 14:00 UTC briefing. IM watches whether Charlie has produced both by Round 3.
The contract officer’s response depends entirely on how the briefing is handled. The scenario is designed so that transparent, timely communication preserves the cleared status – and evasion or delay would not. Teams rarely need to be told this; the Development cards make it explicit.
Information Asymmetry Map
| Alpha knows | Bravo knows | Charlie knows | IC must synthesize |
|---|---|---|---|
| PLC modification date (February 17); what was changed and how precisely | Which production lines are affected; Line C is clean | Batch delivery dates (Batches 1 and 2 predate February 17) | All three pieces needed to answer “are shipped components safe?” – no team can answer alone |
| Malware required prior knowledge of production tolerances | OPC-UA path exists (unauthenticated, no audit log) | “Safety-of-flight” designation escalates consequences | The targeting precision (Alpha) + the unauthenticated access path (Bravo) changes the threat assessment |
| Scope confirmed to MFG-WS-001/002 and 3 PLCs | PLC restoration is 8-10 hours; Siemens laptop constraint | Contract officer briefing at 14:00 UTC; recovery must start tonight | Recovery timeline (Bravo) + deadline constraint (Charlie) – can both be met? |
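The batch integrity question above is the one piece of analysis that needs all three teams' inputs at once. The following is an added example, not material from the facilitator guide: it encodes the scenario's rules (production dates give "likely", physical re-inspection gives "confirmed", one out-of-spec retained sample fails the batch) so the IC's synthesis can be checked mechanically. The tolerance window, batch production windows, retained-sample readings and the year are constructed assumptions; the modification date, line names and unit counts follow the scenario.

```python
"""Batch integrity assessment: joining Alpha's modification date, Bravo's
line status and Charlie's production records into one answer.

Added example, not code from the facilitator guide. The tolerance window,
batch production windows and retained-sample readings are constructed; the
modification date, line names and unit counts follow the scenario.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Alpha: Step 7 project files were modified on February 17. The year is an
# assumption, chosen so that 18 days later falls on a Wednesday as in the scenario.
PLC_MODIFIED = datetime(2029, 2, 17, 14, 32)

# Bravo: Lines A and B ran modified PLC logic; the Line C PLC was not targeted.
AFFECTED_LINES = {"A", "B"}

# Constructed acceptance window for the machined inner diameter, in millimetres.
NOMINAL_ID_MM = 25.000
TOLERANCE_MM = 0.010


@dataclass
class Batch:
    """Charlie: one ERP production record plus any retained-sample re-inspection."""
    batch_id: str
    line: str
    produced_from: datetime
    produced_to: datetime
    units: int
    delivered: bool
    retained_samples_mm: Optional[List[float]] = None  # None = not re-inspected yet


@dataclass
class Assessment:
    batch_id: str
    status: str      # LINE_UNAFFECTED | CONFIRMED_CLEAN | LIKELY_CLEAN | OVERLAPS | SUSPECT | FAIL
    briefable: bool  # True only if the batch may be called safe at the 14:00 UTC briefing
    reason: str


def assess_batch(batch: Batch, modified: datetime = PLC_MODIFIED) -> Assessment:
    """Apply the scenario's rules: production dates decide 'likely', physical
    re-inspection decides 'confirmed', and a single out-of-spec retained sample
    fails the batch (the safety-of-flight rule)."""
    bid = batch.batch_id
    if batch.line not in AFFECTED_LINES:
        return Assessment(bid, "LINE_UNAFFECTED", True,
                          f"Line {batch.line} PLC verified untargeted by Bravo")
    if batch.produced_from >= modified:
        return Assessment(bid, "SUSPECT", False,
                          "entire production window is after the PLC modification; quarantine")
    if batch.produced_to >= modified:
        return Assessment(bid, "OVERLAPS", False,
                          "production window straddles the modification; split units by timestamp")
    # Whole batch predates the modification: likely clean, pending physical proof.
    samples = batch.retained_samples_mm
    if not samples:
        return Assessment(bid, "LIKELY_CLEAN", False,
                          "predates modification; retained-sample re-inspection still required")
    out_of_spec = [m for m in samples if abs(m - NOMINAL_ID_MM) > TOLERANCE_MM]
    if out_of_spec:
        return Assessment(bid, "FAIL", False,
                          f"{len(out_of_spec)} of {len(samples)} retained samples out of spec; "
                          "safety-of-flight escalation")
    return Assessment(bid, "CONFIRMED_CLEAN", True,
                      f"predates modification and all {len(samples)} retained samples in tolerance")


def briefing_position(batches: List[Batch]) -> Dict:
    """Roll per-batch results into what Charlie can state at 14:00 UTC."""
    results = {b.batch_id: assess_batch(b) for b in batches}
    delivered = [results[b.batch_id] for b in batches if b.delivered]
    return {
        "assessments": {k: v.status for k, v in results.items()},
        # Never "probably fine": every delivered batch must be confirmed before it is called safe.
        "shipped_components_safe": bool(delivered) and all(r.briefable for r in delivered),
        "pending_reinspection": [r.batch_id for r in delivered if r.status == "LIKELY_CLEAN"],
        "quarantined_units": sum(b.units for b in batches
                                 if results[b.batch_id].status in ("SUSPECT", "OVERLAPS", "FAIL")),
    }


def scenario_batches() -> List[Batch]:
    """Constructed records matching the scenario: 1,600 units delivered in
    Batches 1 and 2 before February 17, 480 Batch 3 units still in the facility."""
    return [
        Batch("Batch 1", "A", datetime(2029, 1, 20), datetime(2029, 1, 31), 800, True,
              [25.002, 24.996, 25.004, 24.993]),   # re-inspected: all in tolerance
        Batch("Batch 2", "B", datetime(2029, 2, 3), datetime(2029, 2, 14), 800, True, None),
        Batch("Batch 3", "A", datetime(2029, 2, 18), datetime(2029, 3, 5), 480, False, None),
    ]


if __name__ == "__main__":
    for b in scenario_batches():
        a = assess_batch(b)
        print(f"{a.batch_id}: {a.status} ({a.reason})")
    print(briefing_position(scenario_batches()))
```

With the constructed records, Batch 2 stays "likely clean" and the shipped-components answer stays "no" until its retained samples are physically measured, which is exactly the gap the IM watches for in Round 3.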
Common Failure Modes
1. Teams state batch safety before checking production dates
What it looks like: Charlie team reassures the group that Batches 1 and 2 are safe without checking whether the modification date predates those batches.
IM response: “The CSO said one altered data point invalidates the delivery. What is the production date for Batches 1 and 2 – and when did the modification start?”
2. All resources go to attribution at the expense of batch integrity
What it looks like: Alpha spends Rounds 2-3 on malware attribution (nation-state, zero-days, target intelligence) without connecting to the batch timing question.
IM response: “Attribution is important for the investigation. But the contract officer is in 90 minutes. What does the team know about Batches 1 and 2?”
3. Red herring (ADMIN-WS-012) consumes Round 4
What it looks like: Alpha team pursues the David Reyes OPC-UA sessions for the entire round, treating it as the primary threat thread.
IM response: Let them pursue for 5 minutes. Then, if they’re still going: “That thread has context in the same card. What does the full card say about those sessions?”
4. Preliminary regulatory notification deferred until findings are complete
What it looks like: Charlie team holds notification until they have full scope – waiting for Alpha and Bravo to finish before filing.
IM response: “Filing preliminary notification now, with incomplete findings, is the standard approach. What are the risks of waiting – and what are the risks of filing now?” (Regulatory body: DFARS/DCSA)
5. Teams miss the retained sample re-inspection requirement
What it looks like: Charlie presents the batch integrity finding as “likely clean” and moves on, without noting that “likely” requires retained sample physical verification.
IM response: “The contract officer said ‘safety-of-flight.’ If Batch 2 retained samples show even one out-of-spec unit, what does that change?”
6. Bravo closes the OPC-UA path without consulting impact on production scheduling
What it looks like: Bravo recommends closing the OPC-UA path immediately without checking with Charlie/Manufacturing what that breaks.
IM response: “Closing that path can be done in minutes. What breaks when you do it – and is there a production scheduling dependency that needs to be managed first?”
Discussion Prompts by Tier and Team
Initial Indicators – Round 1
ALPHA – Initial Indicator 1: USB-Origin Malware on SCADA Workstation
- The AV quarantined the staging file 29 minutes after the USB event. What could have happened in those 29 minutes – and is the quarantine action actually stopping anything?
- The engineer plugged in an unrecognized USB he found in a parking lot. What should have stopped that, and who is responsible for the gap?
- `~WTR4132.tmp` is a known Stuxnet staging filename from 2010. Why would a detection tool recognize this file only today, 18 days after the USB event?
- The USB device serial is not in company inventory. Is there a USB device control policy – and was it enforced on `MFG-WS-001`?
- If the AV quarantine removed the staging file but not the PLC payload, what is the actual scope of what is still running on this system?
ALPHA – Initial Indicator 2: Step 7 Project File Modification – PLC Code Changed
- The project files were modified at the same minute as the USB autorun, with no engineer session open. What does that tell you about whether this was deliberate or accidental?
- The modification was 18 days ago – February 17. It is now Wednesday. If defective production started February 18, how many components have been produced under modified PLC logic?
- The change management system has no record of these modifications. Is that a detection failure or a policy gap?
- `LineA_Production.s7p` and `LineB_Production.s7p` are the programs that run the production lines. What should happen to Line A and Line B right now, before you know what was changed?
- The malware ran as `SYSTEM`. What does that mean about the privilege level of the compromise – and what else on this machine could a `SYSTEM`-level process access?
BRAVO – Initial Indicator 1: SCADA Readings vs. Physical Reality
- SCADA shows 98.7% pass rate. Physical inspection shows 77% failure rate. What are the possible explanations – and which ones require a cybersecurity response?
- The QC manager found this discrepancy through physical measurement. How long would it have gone undetected if he had only used automated QC?
- If SCADA data cannot be trusted, what else in the production environment might be falsified? How do you determine what is real?
- Line B is still running. Should it be halted while you investigate – and who has authority to halt a production line with a contract deadline 48 hours away?
- What physical measurements would confirm or deny that Line B has the same problem?
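The QC manager's gauge check is the control this card is built around: an independent physical sample compared against what SCADA reports. The following is an added example, not code from the facilitator guide, showing that comparison as a repeatable check rather than a one-off manual discovery. The per-unit results are constructed to reproduce the card's numbers (SCADA reports 98.7% pass; a 100-unit gauge sample shows 77% failing); the significance threshold is an assumption.

```python
"""Detecting SCADA masking: compare the pass rate SCADA reports for a shift
with an independent physical gauge sample of the same units.

Added example, not code from the facilitator guide. The per-unit results are
constructed to reproduce the scenario's numbers (SCADA: 98.7% pass; gauge
sample of 100 units: 77% fail); the significance threshold is an assumption.
"""
import math
from typing import Dict, List, Tuple


def two_proportion_z(pass1: int, n1: int, pass2: int, n2: int) -> Tuple[float, float]:
    """Two-sided two-proportion z-test; returns (z, p_value)."""
    if n1 == 0 or n2 == 0:
        raise ValueError("both samples must be non-empty")
    p1, p2 = pass1 / n1, pass2 / n2
    pooled = (pass1 + pass2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    if se == 0.0:  # both samples unanimous and identical: nothing to test
        return 0.0, 1.0
    z = (p1 - p2) / se
    return z, math.erfc(abs(z) / math.sqrt(2))


def masking_check(scada_pass: List[bool], gauge_pass: List[bool], alpha: float = 0.001) -> Dict:
    """Flag a shift when the SCADA-reported pass rate and an independent
    physical sample disagree by more than sampling noise can explain.

    The gauge sample must come from a measurement path that does not depend
    on the PLCs or SCADA (hand gauges, a CMM on a separate network), otherwise
    the comparison inherits the same falsified data."""
    z, p = two_proportion_z(sum(scada_pass), len(scada_pass), sum(gauge_pass), len(gauge_pass))
    scada_rate = sum(scada_pass) / len(scada_pass)
    gauge_rate = sum(gauge_pass) / len(gauge_pass)
    # Direction matters: a reported pass rate above the physical one is the masking pattern.
    masking = p < alpha and scada_rate > gauge_rate
    return {
        "scada_pass_rate": round(scada_rate, 4),
        "gauge_pass_rate": round(gauge_rate, 4),
        "z": round(z, 2),
        "p_value": p,
        "alert": masking,
        "action": ("halt line; treat SCADA QC data as untrusted; physical re-inspection of the shift"
                   if masking else "no discrepancy beyond sampling noise"),
    }


def constructed_shift() -> Tuple[List[bool], List[bool]]:
    """Constructed records: 1,000 SCADA-reported results (987 pass) and a
    100-unit physical gauge sample of the same shift (23 pass, 77 fail)."""
    scada = [True] * 987 + [False] * 13
    gauge = [True] * 23 + [False] * 77
    return scada, gauge


if __name__ == "__main__":
    print(masking_check(*constructed_shift()))
```

A gauge sample of this size against a 98.7% reported pass rate gives a z statistic well above 20, so the shift is flagged on the first comparison; with a consistent sample (say 98 of 100 passing) the same check stays quiet.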
BRAVO – Initial Indicator 2: OT Network Architecture – Air Gap Status
- This malware arrived via USB, not the network. But the “air gap” was already false before this incident. How many other attacks could have used the OPC-UA path without being detected?
- The OPC-UA server has no audit logging. How do you determine whether the IT-to-OT path has been used by the attacker – or anyone else – in the past 18 days?
- Who made the decision to add the OPC-UA path in 2023, and was a risk assessment conducted at the time?
- The OPC-UA session is unauthenticated. What could an attacker on the corporate IT network do with unauthenticated OPC-UA access to the manufacturing network?
- The malware is in the OT network. Should the OPC-UA path be closed immediately – and what breaks in production scheduling if it is?
CHARLIE – Initial Indicator 1: Production Halt – Defense Delivery Deadline
- 1,600 units have already been delivered. If the PLC modification has been running since February 17, the key question is: when were those batches produced? What information does your team need to answer that?
- Line C is unaffected and still running. Does that help with the Friday deadline – or does Line C produce different components?
- The contract officer is asking for a 14:00 UTC assessment – four hours from now. What can your team realistically determine in that window, and what will still be uncertain?
- Both Line A and Line B are halted. At what point do you have enough information to restart them safely – and who authorizes that?
- The Friday deadline is real. Recovery takes time. What is the tradeoff between forensic thoroughness and contract survival?
CHARLIE – Initial Indicator 2: Regulatory Notification Obligations
- The 72-hour notification clock is running. The investigation is incomplete. Should the team file a preliminary notification now, or wait for more findings?
- The contract officer is asking about Batches 1 and 2. If the answer is “we don’t know yet,” what happens to the contract – and how do you communicate uncertainty without triggering a worst-case response?
- Preliminary notification satisfies the regulatory clock without requiring complete findings. What are the risks of filing a preliminary notification – and what are the risks of not filing?
- Who at this company is authorized to make the regulatory notification – Legal, the Security Officer, or the CEO?
- The contract officer mentioned “safety-of-flight.” What does that escalate this incident to – and does it change anything about the investigation timeline?
Deep Analysis – Rounds 2-3
ALPHA – Deep Analysis 1: PLC Modification – What the Malware Actually Changed
- The modifications run spindle speed 7% over and coolant 12% under – both small enough to avoid automated alerts. What does that precision tell you about who designed this?
- The attacker needed to know that 7% over-speed specifically causes out-of-tolerance inner diameter. Where would that knowledge come from?
- The SCADA masking is a separate modification from the PLC control change. What does having both components tell you about the sophistication of whoever wrote this?
- The original PLC logic from January 8 is the restoration target. Is that backup trustworthy – and where is it stored?
- `PLC-LINE-A2` has the same modification as `PLC-LINE-A1`. `PLC-LINE-B1` has a variant. Are there other PLCs that should be checked?
ALPHA – Deep Analysis 2: Batch 1 vs. Batch 2 – Production Date Forensics
- Batches 1 and 2 predating the compromise is the best possible news. How do you verify that finding – what physical evidence confirms these dates?
- 480 defective units are in the facility. What needs to happen to them – and can they be re-machined or are they scrap?
- The ERP production log was checked for tampering. Is that check sufficient – or could an attacker have modified the log to hide the actual modification date?
- If you brief the contract officer at 14:00 UTC, what is the key message – and what evidence supports it?
- The clean backup of the PLC program is dated January 8, 40 days before the February 17 modification. Is the most recent legitimate engineer save also from January 8 – and if not, what happened in the gap?
ALPHA – Deep Analysis 3: Malware Attribution and Scope of Infection
- The malware required two zero-day exploits and precise knowledge of this facility’s production parameters. What class of adversary has that capability?
- The infection is contained to `MFG-WS-001`, `MFG-WS-002`, and the three Line A/B PLCs. What gives you confidence that the scope assessment is complete?
- `MFG-WS-002` is infected but the Line C PLC it connects to is not targeted. Does `MFG-WS-002` need to be cleaned before Line C can be trusted?
- CISA notification is recommended. Who at this company makes that call – Security, Legal, or the CEO?
- The attacker knew TechCore’s PLC model, production parameters, and a specific engineer’s parking spot. What does that level of prior knowledge mean for the ongoing investigation?
BRAVO – Deep Analysis 1: PLC Reprogramming – What Recovery Requires
- The recovery is 8–10 hours, and you have 51 hours available. The timing works – but what can go wrong that extends that estimate?
- The clean engineering laptop constraint: if Siemens cannot provide a licensed laptop within 2 hours, is there any other source?
- Step 2 (firmware integrity) is not guaranteed to be clean. If PLC firmware was also modified, what does that add to the recovery time?
- The Step 7 archive backup on `TCS-BAK-01` is dated January 8. Is it the right source – is there a more recent clean backup anywhere?
- Who has the authority to begin PLC restoration tonight – and do they need to be physically present?
BRAVO – Deep Analysis 2: IT/OT Boundary – OPC-UA Path Analysis
- Three sessions from a non-ERP admin workstation to the OT network, after hours, on consecutive days before the USB event. What investigative steps do you take on `ADMIN-WS-012`?
- OPC-UA audit logging is disabled. How do you determine what those sessions actually did on `MFG-WS-001`?
- The USB was the delivery vector for the malware. But could the OPC-UA sessions be a separate, parallel access path – or reconnaissance before the USB drop?
- The OPC-UA path has no authentication and no encryption. An anonymous unauthenticated session can read all OPC-UA tags. What sensitive operational data is exposed?
- Should the OPC-UA path be closed right now while the investigation continues – and does closing it break production scheduling?
BRAVO – Deep Analysis 3: Line C – Only Unaffected Production Line
- Line C is clean and the recovery path is available. What is the single biggest risk that could prevent a successful PLC restoration by Thursday morning?
- `TCS-BAK-01` is confirmed clean. Is the January 8 PLC archive the right version to restore – were there legitimate changes between January 8 and February 17 that would need to be reapplied?
- The firewall change (restrict OPC-UA to ERP server only) can be done in minutes. Is there any reason not to do that right now?
- Physical verification after PLC restoration is the final gate. Who certifies that a production run is “verified” – the ICS specialist, the QC manager, or both?
- If Siemens firmware verification (Step 2) finds PLC firmware was also modified, what is the contingency plan?
CHARLIE – Deep Analysis 1: Batch Integrity – Shipped Component Safety Assessment
- The “likely clean” finding for Batches 1 and 2 is based on production dates. How do you get from “likely” to “confirmed” before the 14:00 UTC briefing with the contract officer?
- 480 defective units are quarantined. Can they be salvaged by re-machining, or is the dimensional deviation too large?
- The retained sample re-inspection takes how long? Can it be completed before the 14:00 UTC briefing – and what if it cannot?
- The contract officer said “safety-of-flight.” If Batch 2 retained samples show even one out-of-spec unit, what does that change?
- Who signs off on the QC certification for the replacement Batch 3 production – and does that certification need independent verification given the compromised SCADA history?
CHARLIE – Deep Analysis 2: Regulatory Notification Strategy
- Filing the preliminary notification now, with incomplete findings, is the recommended approach. What are the risks of that – and what are the risks of waiting?
- The contract officer is meeting at 14:00 UTC. What is the difference between what Legal needs to communicate and what the technical team needs to communicate?
- “No CUI/classified information exfiltration confirmed” is technically accurate but requires confidence. How do you establish that the malware was sabotage-only and did not exfiltrate design files?
- Defence sector regulatory bodies will assign a representative to review the facility. How should the company prepare for that review?
- Filing preliminary notification today protects the company’s cleared status. What would happen to the cleared contractor relationship if notification was delayed 72+ hours?
CHARLIE – Deep Analysis 3: Contract Recovery Path and Customer Relationship
- The contract officer has offered a path to contract completion. What is the single most likely thing to go wrong that could close that path?
- “Transparent communication today” was specifically cited as a factor. What would have happened if the company had delayed the 14:00 UTC briefing?
- The PLC restoration needs to start tonight. Who is running that operation overnight – and what is the escalation path if the Siemens laptop licence cannot be provisioned in time?
- Physical QC certification for replacement Batch 3 is the final gate before delivery. Who has authority to certify that batch – and can they be available Thursday afternoon?
- The contract officer offered the extension because of how the company responded. What specific behaviors preserved that option – and are those behaviors in the company’s standard incident response plan?
Developments – Rounds 4-5
ALPHA – Development 1: ADMIN-WS-012 After-Hours OPC-UA Sessions Investigated
- The sessions are benign. But David Reyes had unapproved, unlogged access to OT systems from a corporate workstation. Is that still a finding?
- He chose `MFG-WS-001` as a test target because it was “easy to reach.” That means the OPC-UA path from IT to OT has no access control beyond the firewall rule. What should change?
- David Reyes was unaware the sessions were being logged. Who should have been aware – and why wasn’t there an alert on anomalous IT-to-OT OPC-UA connections?
- The investigation cleared this thread in approximately 3 hours. Was that the right priority – and what was deferred while the team investigated this?
- IT staff testing OT connections with no OT team notification is itself a risk. Is there a formal change request process for IT work that touches OT systems?
ALPHA – Development 2: USB Placement – Physical Security Investigation
- Placing the USB at a specific engineer’s parking spot required knowing who that person was and approximately when they arrived. What does that level of prior surveillance tell you about the threat actor?
- The parking lot was public access with no barriers. Is adding physical security to the employee lot a reasonable response – or does it just move the attack vector?
- The Siemens service engineer visited the day before. Is that timing coincidental, or should the team investigate whether the Line C maintenance visit was legitimate?
- Ryan Cho plugged in an unknown USB because he was curious. Is this a training failure, a policy failure, or a technical control failure – and what is the right fix?
- This was a surveilled, targeted operation against a named individual at a specific facility. Who needs to know that – and when?
BRAVO – Development 1: PLC Restoration Complete – Production Verified
- Production is verified and restarted. The immediate crisis is resolved. What does the team still need to close out before considering this incident fully contained?
- `MFG-WS-001` and `MFG-WS-002` are still infected. They are no longer connected to the PLCs – but what needs to happen to those workstations before they can be returned to service?
- The OPC-UA path is still open. Was the recommended firewall change (restrict to ERP server IP only) made during the recovery operation?
- Firmware on all three PLCs was verified clean. Does that mean the malware did not modify firmware, or that firmware modification was reversed during restoration?
- Replacement Batch 3 completes Friday 00:30 UTC. That is 17 hours before the extended deadline. Is there a QC certification step between production completion and delivery – and how long does that take?
BRAVO – Development 2: Permanent OT Security Architecture Recommendations
- The two “immediate” items (USB lockdown and OPC-UA restriction) can be done today. What is stopping either of them from being completed before end of business?
- The OT monitoring platform ($340,000) would have detected the SCADA masking anomaly – a discrepancy between commanded and reported values. Why wasn’t something like this in place already?
- File integrity monitoring on Step 7 project files would have detected the February 17 modification within hours. Is there a reason this specific control was never implemented?
- The physical security upgrade (parking lot badge control) costs $45,000 and takes weeks. In the interim, what stops the same attack from happening again tomorrow?
- The total security investment is $520,000. The contract is worth far more. How does the team frame this investment for Board approval – and who presents it?
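The file integrity monitoring item above is the control that would have caught the February 17 modification: a Step 7 project file changing with no engineer session and no change management record. The following is an added example, not code from the facilitator guide or any vendor product, showing the core of that check: a hash baseline over `.s7p` files, with every change reconciled against approved change windows so that a modification nobody requested is the alert. Paths, hashes and the change record `CHG-0042` are constructed; the file contents are placeholders, not real Step 7 project data.

```python
"""File integrity monitoring for Step 7 project files, reconciled against
change-management records.

Added example, not code from the facilitator guide. Paths, hashes and the
change-management records are constructed; a real deployment would run the
scan on a schedule (or on filesystem events) and forward alerts to the SOC.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

WATCHED_SUFFIXES = (".s7p",)


@dataclass
class ApprovedChange:
    """One change-management record: who may touch which file, and when."""
    change_id: str
    path: str
    window_start: datetime
    window_end: datetime


@dataclass
class Finding:
    path: str
    old_sha256: str
    new_sha256: str
    modified_at: datetime
    change_id: str   # "" when no change record covers the modification
    severity: str    # INFO (approved change) or CRITICAL (no approved change)


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Hash every watched project file under root. In production the baseline
    is stored off-host (e.g. on the backup server), not beside the files."""
    baseline: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(WATCHED_SUFFIXES):
                p = os.path.join(dirpath, name)
                baseline[p] = sha256_of(p)
    return baseline


def scan(root: str, baseline: Dict[str, str], approved: List[ApprovedChange]) -> List[Finding]:
    """Compare current hashes with the baseline; any change that no approved
    change window covers is CRITICAL. Deleted project files are flagged too."""
    findings: List[Finding] = []
    current = build_baseline(root)
    for path, new_hash in current.items():
        old_hash = baseline.get(path)
        if old_hash == new_hash:
            continue
        mtime = datetime.fromtimestamp(os.path.getmtime(path))
        match: Optional[ApprovedChange] = next(
            (c for c in approved if c.path == path and c.window_start <= mtime <= c.window_end), None)
        findings.append(Finding(path, old_hash or "<new file>", new_hash, mtime,
                                match.change_id if match else "",
                                "INFO" if match else "CRITICAL"))
    for path, old_hash in baseline.items():
        if path not in current:  # deletion time is unknown; record when it was noticed
            findings.append(Finding(path, old_hash, "<deleted>", datetime.now(), "", "CRITICAL"))
    return findings


def run_demo() -> Dict[str, tuple]:
    """Constructed scenario: two project files, one edited under a change
    record, one edited with no record (the February 17 pattern)."""
    with tempfile.TemporaryDirectory() as root:
        line_a = os.path.join(root, "LineA_Production.s7p")
        line_b = os.path.join(root, "LineB_Production.s7p")
        for p in (line_a, line_b):
            with open(p, "wb") as f:
                f.write(b"PLACEHOLDER PLC PROJECT v1\n")
        baseline = build_baseline(root)
        now = datetime.now()
        approved = [ApprovedChange("CHG-0042", line_b, now - timedelta(hours=1), now + timedelta(hours=1))]
        with open(line_a, "ab") as f:
            f.write(b"UNRECORDED EDIT\n")      # no engineer session, no change record
        with open(line_b, "ab") as f:
            f.write(b"EDIT UNDER CHG-0042\n")  # inside the approved window
        findings = scan(root, baseline, approved)
        return {os.path.basename(f.path): (f.severity, f.change_id) for f in findings}


if __name__ == "__main__":
    for name, (severity, change_id) in run_demo().items():
        print(f"{severity:8} {name} change={change_id or 'NONE'}")
```

The check is only as good as the baseline's integrity and the completeness of the change records, which is why the baseline belongs on a system the attacker did not reach (the scenario's `TCS-BAK-01` role) and why every legitimate engineer save must create a record.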
CHARLIE – Development 1: Regulatory Authority Review – Cleared Status Preserved
- Cleared contractor status maintained. What specific actions between Wednesday 08:10 UTC and Thursday 10:00 UTC directly produced that outcome?
- The DCSA/MOD DSO explicitly noted “timely notification.” If notification had been delayed by 24 hours while the team waited for more findings, how might this outcome have differed?
- The 30-day forensic report requirement is a live obligation. Who owns that deliverable – and is the current team capable of producing it, or is external support needed?
- NCSC / CISA involvement in a state-sponsored ICS attack typically results in a threat intelligence brief to peer contractors. Is TechCore/Precision Defence prepared to participate in that debrief?
- The DCSA/DSO representative said “no defective components reached DoD/MOD.” That was luck of timing. What process change ensures this outcome by design rather than by luck in the future?
CHARLIE – Development 2: Executive Debrief – What Prevented Disaster
- A QC manager doing a physical gauge check was the only control that worked. What does that tell you about the limits of automation in security-critical manufacturing?
- The three investments approved today: which one would have caught this attack earliest if it had been in place before February 17?
- The central finding: SCADA data is only as trustworthy as the PLCs feeding it. How does the company change its quality assurance philosophy to reflect this?
- The board approved all three investments. Is that because the attack was serious – or because the response was transparent? Would the same investments have been approved if the attack had been discovered after defective components were already installed in defense systems?
- After the board briefing, what is the CISO’s most important next action – and what is the manufacturing director’s?
Debrief Focus
1. “Alpha knew the modification date. Bravo knew the line-to-batch mapping. Charlie knew the delivery dates. None of you could answer the batch safety question alone. When did the IC bring those three pieces together – and how long did that take?”
Surfaces: information asymmetry as a structural design in the scenario; the IC synthesis function.
2. “The DCSA reviewer cited ‘timely notification’ as the specific factor that preserved cleared status. If the team had waited 24 hours for more complete findings before notifying, how might that outcome have differed?”
Surfaces: the tradeoff between completeness and timeliness in regulatory disclosure.
3. “The ADMIN-WS-012 sessions looked suspicious and turned out to be benign. The team spent resources investigating them. Was that a good use of time – and what would it have cost to not investigate?”
Surfaces: the legitimate cost of chasing red herrings vs. the cost of missing a real threat.
4. “The QC Manager found the discrepancy by taking physical measurements. Every automated control failed – AV didn’t catch it for 18 days, SCADA was masking the anomaly, the change management system had no record. What does that tell you about the limits of automated detection in OT environments?”
Surfaces: the role of human observation in ICS/OT security.
5. “The malware required knowledge of this facility’s production tolerances and a specific engineer’s parking spot. What kind of adversary has that capability – and does knowing the answer change anything about your organization’s threat model?”
Surfaces: nation-state targeting of critical infrastructure suppliers; the supply chain security implication.