Stuxnet Scenario: Water Treatment SCADA Deployment

Stuxnet Scenario: Water Treatment SCADA Deployment

Clearwater Municipal Water Authority: Water utility with 200 employees serving 500,000 residents
Water SCADA Sabotage • Stuxnet
STAKES
Public water safety + Treatment integrity + Critical-service continuity + Regulatory confidence
HOOK
Control-room teams report mismatches between commanded and measured chemical dosing levels, anomalous actuator behavior in treatment loops, and contradictory telemetry across redundant monitoring channels. Security monitoring also detects unusual communications originating from recently commissioned SCADA components.
PRESSURE
  • Decision deadline: 3:30 PM
  • Population at risk: 500,000 residents
  • Facility profile: Water utility with 200 employees serving 500,000 residents
  • Exposure estimate: USD 12 million projected emergency treatment and recovery exposure
FRONT • 180 minutes • Expert
Clearwater Municipal Water Authority: Water utility with 200 employees serving 500,000 residents
Water SCADA Sabotage • Stuxnet
NPCs
  • Director Michael Torres (Managing Director): Owns strategic safety and escalation decisions
  • Sandra Williams (Plant Manager): Oversees treatment continuity and operational safeguards
  • Kevin Chen (SCADA Engineer): Leads control-system validation and isolation sequencing
  • Jennifer Park (Security Director): Coordinates containment, evidence quality, and authority engagement
SECRETS
  • Commissioning workflows introduced high-trust changes before full baseline validation completed
  • Process-control anomalies were initially masked by dashboard consistency assumptions
  • Timing indicates intent to exploit routine treatment operations rather than disruptive shutdown events

Planning Resources

Tip📋 Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

Stuxnet Water Treatment Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Note🎬 Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

Stuxnet Water Treatment SCADA Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support

Scenario Details for IMs

Hook

Initial Symptoms to Present:

Warning🚨 Initial User Reports
  • “Commanded chemical dosing values and measured concentrations are diverging”
  • “SCADA dashboards and independent instrumentation disagree on process status”
  • “Actuator timing in treatment loops no longer matches approved operating patterns”
  • “Commissioning-era control components show unusual communications and integrity alerts”

Key Discovery Paths:

Detective Investigation Leads:

  • Timeline reconstruction links anomalies to high-trust commissioning and update workflows
  • Logic-diff analysis reveals unauthorized edits in dosing and actuator control paths
  • Evidence chain suggests both process manipulation and monitoring-confidence degradation

Protector System Analysis:

  • Process validation identifies high-risk treatment stages requiring immediate manual safeguards
  • Monitoring review confirms critical mismatch between digital views and physical measurements
  • Containment design must preserve continuous safe treatment while restoring control trust

Tracker Network Investigation:

  • Session mapping shows coordinated command patterns across treatment-control tiers
  • Threat profile indicates strategic interest in essential public-service disruption pathways
  • Intelligence correlation supports highly resourced targeting of industrial control operations

Communicator Stakeholder Interviews:

  • Operations leaders need clear criteria for manual override and staged restoration decisions
  • Public-health teams require evidence-backed confidence statements for external communication
  • Regulatory stakeholders require structured interim updates during active containment

Crisis Manager Strategic Coordination:

  • Round 1: Initiate regulatory reporting to {{regulatory_body}} under public health safety obligations – confirm current treatment safety controls before any communication; own notification timing so authorities receive actionable information, not premature alarm
  • Round 2: Navigate the transparency tradeoff – public health authority needs enough information for independent safety decisions; premature public disclosure creates panic without enabling protective action
  • Round 3: Coordinate with {{cyber_authority}} and law enforcement on public endangerment assessment – active SCADA manipulation of water treatment may trigger criminal investigation authority parallel to standard cyber-incident response
  • Round 5+: Lead public communication when evidence supports it; coordinate with {{state_authority}} on consumer safety communications; engage water sector critical infrastructure protection programs on industry-wide notification

Threat Hunter APT Investigation:

  • Round 1: Determine adversary dwell time before the SCADA manipulation was discovered – water treatment attacks often involve extended reconnaissance of process control systems; how long has the attacker had access to chemical dosing parameters?
  • Round 2: Hunt for dormant implants in unaffected treatment systems and historian servers – if one facility is compromised, check whether neighboring facilities in the same water authority share the entry vector
  • Round 3: Investigate whether the active manipulation is designed to draw response resources away from a quieter, parallel objective – exfiltration of facility schematics, employee data, or emergency response procedures are high-value targets for a patient adversary
  • Round 5+: Develop sector-wide indicators of compromise for water treatment SCADA environments; contribute to {{cyber_authority}} and water sector ISAC on adversary TTPs and hunting methodology for this attack class

Mid-Scenario Pressure Points:

  • Hour 1: Laboratory checks confirm expanding variance in treatment output quality metrics
  • Hour 2: Regulatory stakeholders request immediate assurance on current water safety controls
  • Hour 3: Engineers identify additional unauthorized changes in control logic dependencies
  • Hour 4: Leadership must choose between aggressive isolation and constrained continued treatment

Evolution Triggers:

  • If manipulation persists, treatment reliability may degrade beyond safe operating margins
  • If fallback sequencing is delayed, operator burden and process risk both increase rapidly
  • If reporting cadence is weak, public trust impacts can outpace technical recovery progress

Resolution Pathways:

Technical Success Indicators:

  • Unauthorized control changes are removed and validated against trusted process baselines
  • Monitoring trust is restored through independent verification and calibrated reconciliation
  • Commissioning and update pathways are hardened with explicit integrity checks

Business Success Indicators:

  • Safe water delivery remains stable throughout containment and recovery phases
  • Authority communications remain timely, evidence-based, and operationally coherent
  • Long-term resilience improves without reducing day-to-day treatment reliability

Learning Success Indicators:

  • Team demonstrates practical understanding of SCADA sabotage in water-treatment contexts
  • Participants balance public-health priorities with forensic and containment discipline
  • Group coordinates engineering, cybersecurity, and governance roles effectively

Common IM Facilitation Challenges:

If Teams Trust Dashboards Over Field Reality:

“Independent instruments and SCADA screens disagree. Which source governs safety decisions, and how do you justify that choice?”

If Teams Delay Public-Health Safeguards:

“Containment is ongoing, but treatment confidence is contested. What immediate safeguards protect residents while verification continues?”

If Teams Postpone Authority Reporting:

“Regulators request an interim status now. What can you state with confidence, and what remains explicitly unverified?”

Success Metrics for Session:

Template Compatibility

This scenario adapts to multiple session formats with appropriate scope and timing:

Quick Demo (35-40 minutes)

Structure: 3 investigation rounds, 1 decision round
Focus: Detect treatment-control compromise and establish immediate safety safeguards
Key Actions: Validate process integrity, activate manual controls, and set reporting cadence

Lunch & Learn (75-90 minutes)

Structure: 5 investigation rounds, 2 decision rounds
Focus: Balance treatment continuity, containment speed, and authority coordination
Key Actions: Confirm manipulation scope, restore monitoring trust, and align escalation workflow

Full Game (120-140 minutes)

Structure: 7 investigation rounds, 3 decision rounds
Focus: End-to-end water-sector SCADA response under public-health and regulatory pressure
Key Actions: Coordinate forensics, stabilize operations, and harden commissioning pathways

Advanced Challenge (150-170 minutes)

Structure: 8-9 investigation rounds, 4 decision rounds
Expert Elements: Ambiguous quality telemetry, contested shutdown thresholds, and confidence tradeoffs
Additional Challenges: Public communication stress, overlapping regulator demands, and constrained staffing

Quick Demo Materials (35-40 min)

Guided Investigation Clues

Pre-Defined Response Options

  • Option A: Safety-First Manual Control

    • Action: Isolate contested SCADA domains, switch to manual verified dosing, and defer automation restoration until full validation completes.
    • Pros: Maximizes confidence in treatment safety and process control.
    • Cons: Increases operator workload and reduces near-term operational efficiency.
    • Type Effectiveness: Super effective for immediate public-health risk reduction.

  • Option B: Parallel Validation with Limited Automation

    • Action: Keep low-risk automation active while validating high-risk dosing domains under strict guardrails.
    • Pros: Maintains partial efficiency while improving verification speed.
    • Cons: Requires disciplined governance to avoid hidden manipulation persistence.
    • Type Effectiveness: Moderately effective when decision gates are enforced.

  • Option C: Segmented Recovery with Enhanced Sampling

    • Action: Restore validated treatment stages first and increase physical sampling to support staged automation return.
    • Pros: Balances continuity with strong physical verification.
    • Cons: Extends partial-risk operations and coordination complexity.
    • Type Effectiveness: Moderately effective with rigorous oversight.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Control Integrity Mapping (30-35 min)

Round 2: Public-Health Decision and Regulator Coordination (30-35 min)

Debrief Focus

  • How water-sector attacks can erode trust in process visibility before causing obvious disruption
  • Which evidence standards should govern manual override and staged automation return
  • How to align public-health priorities with cyber containment under time pressure
  • Which long-term controls harden SCADA commissioning and update pathways