Stuxnet Scenario: Water Treatment SCADA Deployment
Scenario Details for IMs
Opening Presentation
“It’s Monday morning at Metro Water Authority, and the new SCADA system that will modernize water treatment operations for 500,000 residents is nearly operational. The system must demonstrate EPA compliance within two weeks, but water operations staff are noticing subtle inconsistencies between chemical dosing commands and actual treatment levels. Initial investigation suggests that sophisticated malware may have compromised the industrial control systems during the installation process, potentially threatening both public water safety and federal regulatory compliance.”
Initial Symptoms to Present:
- “Water treatment chemical dosing showing slight discrepancies between commanded and actual levels”
- “SCADA monitoring displays showing normal operations while field measurements suggest different chemical concentrations”
- “Network monitoring detecting unexpected communication patterns on water treatment control networks”
- “System installation contractors reporting unusual behavior during recent SCADA deployment activities”
Key Discovery Paths:
Detective Investigation Leads:
- Forensic analysis reveals sophisticated malware specifically designed for water treatment industrial controls
- SCADA system examination shows manipulation of chemical dosing controls with concealed monitoring
- Installation timeline analysis reveals compromise during system modernization and network integration
Protector System Analysis:
- Water treatment monitoring reveals discrepancies between control commands and actual chemical processes
- Industrial control system integrity analysis shows potential manipulation of safety-critical treatment functions
- Network security assessment reveals compromise of air-gapped water treatment control networks
Tracker Network Investigation:
- Traffic analysis reveals covert command and control communication through water treatment networks
- Chemical process monitoring shows subtle manipulation patterns designed to avoid detection
- Attribution analysis suggests nation-state-level sophistication targeting critical water infrastructure
Communicator Stakeholder Interviews:
- Water treatment operators describe subtle inconsistencies in chemical dosing and system responses
- SCADA installation contractors explain procedures that may have introduced compromise vectors
- Regulatory compliance staff describe federal requirements for water safety monitoring and incident reporting
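The Protector discovery path and the Hour 3 pressure point hinge on one check: the commanded dose, the value the primary SCADA display reports, and an independent field measurement should all agree, and a display that agrees with the command while the field value drifts is the signature worth escalating. The script below is an added example for this exercise, not part of the original materials; the dosing samples, the 0.05 mg/L tolerance and the three-interval run threshold are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class DosingSample:
    minute: int      # minutes since shift start (constructed)
    setpoint: float  # commanded dose, mg/L (constructed)
    hmi: float       # dose shown on the primary SCADA display
    field: float     # independent backup sensor or lab grab sample


def classify(sample: DosingSample, tol: float = 0.05) -> str:
    """Label one interval by which readings agree with the command."""
    hmi_ok = abs(sample.hmi - sample.setpoint) <= tol
    field_ok = abs(sample.field - sample.setpoint) <= tol
    if hmi_ok and field_ok:
        return "consistent"
    if hmi_ok:                 # display says all is well, the process does not
        return "masked"
    if field_ok:               # process is fine, display is wrong: telemetry fault
        return "display-fault"
    return "visible-deviation"  # both disagree: an operator would see this


def masked_runs(samples, tol: float = 0.05, min_len: int = 3):
    """Return (start_minute, end_minute) spans of at least min_len consecutive
    'masked' intervals; a single masked sample is treated as noise."""
    runs, current = [], []
    for s in list(samples) + [None]:  # trailing None flushes the last run
        if s is not None and classify(s, tol) == "masked":
            current.append(s)
            continue
        if len(current) >= min_len:
            runs.append((current[0].minute, current[-1].minute))
        current = []
    return runs


# Constructed 45-minute window: normal, then the display tracks the command
# while the field value drifts low, then a deviation both sources show.
SAMPLES = [DosingSample(m, 2.0, h, f) for m, h, f in [
    (0, 2.01, 1.98), (5, 1.99, 2.02), (10, 2.00, 2.01),
    (15, 2.00, 1.85), (20, 2.01, 1.80), (25, 2.00, 1.76), (30, 1.99, 1.72),
    (35, 1.70, 1.70), (40, 2.00, 2.00),
]]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.minute, classify(s))
    print("masked runs:", masked_runs(SAMPLES))
```

Feeding real backup-sensor or lab data into `field` while the HMI feed supplies `hmi` turns this into the cross-check the scenario's operations manager performs by hand at Hour 3.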
Mid-Scenario Pressure Points:
- Hour 1: Water quality lab reports trace chemical levels slightly outside normal treatment parameters
- Hour 2: EPA regional administrator calls to schedule compliance verification for new SCADA system
- Hour 3: Operations manager discovers that backup monitoring systems show different readings than primary SCADA displays
- Hour 4: Public health department inquires about water quality reports after receiving citizen complaints about taste changes
Evolution Triggers:
- If the malware manipulation continues, water quality could degrade beyond safe drinking standards
- If the EPA compliance deadline is missed, federal penalties and regulatory intervention become inevitable
- If the attack involves a nation-state adversary targeting water infrastructure, federal security agencies and critical infrastructure protection protocols activate
Resolution Pathways:
Technical Success Indicators:
- Team identifies sophisticated malware and industrial control system manipulation
- Water treatment process integrity restored through comprehensive system validation and malware removal
- SCADA system security enhanced to prevent future compromise while maintaining EPA compliance capabilities
Business Success Indicators:
- Public water safety maintained throughout cybersecurity incident response and system recovery
- EPA compliance demonstration completed on schedule with verified system integrity
- Federal regulatory requirements met while addressing sophisticated cybersecurity threat
Learning Success Indicators:
- Team understands nation-state threats to critical infrastructure and advanced persistent threat capabilities
- Participants recognize water treatment cybersecurity challenges and public safety implications
- Group demonstrates coordination between cybersecurity, public health, and regulatory compliance
Common IM Facilitation Challenges:
If Public Safety Impact Is Minimized:
“While you’re analyzing the technical details, Dr. Kim just confirmed that water treatment chemical levels are outside normal parameters, potentially affecting drinking water for 500,000 residents. How do you balance cybersecurity investigation with immediate public health protection?”
If Regulatory Complexity Is Overwhelming:
“The EPA compliance details are complex, but the fundamental question is simple: can the water authority demonstrate that their new monitoring systems are accurate and trustworthy for protecting public health?”
If Critical Infrastructure Context Is Missed:
“Alexandra just realized that this attack specifically targets water treatment controls, not random systems. What does this suggest about the threat actor’s objectives and the broader implications for critical infrastructure?”