Stuxnet Scenario: Smart Grid Infrastructure Sabotage

Great Plains Energy Cooperative: Electric utility with 500 employees serving 800,000 customers
Smart Grid ICS Sabotage • Stuxnet
STAKES
Grid stability + Critical-service continuity + Infrastructure trust + National security response
HOOK
Grid operators observe unexplained switching behavior in automated distribution controls, contradictory telemetry between field devices and control dashboards, and unauthorized parameter changes in renewable balancing logic. Security monitoring also detects abnormal traffic associated with recently deployed vendor update packages.
PRESSURE
  • Decision deadline: 5:45 PM
  • Peak-risk window: 5:00 PM heatwave demand peak
  • Facility profile: Electric utility with 500 employees serving 800,000 customers
  • Exposure estimate: USD 28 million projected outage and recovery exposure
FRONT • 180 minutes • Expert
NPCs
  • Director Patricia Hoffman (CEO): Owns strategic incident decisions and executive coordination
  • Kevin Torres (Grid Operations Director): Manages real-time dispatch integrity and service continuity
  • Dr. Sarah Chen (Smart Grid Engineer): Validates automation logic and control-parameter integrity
  • Frank Morrison (CISO): Leads containment, evidence quality, and external authority engagement
SECRETS
  • High-trust vendor update workflows introduced unverified automation changes into production controls
  • Control-parameter manipulation focused on balancing functions that are hardest to challenge in real time
  • Timing indicators show intent to trigger instability during predictable demand stress windows

Planning Resources

Tip 📋: Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

Stuxnet Smart Grid Sabotage Planning Document

Planning documents provide a structured 30-minute preparation path for first-time IMs, or quick-reference support for experienced facilitators.

Note 🎬: Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

Stuxnet Smart Grid Sabotage Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support

Scenario Details for IMs

Hook

Initial Symptoms to Present:

Warning 🚨: Initial User Reports
  • “Automated switching behavior no longer aligns with operator dispatch instructions”
  • “Control-center dashboards and field telemetry diverge during balancing operations”
  • “Renewable integration logic includes unauthorized parameter edits”
  • “Recent vendor update pathways show unusual command traffic and integrity anomalies”

Key Discovery Paths:

Detective Investigation Leads:

  • Forensic sequencing links control anomalies to high-trust vendor update workflows
  • Logic-diff analysis reveals targeted changes in balancing and switching behavior
  • Timeline reconstruction indicates preparation for activation during forecasted demand stress

Protector System Analysis:

  • Real-time control validation identifies high-risk automation zones requiring manual safeguards
  • Stability analysis shows cascading-risk pathways across interconnected feeders and substations
  • Containment design must preserve service continuity while restoring control integrity

Tracker Network Investigation:

  • Session mapping identifies coordinated command patterns across automation management tiers
  • Threat profile indicates highly resourced targeting of modernized grid balancing functions
  • Intelligence correlation suggests strategic interest in high-impact energy disruption windows

Communicator Stakeholder Interviews:

  • Grid leadership requires clear thresholds for manual override and staged automation rollback
  • Governance teams need defensible language for regulator and public briefings under uncertainty
  • Control operators need concise incident criteria to maintain safe decision cadence

Crisis Manager Strategic Coordination:

  • Round 1: Initiate critical-infrastructure reporting through {{regulatory_body}} and engage {{cyber_authority}} – escalation obligations under {{regulatory_framework}} exist regardless of investigation maturity; establish the compliance and notification timeline
  • Round 2: Manage dual pressures – regulatory communications must be accurate and timely but must not disrupt peak-demand operational decision-making; Crisis Manager owns the boundary between incident transparency and grid operational security
  • Round 3: Prepare public communication contingency – if grid operations degrade toward {{demand_window}}, communications must be pre-coordinated with {{regulatory_body}} and {{state_authority}} alignment
  • Round 5+: Lead federal critical infrastructure briefing through {{cyber_authority}}; engage energy sector information sharing on the vendor update pathway as a supply-chain attack vector

Threat Hunter APT Investigation:

  • Round 1: Hunt for pre-positioned implants beyond the compromised balancing systems – grid sabotage operations typically stage across multiple substations or grid management systems before activation; what else was accessed that hasn’t yet triggered an alert?
  • Round 2: Investigate the vendor update pathway – if this was a supply-chain attack, every other grid operator using the same vendor is potentially pre-compromised; develop indicators of compromise for sector-wide hunting
  • Round 3: Reconstruct adversary lateral movement through grid management infrastructure – the goal is identifying the full scope of access before {{demand_window}} creates pressure to declare the environment clean prematurely
  • Round 5+: Lead post-incident threat intelligence development on grid-targeting TTPs; coordinate with {{cyber_authority}} on sector-wide hunting campaign using indicators developed from this investigation

Mid-Scenario Pressure Points:

  • Hour 1: Dispatch teams report widening mismatch between planned and executed switching actions
  • Hour 2: Reliability stakeholders request confidence estimates before entering peak-load interval
  • Hour 3: Engineers identify additional unauthorized edits in balancing control domains
  • Hour 4: Leadership must choose between aggressive isolation and constrained continued operations

Evolution Triggers:

  • If manipulation persists into peak demand, local instability can propagate across regional connections
  • If rollback sequencing is rushed, human-operator overload can create secondary operational risk
  • If authority messaging is delayed, regulatory and public trust impacts escalate faster than recovery

Resolution Pathways:

Technical Success Indicators:

  • Unauthorized control changes are removed and validated against trusted operational baselines
  • Automation pathways are segmented with explicit trust and verification gates
  • Monitoring strategy detects process deception before dispatch-critical decisions
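The first and third indicators describe two checks a defender can actually automate: diffing live control parameters against a trusted, pinned baseline, and cross-checking field telemetry against what the control dashboard reports so that process deception surfaces before a dispatch decision relies on it. The following is an added illustration written for this page, not code from the scenario materials or any utility's systems; the parameter names, set-point values, tolerance and telemetry samples are all constructed, and the dotted point names are a hypothetical convention.

```python
"""Baseline validation and field-vs-dashboard telemetry cross-check.

Added example for the Technical Success Indicators; not part of the scenario
materials. All parameter names, values and telemetry readings are constructed.
"""
import hashlib
import json

# Constructed trusted baseline: balancing and switching set points as last
# approved through engineering change control. In practice this would be
# stored and signed out-of-band, not read from the control host being checked.
TRUSTED_BASELINE = {
    "feeder_07.voltage_setpoint_kv": 12.47,
    "feeder_07.reclose_delay_s": 2.0,
    "der_balancer.ramp_rate_pct_per_min": 5.0,
    "der_balancer.curtail_threshold_pct": 95.0,
}

# Constructed live parameter set read back from the controller. Two balancing
# values differ from the baseline; the feeder settings are untouched.
LIVE_PARAMS = {
    "feeder_07.voltage_setpoint_kv": 12.47,
    "feeder_07.reclose_delay_s": 2.0,
    "der_balancer.ramp_rate_pct_per_min": 25.0,
    "der_balancer.curtail_threshold_pct": 60.0,
}

# Constructed telemetry: the same measurement point as seen by the field
# device and as rendered on the control-center dashboard.
FIELD_TELEMETRY = {"feeder_07.voltage_kv": 11.90, "feeder_12.voltage_kv": 12.50}
DASHBOARD_TELEMETRY = {"feeder_07.voltage_kv": 12.47, "feeder_12.voltage_kv": 12.52}


def baseline_digest(params):
    """SHA-256 over a canonical JSON form, so the digest is independent of key
    order and can be pinned in change-control records and re-checked later."""
    canonical = json.dumps(params, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def logic_diff(baseline, live):
    """Return unauthorized edits as {name: (baseline_value, live_value)}.
    A parameter present on only one side is reported with None for the other."""
    diffs = {}
    for name in sorted(set(baseline) | set(live)):
        base_val, live_val = baseline.get(name), live.get(name)
        if base_val != live_val:
            diffs[name] = (base_val, live_val)
    return diffs


def telemetry_divergence(field, dashboard, tolerance_pct=2.0):
    """Flag points where the dashboard deviates from the field device by more
    than tolerance_pct, or is missing entirely. Each flag is a tuple
    (status, field_value, dashboard_value). A dashboard that keeps reporting
    the set point while the field reading drifts is the deception pattern the
    scenario describes, so the field value is treated as authoritative."""
    flagged = {}
    for point, field_val in field.items():
        dash_val = dashboard.get(point)
        if dash_val is None:
            flagged[point] = ("missing", field_val, None)
            continue
        scale = abs(field_val) if field_val else 1.0
        deviation_pct = abs(dash_val - field_val) / scale * 100.0
        if deviation_pct > tolerance_pct:
            flagged[point] = ("diverged", field_val, dash_val)
    return flagged


def assess(live_params, field, dashboard, baseline=TRUSTED_BASELINE):
    """Combine both checks into one decision record for the dispatch floor:
    automation is only considered dispatch-safe when the live parameters match
    the pinned baseline AND no telemetry point diverges from its field source."""
    edits = logic_diff(baseline, live_params)
    flags = telemetry_divergence(field, dashboard)
    return {
        "baseline_ok": baseline_digest(live_params) == baseline_digest(baseline),
        "unauthorized_edits": edits,
        "telemetry_flags": flags,
        "dispatch_safe": not edits and not flags,
    }


if __name__ == "__main__":
    result = assess(LIVE_PARAMS, FIELD_TELEMETRY, DASHBOARD_TELEMETRY)
    print(json.dumps(result, indent=2, default=str))
```

Run against the constructed inputs, the report shows `baseline_ok` false with two edited balancing parameters, one diverged voltage point on feeder 07, and `dispatch_safe` false; that is the state in which the scenario expects operators to fall back to manual safeguards rather than trust the automation layer.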

Business Success Indicators:

  • Service continuity remains stable through demand peaks with documented safeguards
  • Authority communication remains timely, evidence-based, and operationally consistent
  • Recovery improves long-term resilience without degrading normal grid performance

Learning Success Indicators:

  • Team demonstrates understanding of automation-layer sabotage in modern grid environments
  • Participants balance operational continuity with verification discipline under pressure
  • Group coordinates engineering, cyber, and governance roles through a high-consequence scenario

Common IM Facilitation Challenges:

If Teams Over-Rely on Dashboard Confidence:

“Field telemetry disagrees with control dashboards. Which source governs your safety decisions, and why?”

If Teams Delay Containment for Perfect Attribution:

“Attribution can continue in parallel, but peak demand is approaching. What containment action cannot wait?”

If Teams Ignore Regulator Coordination:

“Authorities request immediate status under critical-infrastructure obligations. What can you report confidently right now?”

Success Metrics for Session:

Template Compatibility

This scenario adapts to multiple session formats with appropriate scope and timing:

Quick Demo (35-40 minutes)

Structure: 3 investigation rounds, 1 decision round
Focus: Detect automation-layer compromise and establish immediate stability controls
Key Actions: Confirm manipulation scope, preserve service continuity, and define peak-load safeguards

Lunch & Learn (75-90 minutes)

Structure: 5 investigation rounds, 2 decision rounds
Focus: Balance dispatch reliability, containment sequencing, and authority engagement
Key Actions: Validate control integrity, stage rollback decisions, and align regulator reporting

Full Game (120-140 minutes)

Structure: 7 investigation rounds, 3 decision rounds
Focus: End-to-end smart-grid incident response under modernization and demand pressure
Key Actions: Coordinate cross-domain forensics, protect critical operations, and restore trusted automation

Advanced Challenge (150-170 minutes)

Structure: 8-9 investigation rounds, 4 decision rounds
Expert Elements: Ambiguous telemetry, contested rollback thresholds, and cascading-system risk
Additional Challenges: Multi-operator coordination, parallel regulatory scrutiny, and compressed demand windows

Quick Demo Materials (35-40 min)

Guided Investigation Clues

Pre-Defined Response Options

  • Option A: Stability-First Isolation

    • Action: Isolate affected automation domains, enforce manual dispatch controls, and defer full automation restart until validation completes.
    • Pros: Maximizes control certainty during peak-risk windows.
    • Cons: Reduces operational efficiency and increases operator workload.
    • Type Effectiveness: Super effective for immediate cascade-risk reduction.
  • Option B: Parallel Validation with Controlled Automation

    • Action: Keep low-risk automation active while validating high-risk domains with strict decision gates.
    • Pros: Preserves partial efficiency and faster service normalization.
    • Cons: Requires precise governance to prevent hidden manipulation from persisting.
    • Type Effectiveness: Moderately effective when verification ownership is clear.
  • Option C: Segmented Recovery and Demand Curtailment Support

    • Action: Restore validated feeders in phases and use demand-side support to reduce peak stress during recovery.
    • Pros: Balances reliability and resilience under constrained conditions.
    • Cons: Extends partial-risk period and complicates stakeholder coordination.
    • Type Effectiveness: Moderately effective with strong cross-team discipline.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Automation Compromise Mapping (30-35 min)

Round 2: Peak-Demand Decision and Authority Reporting (30-35 min)

Debrief Focus

  • How smart-grid modernization expands both resilience opportunities and attack surfaces
  • Which evidence thresholds should govern automation rollback versus controlled continuation
  • How to align cyber containment with dispatch reliability under peak-demand pressure
  • Which long-term controls harden trusted update pathways and balancing logic integrity