Stuxnet Scenario: Water Treatment SCADA Deployment

Metro Water Authority: Regional water treatment, 300 employees, serves 500,000 residents
APT • Stuxnet
STAKES
Public water safety + EPA compliance + Critical infrastructure protection
HOOK
Metro Water Authority is completing the installation of a new SCADA system to modernize their water treatment operations and meet updated EPA monitoring requirements. The sophisticated attack began when the new system was brought online last week, and malware is now manipulating water treatment chemical dosing while hiding its activities from monitoring systems.
PRESSURE
EPA compliance deadline in 2 weeks - new SCADA system must be operational or face federal penalties
FRONT • 150 minutes • Expert
Metro Water Authority: Regional water treatment, 300 employees, serves 500,000 residents
APT • Stuxnet
NPCs
  • Linda Zhang (Water Operations Manager): Noticing subtle anomalies in water treatment chemical levels, must balance public safety with system modernization and EPA compliance
  • Dr. Samuel Foster (Water Quality Director): Responsible for ensuring treated water meets all safety standards, discovering that monitoring systems may not be showing accurate chemical dosing information
  • Alexandra Wu (SCADA Systems Engineer): Leading new control system deployment, realizing that sophisticated malware may have compromised industrial controls during installation phase
  • Michael Park (EPA Regional Administrator): Expecting compliance demonstration with new monitoring systems, represents federal regulatory authority and public health protection
SECRETS
  • New SCADA system installation created temporary vulnerabilities in air-gapped water treatment networks
  • Nation-state adversary specifically targets water infrastructure during system modernization and upgrade periods
  • Sophisticated malware manipulates chemical dosing controls while providing false normal readings to operators

Planning Resources

Tip📋 Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

Stuxnet Water Treatment Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Note🎬 Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

Stuxnet Water Treatment SCADA Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support

Scenario Details for IMs

Metro Water Authority: Critical Infrastructure Under EPA Compliance Deadline

Organization Profile

  • Type: Regional municipal water utility providing drinking water treatment, distribution infrastructure management, wastewater processing, and public health protection services for metropolitan service area encompassing 500,000 residential, commercial, and industrial customers across three-county jurisdiction
  • Size: 300 employees distributed across operational functions including 85 water treatment plant operators managing chemical dosing systems, filtration processes, and water quality monitoring on rotating 24/7 shifts maintaining continuous treatment operations, 60 field service technicians maintaining distribution pipeline infrastructure, valve operations, and leak detection systems spanning 2,800 miles of water mains, 45 SCADA systems engineers and control room operators monitoring automated treatment processes including chlorination dosing, pH adjustment, and fluoride addition requiring microsecond precision timing, 35 water quality laboratory technicians conducting EPA-mandated testing protocols analyzing samples for bacterial contamination, chemical compliance, and regulatory reporting, 25 wastewater treatment operators managing sewage processing facilities serving 350,000 residents, 20 engineering and capital projects staff coordinating infrastructure modernization including $45 million SCADA system upgrade replacing 30-year-old legacy control systems, 15 regulatory compliance specialists managing EPA reporting requirements and Safe Drinking Water Act obligations, 10 emergency response coordinators maintaining water supply contingency plans, 5 cybersecurity and IT infrastructure personnel implementing critical infrastructure protection measures, and additional administrative support coordinating public communications, customer service, and utility billing operations
  • Annual Operations: Treating and distributing 65 million gallons of drinking water daily serving 500,000 residents with zero tolerance for contamination events that could create public health emergencies, operating five water treatment plants processing raw water from reservoirs through coagulation, sedimentation, filtration, and disinfection stages requiring precise chemical dosing calibrated to

EPA Maximum Contaminant Level standards, maintaining SCADA systems controlling 340 automated processes including chlorine injection pumps dosing 1,200 pounds of disinfectant daily with ±2% precision requirements preventing both under-chlorination (bacterial contamination risk) and over-chlorination (toxic exposure hazard), managing distribution pressure zones maintaining 40-80 PSI throughout pipeline network preventing contamination backflow while avoiding pipe ruptures from excessive pressure, conducting 15,000 water quality tests monthly analyzing samples for 90+ regulated contaminants including coliform bacteria, lead, arsenic, disinfection byproducts, and emerging contaminants under EPA oversight, processing 28 million gallons of wastewater daily through biological treatment removing organic matter and pathogens before discharge to receiving waters under National Pollutant Discharge Elimination System permits, coordinating emergency water supply alternatives including interconnections with neighboring utilities providing redundancy during treatment disruptions or contamination events, implementing $45 million SCADA modernization project replacing Siemens programmable logic controllers and upgrading human-machine interface systems to meet EPA cybersecurity requirements and improve operational resilience, maintaining regulatory compliance with Safe Drinking Water Act requirements enforced through quarterly EPA inspections and annual Safe Drinking Water Information System reporting, supporting critical facilities including hospitals, schools, emergency services, and essential businesses dependent on continuous water availability, and implementing public health protection protocols requiring immediate notification to health departments if water quality violations threaten consumer safety - Critical Infrastructure Designation: Metro Water Authority operates EPA-designated critical infrastructure under Department of Homeland Security sector-specific protections requiring enhanced physical security, cybersecurity controls, and incident reporting—water systems represent high-value targets for nation-state adversaries seeking to create public health crises, undermine public confidence in government services, and demonstrate capacity for critical infrastructure disruption during geopolitical conflicts or as precursor to kinetic military operations - Current EPA Compliance Crisis: Environmental Protection Agency issued compliance order requiring Metro Water Authority to complete SCADA system modernization within 14 days (deadline: Monday two weeks from today)—EPA inspectors discovered that legacy 30-year-old control systems lacked required cybersecurity protections mandated under America’s Water Infrastructure Act of 2018, creating violations subject to federal enforcement actions including $25,000 per day civil penalties, potential criminal prosecution of utility executives for willful noncompliance, mandatory EPA emergency oversight of operations, and possible federal takeover of water system management if compliance not achieved - Technology Infrastructure: Operating Supervisory Control and Data Acquisition systems managing automated water treatment processes including chlorine injection pumps requiring microsecond timing precision, pH adjustment chemical dosing maintaining 6.5-8.5 range, fluoride addition for dental health at 0.7 mg/L target concentration, coagulation polymer dosing optimizing particle removal, and filtration backwash cycles preventing filter clogging—these industrial control systems utilize Siemens S7-300 programmable logic controllers executing real-time treatment recipes that human operators cannot manually replicate due to complex interdependencies between chemical dosing rates, flow rates, and water chemistry parameters, implementing air-gapped network architecture physically isolating critical treatment control systems from corporate IT networks and external internet connectivity through strict prohibition of wireless devices and removable media within secure control rooms, maintaining water quality monitoring infrastructure including online turbidity sensors detecting particulate contamination, chlorine residual analyzers ensuring adequate disinfection, and pH meters triggering automated dosing adjustments, supporting emergency shutdown systems capable of halting treatment operations within 30 seconds if sensor readings indicate dangerous conditions threatening public health, and coordinating with regional water quality laboratories conducting independent verification testing validating that automated SCADA processes maintain EPA compliance throughout distribution system

Key Assets & Impact

Impossible Decision Framework - Every Choice Creates Catastrophic Outcomes:

Metro Water Authority faces three simultaneously critical imperatives where protecting one asset category necessarily compromises others, creating impossible tradeoffs during EPA compliance deadline crisis:

Asset Category 1: Public Water Safety & EPA Regulatory Compliance

  • What’s at stake: 500,000 residents depend on Metro Water Authority for safe drinking water meeting EPA Maximum Contaminant Level standards—any compromise to SCADA system integrity means utility cannot verify whether chemical dosing systems operate within specification tolerances or whether water quality violations exist that automated monitoring failed to detect due to malware manipulation of sensor readings and database records, creating public health crisis where contaminated water could reach consumers before laboratory testing reveals violations
  • Current vulnerabilities discovered: Stuxnet malware successfully infiltrated air-gapped SCADA networks controlling chlorine injection systems, manipulating dosing parameters to introduce variations of 15% from target concentrations that exceed EPA safe drinking water tolerances—malware simultaneously modified sensor database records to show compliance readings despite actual chlorine levels fluctuating between dangerously low concentrations (creating bacterial contamination risk) and excessively high concentrations (creating toxic exposure hazard requiring public notification)
  • Cascading failure scenario if compromised: Delivering under-chlorinated water to 500,000 residents creates bacterial contamination risk potentially causing waterborne disease outbreak affecting thousands of consumers requiring hospitalization, EPA emergency response including mandatory boil-water notices disrupting businesses and essential services, public health crisis eroding community confidence in water utility competence, potential outbreak of Legionnaires’ disease, giardiasis, or cryptosporidiosis creating CDC investigation and media coverage, wrongful death litigation from families of vulnerable populations including infants, elderly, and immunocompromised individuals experiencing fatal infections, EPA enforcement action including $25,000 per day civil penalties multiplied by violation duration, criminal prosecution of utility executives under Safe Drinking Water Act provisions for willful endangerment, federal takeover of water system operations if EPA determines management incapable of protecting public health, and Metro Water Authority’s operational credibility permanently destroyed if community perceives utility cannot maintain basic water safety obligations

Asset Category 2: EPA Compliance Deadline & Federal Enforcement Exposure

  • What’s at stake: EPA compliance order requires SCADA modernization completion within 14 days or Metro Water Authority faces $25,000 daily civil penalties beginning immediately after deadline—but Stuxnet infection discovered during final system testing means completing modernization requires removing compromised controllers, forensic investigation to determine infection scope, and comprehensive validation that new SCADA systems operate with integrity before declaring compliance achievement, consuming time the EPA deadline doesn’t allow
  • Current vulnerabilities discovered: Stuxnet infiltrated new Siemens S7-300 PLCs during installation through infected USB drives used by contractor technicians commissioning upgraded control systems—malware remained dormant for 45 days after installation before activating manipulation capabilities, meaning EPA compliance deadline approach triggered the exact scenario where infection would be discovered too late for remediation before regulatory deadline expiration
  • Cascading failure scenario if compromised: Missing EPA deadline triggers immediate $25,000 daily civil penalties totaling $175,000 per week, $750,000 per month, and $9.1 million annually if violations continue—EPA escalation to federal enforcement includes compliance order modification requiring third-party oversight of all water treatment operations at Metro Water Authority expense, mandatory quarterly reporting to EPA demonstrating progress toward cybersecurity compliance, potential criminal referral to Department of Justice if EPA determines utility executives demonstrated willful disregard for public health protection, designation as high-risk water system requiring intensive EPA scrutiny affecting future grant funding eligibility, and community perception that Metro Water Authority management is incapable of meeting basic regulatory obligations potentially influencing local election outcomes for utility board members appointed through municipal governance processes

Asset Category 3: SCADA Operational Integrity & Treatment Process Reliability

  • What’s at stake: Water treatment operations require absolute confidence that chemical dosing systems operate within EPA specification tolerances—any compromise to PLC programming means Metro Water Authority cannot verify whether chlorine concentrations, pH levels, fluoride dosing, and filtration processes meet safety standards or whether process deviations exist that automated monitoring systems failed to detect due to malware manipulation of sensor interfaces and control logic
  • Current vulnerabilities discovered: Stuxnet specifically targeted chlorine injection PLC programming, introducing parameter variations synchronized with water flow rate changes that created dosing fluctuations difficult to detect through normal process monitoring—malware modified both controller setpoints and sensor calibration databases, meaning even independent verification testing might not reveal manipulation if laboratory samples were collected during brief periods when dosing happened to align with target specifications by chance
  • Cascading failure scenario if compromised: Continuing water treatment operations without complete SCADA validation means potentially delivering contaminated water to 500,000 residents while incorrectly believing automated safety systems are protecting public health, delayed discovery of contamination after consumers experience illness creates massive public health response requiring whole-system flushing of distribution network consuming 780 million gallons of treated water at $2.8 million cost, EPA emergency intervention including mandatory third-party oversight of all operations until system integrity validated, community loss of confidence in tap water safety leading to bottled water purchases depleting regional supplies and creating panic buying, essential services including hospitals and schools unable to rely on municipal water requiring emergency supply alternatives, and Metro Water Authority’s fundamental mission of public health protection becomes compromised if technical systems cannot be trusted to maintain safety standards

The Fundamental Impossibility:

Any prioritization sequence necessarily creates cascading failures across other asset categories—meeting EPA compliance deadline requires certifying SCADA system integrity without comprehensive forensic validation risking public health if malware manipulation remains undetected, halting operations for thorough investigation guarantees missing EPA deadline triggering federal enforcement and daily penalties, and disclosing SCADA compromise to EPA triggers emergency oversight potentially including federal takeover of utility management. Every path forward through this crisis requires accepting catastrophic consequences in at least one critical domain while attempting to minimize damage across competing imperatives during 14-day window before EPA deadline expires.

Immediate Business Pressure: The EPA Compliance Deadline Creating Public Health Stakes

Monday Morning, 7:30 AM - The Final System Testing Discovery:

Dr. James Rodriguez, Metro Water Authority’s Director of Operations, stood in the main control room watching the final validation testing of the new SCADA system that represented two years of planning and $45 million in infrastructure investment. The EPA compliance deadline loomed exactly fourteen days away—Monday two weeks from today at 5:00 PM. After that deadline, $25,000 daily civil penalties would begin accumulating, EPA enforcement actions would escalate, and federal oversight would transform Metro Water Authority from independent municipal utility into supervised critical infrastructure under emergency federal management.

Sarah Chen, the lead control systems engineer, initiated the automated chlorine dosing test sequence. The new Siemens S7-300 programmable logic controllers should execute precise chemical injection synchronized with water flow rates—maintaining target chlorine residual of 1.2 mg/L throughout the distribution system serving 500,000 residents. The test ran for thirty seconds. Chlorine pump activated. Flow sensor responded. Chemical dosing calculated. All systems appeared normal.

Then Sarah’s expression shifted from routine validation to professional alarm. “Dr. Rodriguez, I’m seeing anomalous behavior in the PLC process variables. The chlorine dosing calculations show correct values in the operator interface, but when I query the controller directly through diagnostic mode, the actual setpoints being executed are 15% higher than displayed values.”

James felt his stomach tighten. Fifteen percent chlorine overdosing would push concentrations above EPA Maximum Contaminant Level of 4.0 mg/L—creating toxic exposure hazard requiring immediate public notification and potential health effects in vulnerable populations. But the SCADA operator screens showed perfect compliance. Sensors reported normal readings. Alarm systems remained silent. How could the system be simultaneously violating safety standards while displaying perfect operation?

The Nation-State Infrastructure Attack:

By 10:45 AM, forensic analysis revealed findings that transformed routine system testing into national security crisis. The Siemens PLCs controlling chlorine injection contained sophisticated malware specifically designed to manipulate water treatment processes while concealing manipulation from human operators and automated safety monitoring.

Marcus Webb, Metro Water Authority’s cybersecurity consultant brought in for the SCADA modernization project, presented his findings to emergency executive meeting. “This is Stuxnet variant customized for water treatment infrastructure. The malware exploits zero-day vulnerabilities in Siemens PLC firmware, uses stolen digital certificates making it appear as legitimate manufacturer updates, and implements rootkit techniques hiding its presence from standard industrial control system security tools.”

The malware’s technical sophistication indicated nation-state capabilities. It intercepted commands from the supervisory control system, modified chlorine dosing setpoints, executed altered chemical injection rates, then reported false data back to the operator interface making it appear that target specifications were maintained. The modifications were carefully calibrated—sometimes reducing chlorine to dangerous lows creating bacterial contamination risk, other times increasing dosing to toxic levels creating disinfection byproduct hazards.

Most alarmingly, forensic evidence suggested the malware had infiltrated Metro Water Authority’s systems during contractor installation of the new SCADA equipment six weeks ago. USB drives used by Siemens technicians to load PLC programming contained the malware embedded in commissioning files. It remained dormant for 45 days, establishing persistence and mapping network architecture, before activating manipulation capabilities during final pre-compliance testing period.

Dr. Rodriguez processed the implications with growing horror. “How did nation-state malware target our water utility specifically during our EPA compliance upgrade?”

Marcus displayed intelligence briefings on the conference room screen. “Water infrastructure represents strategic target for geopolitical adversaries. Your $45 million SCADA modernization was publicly announced through municipal bond issuance documents. Adversaries monitor these procurement activities specifically to time infrastructure attacks during system transitions when air-gapped security controls are temporarily relaxed for contractor access. The EPA compliance deadline creates maximum pressure for completing installation without thorough security validation—exactly the vulnerability this attack exploits.”

The strategic targeting precision terrified James more than the technical sophistication. This wasn’t opportunistic malware—it was deliberate nation-state operation against U.S. critical infrastructure timed to maximize disruption during regulatory compliance pressure.

The 14-Day Impossible Calculation:

Jennifer Martinez, Metro Water Authority’s General Manager, outlined the impossible choice confronting utility leadership. “We have fourteen days until EPA compliance deadline. Our options are:

Option 1: Complete SCADA installation per original schedule, certify EPA compliance, but accept that malware-compromised controllers may be delivering contaminated water to 500,000 residents while safety monitoring shows false normal readings.

Option 2: Halt modernization to conduct comprehensive forensic investigation, guarantee missing EPA deadline triggering $25,000 daily penalties and federal enforcement escalation potentially including EPA takeover of operations.

Option 3: Disclose SCADA compromise to EPA seeking deadline extension, trigger emergency federal response including mandatory third-party oversight, media coverage creating public panic about water safety, and community loss of confidence in utility competence.

Every option creates catastrophic outcome. Every delay makes all options worse. We have fourteen days to choose which type of failure Metro Water Authority will experience.”

The conference room silence carried weight of 500,000 residents depending on safe drinking water, EPA regulatory authority, and potential public health crisis. Dr. Rodriguez recognized that his next decision would define Metro Water Authority’s future—and potentially determine whether contaminated water reached consumers before utility discovered the manipulation.

Critical Timeline & Operational Deadlines

Pre-Crisis Timeline: - Six weeks ago: Contractor installation of new Siemens S7-300 PLCs, malware infiltration via infected USB drives - Day -45 to Day -7: Malware dormancy period establishing persistence - Last week: Malware activation during final pre-compliance testing

Immediate Crisis Timeline: - Monday, 7:30 AM (Session Start): Final SCADA validation testing discovers anomalous chlorine dosing behavior - Monday, 10:45 AM: Forensic analysis confirms Stuxnet variant infection - Monday, 2:00 PM: Emergency executive meeting convened - EPA Compliance Deadline: Monday +14 days, 5:00 PM - SCADA modernization must be complete or $25,000/day penalties begin

Decision Deadlines: - 48 hours: Window for EPA notification if seeking deadline extension - 14 days total: Complete compliance or face federal enforcement

Cultural & Organizational Factors: How EPA Compliance Pressure Created SCADA Vulnerability

Factor 1: Contractor installation schedule pressure bypassed USB security controls during SCADA commissioning

Factor 2: EPA deadline urgency created organizational pressure to complete system testing quickly rather than thoroughly

Factor 3: Air-gapped architecture created false confidence that physical isolation provided adequate security

Factor 4: Critical infrastructure operational continuity requirements prevented complete system shutdown for comprehensive security validation

Operational Context: Municipal Water Utility Under Federal Oversight

Metro Water Authority operates as municipally-owned utility serving public health mission under EPA regulatory oversight enforcing Safe Drinking Water Act requirements—federal compliance framework mandates water quality standards, treatment technology requirements, monitoring protocols, and public notification procedures creating legal obligations beyond normal business operations where public health protection takes absolute priority over financial considerations or operational convenience.

Key Stakeholders & Their Conflicting Imperatives

Stakeholder 1: Dr. James Rodriguez - Director of Operations Stakeholder 2: Sarah Chen - Control Systems Engineer Stakeholder 3: Jennifer Martinez - General Manager Stakeholder 4: EPA Regional Administrator (External Authority)

Why This Matters

You’re not just removing malware from water treatment systems—you’re determining whether critical infrastructure protection obligations override operational compliance deadlines when EPA enforcement creates pressure to certify systems before security validation is complete.

You’re not just meeting regulatory requirements—you’re defining whether public health safety standards mean accepting federal penalties to ensure water quality integrity, or prioritizing compliance deadlines through system certification carrying contamination risks.

You’re not just responding to SCADA compromise—you’re demonstrating whether municipal utilities can protect critical infrastructure against nation-state adversaries, or whether water systems represent vulnerable targets requiring federal security mandates.

IM Facilitation Notes

1. Emphasize public health stakes—500,000 residents depending on safe drinking water makes technical decisions directly impact community safety

2. Make EPA compliance pressure tangible through specific penalty calculations and federal enforcement escalation pathways

3. Use Dr. Rodriguez to create operational expertise perspective prioritizing public health over regulatory convenience

4. Present nation-state adversary targeting as strategic infrastructure attack rather than opportunistic malware

5. Address tension between EPA cybersecurity compliance requirements and actual cybersecurity effectiveness

6. Celebrate transparent response prioritizing public health notification and federal cooperation over regulatory deadline preservation

Opening Presentation

“It’s Monday morning at Metro Water Authority, and the new SCADA system that will modernize water treatment operations for 500,000 residents is nearly operational. The system must demonstrate EPA compliance within two weeks, but water operations staff are noticing subtle inconsistencies between chemical dosing commands and actual treatment levels. Initial investigation suggests that sophisticated malware may have compromised the industrial control systems during the installation process, potentially threatening both public water safety and federal regulatory compliance.”

Initial Symptoms to Present:

Warning🚨 Initial User Reports
  • “Water treatment chemical dosing showing slight discrepancies between commanded and actual levels”
  • “SCADA monitoring displays showing normal operations while field measurements suggest different chemical concentrations”
  • “Network monitoring detecting unexpected communication patterns on water treatment control networks”
  • “System installation contractors reporting unusual behavior during recent SCADA deployment activities”

Key Discovery Paths:

Detective Investigation Leads:

  • Forensic analysis reveals sophisticated malware specifically designed for water treatment industrial controls
  • SCADA system examination shows manipulation of chemical dosing controls with concealed monitoring
  • Installation timeline analysis reveals compromise during system modernization and network integration

Protector System Analysis:

  • Water treatment monitoring reveals discrepancies between control commands and actual chemical processes
  • Industrial control system integrity analysis shows potential manipulation of safety-critical treatment functions
  • Network security assessment reveals compromise of air-gapped water treatment control networks

Tracker Network Investigation:

  • Traffic analysis reveals covert command and control communication through water treatment networks
  • Chemical process monitoring shows subtle manipulation patterns designed to avoid detection
  • Attribution analysis suggests nation-state-level sophistication targeting critical water infrastructure

Communicator Stakeholder Interviews:

  • Water treatment operators describe subtle inconsistencies in chemical dosing and system responses
  • SCADA installation contractors explain procedures that may have introduced compromise vectors
  • Regulatory compliance staff describe federal requirements for water safety monitoring and incident reporting

Mid-Scenario Pressure Points:

  • Hour 1: Water quality lab reports trace chemical levels slightly outside normal treatment parameters
  • Hour 2: EPA regional administrator calls to schedule compliance verification for new SCADA system
  • Hour 3: Operations manager discovers that backup monitoring systems show different readings than primary SCADA displays
  • Hour 4: Public health department inquires about water quality reports after receiving citizen complaints about taste changes

Evolution Triggers:

  • If malware manipulation continues, water quality could degrade beyond safe drinking standards
  • If EPA compliance deadline is missed, federal penalties and regulatory intervention become inevitable
  • If attack involves nation-state adversary targeting water infrastructure, federal security agencies and critical infrastructure protection protocols activate

Resolution Pathways:

Technical Success Indicators:

  • Team identifies sophisticated malware and industrial control system manipulation
  • Water treatment process integrity restored through comprehensive system validation and malware removal
  • SCADA system security enhanced to prevent future compromise while maintaining EPA compliance capabilities

Business Success Indicators:

  • Public water safety maintained throughout cybersecurity incident response and system recovery
  • EPA compliance demonstration completed on schedule with verified system integrity
  • Federal regulatory requirements met while addressing sophisticated cybersecurity threat

Learning Success Indicators:

  • Team understands nation-state threats to critical infrastructure and advanced persistent threat capabilities
  • Participants recognize water treatment cybersecurity challenges and public safety implications
  • Group demonstrates coordination between cybersecurity, public health, and regulatory compliance

Common IM Facilitation Challenges:

If Public Safety Impact Is Minimized:

“While you’re analyzing the technical details, Dr. Kim just confirmed that water treatment chemical levels are outside normal parameters, potentially affecting drinking water for 500,000 residents. How do you balance cybersecurity investigation with immediate public health protection?”

If Regulatory Complexity Is Overwhelming:

“The EPA compliance details are complex, but the fundamental question is simple: can the water authority demonstrate that their new monitoring systems are accurate and trustworthy for protecting public health?”

If Critical Infrastructure Context Is Missed:

“Alexandra just realized that this attack specifically targets water treatment controls - not random systems. What does this suggest about the threat actor’s objectives and the broader implications for critical infrastructure?”

Success Metrics for Session:

Template Compatibility

This scenario adapts to multiple session formats with appropriate scope and timing:

Quick Demo (35-40 minutes)

Structure: 3 investigation rounds, 1 decision round Focus: Core SCADA compromise discovery and immediate water safety response Simplified Elements: Streamlined EPA compliance complexity and water treatment chemistry details Key Actions: Identify malware targeting water treatment controls, implement emergency safety verification, coordinate public health notification decision

Round-by-Round Breakdown:

Setup & Opening (5 minutes):

Present the water treatment crisis: Metro Water Authority completing new SCADA system for 500,000 residents with EPA compliance deadline in 2 weeks. Linda Zhang notices chemical dosing anomalies. Dr. Foster discovers monitoring shows false readings. Alexandra Wu realizes installation compromise. Michael Park expects compliance demonstration.

Investigation Round 1 (10 minutes) - “How is malware manipulating water treatment chemical dosing?”

  • Detective discoveries: SCADA displays show normal while field measurements detect chemical deviations
  • Protector findings: Chemical dosing controls subtly manipulated affecting water quality
  • Tracker analysis: Installation created temporary air-gap vulnerabilities
  • Communicator insights: Water operators describe inconsistencies between commanded and actual levels

Teaching moment: ICS malware targets both operational controls AND monitoring systems to conceal public health threats.

Investigation Round 2 (10 minutes) - “What public safety implications threaten drinking water for 500,000 residents?”

  • Detective discoveries: Chlorine and fluoride levels drifting outside safe parameters
  • Protector findings: Water quality degradation potential if manipulation continues
  • Tracker analysis: Nation-state targeting water infrastructure during modernization
  • Communicator insights: Water Quality Director describes public health protection requirements

Teaching moment: Water infrastructure attacks have direct civilian population impact through contaminated drinking water.

Investigation Round 3 (10 minutes) - “What immediate response protects public water safety?”

  • Detective discoveries: Independent testing requirements beyond compromised SCADA
  • Protector findings: Manual verification protocols for treatment processes
  • Tracker analysis: Attack concealment sophistication indicates advanced threat
  • Communicator insights: EPA Regional Administrator expects compliance demonstration

Teaching moment: Compromised monitoring requires independent physical verification beyond affected control systems.

Decision Round (5 minutes) - “Water safety approach?”

Present three response options:

  • Option A: Emergency shutdown with manual control and boil-water advisory (Super effective - ensures safety but public concern)
  • Option B: Accelerated response with enhanced monitoring (Moderately effective - balances safety with operations)
  • Option C: Selective isolation with independent verification (Partially effective - maintains operations but extended risk)

Debrief focus: Water infrastructure targeting, chemical dosing manipulation, monitoring concealment, public health protection, EPA compliance requirements.

Lunch & Learn (75-90 minutes)

Structure: 5 investigation rounds, 2 decision rounds Focus: Comprehensive industrial control investigation and public water safety response Added Depth: SCADA system modernization vulnerabilities and regulatory compliance protocols Key Actions: Complete forensic analysis of installation compromise, coordinate with EPA and public health, restore water treatment integrity with verification

Round-by-Round Breakdown:

Setup & Opening (8 minutes):

Present comprehensive water context: Metro Water Authority 300 employees serving 500,000 residents. Linda Zhang balances public safety with modernization. Dr. Foster ensures treated water standards. Alexandra Wu leads SCADA deployment discovering compromise. Michael Park represents EPA regulatory authority expecting compliance in 2 weeks.

Investigation Round 1 (15 minutes) - “How did SCADA installation create air-gapped water treatment network vulnerability?”

  • Detective discoveries: New control system deployment last week created temporary access windows for contractors
  • Protector findings: Installation process reduced normal security isolation for system integration
  • Tracker analysis: Nation-state actors monitor infrastructure modernization timing attacks
  • Communicator insights: Installation contractors explain procedures creating brief compromise windows

Teaching moment: Critical infrastructure upgrades create temporary vulnerability windows. Nation-states time attacks to exploit reduced security during modernization.

Investigation Round 2 (15 minutes) - “What chemical dosing manipulation threatens drinking water quality for half million residents?”

  • Detective discoveries: Malware subtly manipulating chlorine and fluoride dosing - chemicals ensuring safe drinking water
  • Protector findings: SCADA displays show normal levels while actual concentrations drift outside parameters
  • Tracker analysis: Manipulation of life-safety systems indicates attack objectives beyond data theft
  • Communicator insights: Water quality lab reports trace chemical levels outside treatment standards

Teaching moment: Water infrastructure attacks manipulate treatment processes affecting public health. Physical consequences impact civilian populations through contaminated water.

Investigation Round 3 (12 minutes) - “What EPA compliance and public health coordination is required?”

  • Detective discoveries: Federal reporting requirements for water safety incidents
  • Protector findings: EPA demonstration deadline in 2 weeks with new SCADA system
  • Tracker analysis: Public health department coordination for water quality verification
  • Communicator insights: Regulatory staff explain compliance complexity and enforcement

Teaching moment: Water safety incidents require federal regulatory coordination balancing public health protection with operational requirements.

Decision Round 1 (8 minutes) - “Immediate water safety approach?”

Guide team toward decision on manual control vs. enhanced monitoring. Discuss EPA compliance deadline, 500,000 resident dependency, public health notification requirements.

Investigation Round 4 (12 minutes) - “What monitoring system concealment requires independent verification?”

  • Detective discoveries: Malware alters monitoring displays hiding manipulation from operators
  • Protector findings: Dual-target approach means attack could continue indefinitely without detection
  • Tracker analysis: Independent field measurements reveal actual manipulation beyond SCADA
  • Communicator insights: Operations manager explains normal oversight completely bypassed

Teaching moment: Sophisticated ICS malware targets operational controls AND monitoring creating false normality. Verification requires independent measurement.

Investigation Round 5 (12 minutes) - “What long-term water infrastructure security prevents installation compromise?”

  • Detective discoveries: Enhanced contractor security protocols and installation procedures
  • Protector findings: Improved air-gap integrity during modernization windows
  • Tracker analysis: Threat intelligence sharing across water utility sector
  • Communicator insights: Industry coordination for critical infrastructure protection

Teaching moment: Water infrastructure protection requires enhanced installation security and industry-wide coordination.

Decision Round 2 (8 minutes) - “EPA compliance and long-term security approach?”

Present comprehensive options balancing emergency halt vs. accelerated validation vs. conditional demonstration. Discuss public health priorities, regulatory requirements, security transformation.

Debrief focus: SCADA installation vulnerability exploitation, chemical dosing manipulation, monitoring concealment, public health protection prioritization, EPA regulatory coordination, independent verification requirements, long-term infrastructure security.

Full Game (120-140 minutes)

Structure: 7 investigation rounds, 3 decision rounds Focus: Complete nation-state critical infrastructure attack investigation with federal coordination Full Complexity: EPA regulatory oversight, public safety communication strategy, long-term water infrastructure security enhancement Key Actions: Comprehensive nation-state attribution and damage assessment, coordinate federal regulatory and security response, implement enhanced critical infrastructure protection while maintaining water safety

Round-by-Round Breakdown:

Setup & Opening (10 minutes):

Present complete water infrastructure crisis: Metro Water Authority 300 employees serving 500,000 residents with new SCADA system. EPA compliance deadline 2 weeks. Linda Zhang notices chemical anomalies balancing safety with modernization. Dr. Foster responsible for water standards discovers monitoring manipulation. Alexandra Wu leads deployment realizing installation compromise. Michael Park expects compliance demonstration. Nation-state malware from installation manipulates treatment while concealing activities.

Investigation Round 1 (18 minutes) - “How did infrastructure modernization window enable nation-state SCADA compromise?”

  • Detective discoveries: Installation last week created temporary contractor access to air-gapped water treatment networks for system integration and testing
  • Protector findings: Modernization process reduced security isolation allowing malware infiltration during legitimate deployment activities
  • Tracker analysis: Nation-state reconnaissance identified SCADA upgrade timing as vulnerability window for penetration
  • Communicator insights: Contractors describe installation procedures creating brief security reduction while integrating new control systems

Teaching moment: Infrastructure modernization creates planned vulnerability windows requiring enhanced security. Nation-states monitor modernization activities timing attacks to exploit temporary access.

Investigation Round 2 (15 minutes) - “What precision chemical dosing manipulation achieves public health compromise?”

  • Detective discoveries: Systematic manipulation of chlorine and fluoride dosing controls - treatment chemicals ensuring safe drinking water for 500,000 residents
  • Protector findings: SCADA monitoring displays show normal chemical levels while independent field measurements reveal concentrations drifting outside safe parameters
  • Tracker analysis: Manipulation targeting life-safety treatment processes indicates attack objectives causing civilian harm through water contamination
  • Communicator insights: Water Quality Director describes how continued manipulation could degrade water quality to unsafe levels affecting half million people

Teaching moment: Water infrastructure attacks manipulate treatment processes with direct public health consequences. Unlike data theft, these attacks physically threaten civilian populations.

Investigation Round 3 (15 minutes) - “What dual-system targeting conceals manipulation from operational oversight?”

  • Detective discoveries: Malware simultaneously manipulates chemical dosing controls AND alters monitoring systems hiding activities from operators
  • Protector findings: Dual-target approach creates false sense of normality while causing real water quality degradation
  • Tracker analysis: Monitoring concealment sophistication means attack could continue indefinitely without detection through normal operations
  • Communicator insights: Operations manager explains independent field measurements required to discover manipulation beyond compromised SCADA displays

Teaching moment: Sophisticated ICS attacks target both operational controls and monitoring systems. False displays conceal manipulation requiring independent physical verification for detection.

Decision Round 1 (12 minutes) - “Emergency water safety response balancing public health with EPA compliance?”

Guide team through safety decision: complete shutdown vs. accelerated validation vs. independent monitoring. Introduce pressure: Water quality lab confirms trace chemicals outside normal parameters. Discuss 500,000 resident safety, EPA deadline, boil-water advisory implications.

Investigation Round 4 (15 minutes) - “What federal regulatory and public health coordination addresses water safety incident?”

  • Detective discoveries: EPA reporting requirements, public health department notification protocols, federal coordination for critical infrastructure
  • Protector findings: EPA compliance demonstration deadline creating regulatory pressure during active security incident
  • Tracker analysis: Federal security agencies coordination for nation-state critical infrastructure targeting
  • Communicator insights: Regulatory staff navigate EPA, public health, federal security coordination complexity

Teaching moment: Water safety incidents require multi-agency coordination balancing regulatory compliance, public health protection, security investigation, operational continuity.

Investigation Round 5 (15 minutes) - “What nation-state attribution connects infrastructure targeting to strategic adversary?”

  • Detective discoveries: Technical sophistication, installation timing exploitation, water infrastructure targeting indicate state-level capabilities
  • Protector findings: Attack objectives (public health compromise), targeting (critical infrastructure modernization) serve strategic competition
  • Tracker analysis: Attribution synthesizes technical indicators with strategic intelligence assessment
  • Communicator insights: Federal intelligence provides geopolitical context for critical infrastructure targeting

Teaching moment: Nation-state infrastructure attribution analyzes technical evidence within strategic context connecting capabilities and objectives to known adversary patterns.

Decision Round 2 (12 minutes) - “Public health coordination balancing water safety with communication strategy?”

Guide team through stakeholder coordination: EPA regulatory compliance, public health protection, federal security partnership, public notification decision. Introduce pressure: Public health receives citizen complaints about taste changes. Discuss transparency requirements, safety priorities, regulatory obligations.

Investigation Round 6 (12 minutes) - “What water infrastructure security architecture prevents modernization exploitation?”

  • Detective discoveries: Enhanced installation security protocols, contractor vetting requirements
  • Protector findings: Improved air-gap integrity procedures during modernization windows
  • Tracker analysis: Continuous monitoring for installation-phase compromise indicators
  • Communicator insights: Industry discusses balancing modernization benefits with security requirements

Teaching moment: Water infrastructure modernization requires enhanced security during installation - contractor management, air-gap protocols, continuous monitoring beyond operational controls.

Investigation Round 7 (12 minutes) - “What water sector coordination addresses persistent critical infrastructure targeting?”

  • Detective discoveries: Water utility threat intelligence sharing, industry-wide security coordination
  • Protector findings: EPA security standards evolution addressing nation-state threats
  • Tracker analysis: Federal-private partnership for water infrastructure protection
  • Communicator insights: Sector coordination balancing utility independence with security collaboration

Teaching moment: Water infrastructure protection requires sector-wide coordination, regulatory evolution, federal partnership addressing persistent nation-state targeting.

Decision Round 3 (15 minutes) - “Comprehensive EPA compliance decision and water infrastructure security transformation?”

Present final decision synthesizing investigation: EPA compliance demonstration approach, security architecture redesign, federal partnership, public health protection. Balance regulatory timeline, safety assurance, security transformation, public communication. Discuss lessons for water infrastructure protection.

Debrief focus: Complete nation-state infrastructure targeting understanding, modernization window exploitation, chemical dosing precision manipulation, dual-system monitoring concealment, public health direct consequences, federal multi-agency coordination, attribution strategic assessment, water infrastructure modernization security, sector-wide protection coordination.

Advanced Challenge (150-170 minutes)

Structure: 8-9 investigation rounds, 4 decision rounds Expert Elements: Water treatment chemistry technical depth, SCADA system architecture complexity, nation-state infrastructure targeting Additional Challenges: Mid-scenario public health complaints, EPA compliance deadline pressure, water quality parameter deviation management Key Actions: Complete investigation under public safety constraints, coordinate multi-agency federal response, implement comprehensive water infrastructure defense while ensuring continuous safe drinking water delivery

Round-by-Round Breakdown:

Setup & Opening (12 minutes):

Present expert-level water infrastructure crisis with full complexity: Metro Water Authority regional water treatment 300 employees serving 500,000 residents. New SCADA system modernization meeting updated EPA monitoring requirements with compliance deadline 2 weeks. Linda Zhang (Water Operations Manager) notices subtle chemical level anomalies must balance public safety with system modernization and EPA compliance. Dr. Samuel Foster (Water Quality Director) responsible for treated water safety standards discovers monitoring systems may not show accurate chemical dosing. Alexandra Wu (SCADA Systems Engineer) leads deployment realizes sophisticated malware compromised industrial controls during installation phase. Michael Park (EPA Regional Administrator) expects compliance demonstration represents federal regulatory authority and public health protection. Installation last week created temporary vulnerabilities in air-gapped treatment networks. Nation-state adversary specifically targets water infrastructure during system modernization. Malware manipulates chemical dosing while providing false normal readings concealing attack.

Investigation Round 1 (15 minutes) - “How did SCADA modernization create systematic air-gapped water treatment compromise?”

  • Detective deep forensics: Installation contractor access for system integration testing created temporary bridges to air-gapped treatment networks, malware infiltrated during legitimate deployment reducing normal isolation
  • Protector technical analysis: New control system required network connectivity for configuration, contractor diagnostic tools, software deployment creating unintended attack surface
  • Tracker modernization timeline: Nation-state reconnaissance monitored water infrastructure modernization identifying SCADA upgrade as penetration opportunity timing attack precisely
  • Communicator contractor procedures: Installation teams explain legitimate integration requirements creating brief security reduction, trusted access exploited as attack vector

Teaching moment: Critical infrastructure modernization creates planned temporary vulnerabilities. Nation-states systematically monitor infrastructure upgrades timing attacks to exploit security reductions during legitimate deployment activities.

Investigation Round 2 (15 minutes) - “What precision chemical dosing manipulation achieves gradual public health degradation?”

  • Detective chemistry forensics: Systematic manipulation of chlorine (disinfection) and fluoride (dental health) dosing - critical treatment chemicals ensuring drinking water safety for 500,000 residents
  • Protector parameter analysis: SCADA displays show nominal chemical concentrations while independent field measurements reveal gradual drift outside EPA safe drinking water standards
  • Tracker health impact: Subtle manipulation designed to degrade water quality slowly avoiding obvious contamination triggering immediate investigation, maximizing exposure before detection
  • Communicator water quality: Dr. Foster describes how continued manipulation could cause chlorine levels dropping below disinfection effectiveness allowing bacterial contamination, or fluoride excess causing health effects

Teaching moment: Water treatment attacks manipulate life-safety chemical dosing achieving gradual public health compromise. Subtle manipulation maximizes civilian exposure before detection unlike obvious contamination.

Investigation Round 3 (15 minutes) - “What comprehensive dual-target concealment creates operator blind spots?”

  • Detective concealment forensics: Malware simultaneously manipulates chemical dosing controls AND SCADA monitoring displays, operator interface shows false normal readings while actual treatment deviates
  • Protector blind spot analysis: Dual manipulation creates complete disconnect between perceived and actual facility status, operators lack visibility into real treatment processes
  • Tracker persistence mechanics: Monitoring concealment allows indefinite attack continuation - operators trust SCADA displays unaware of manipulation requiring external trigger for detection
  • Communicator operational paradigm: Operations manager describes existential challenge - if monitoring cannot be trusted to reflect actual treatment, how ensure public water safety? Fundamentally undermines operational trust.

Teaching moment: Sophisticated ICS malware achieves comprehensive concealment targeting operational controls AND monitoring creating operator blind spots. When trust in monitoring compromised, entire operational paradigm requires rethinking.

Decision Round 1 (12 minutes) - “Emergency water safety response under EPA deadline and public health uncertainty?”

Guide team through complex decision under public safety priority: complete shutdown with boil-water advisory vs. accelerated independent validation vs. enhanced monitoring with manual controls. Introduce: Water quality lab reports 15% samples show trace chemical deviations. Discuss 500,000 resident safety vs. public concern from advisory, EPA compliance deadline pressure, operational impact.

Investigation Round 4 (13 minutes) - “What federal regulatory framework addresses water safety during nation-state attack?”

  • Detective regulatory coordination: EPA Safe Drinking Water Act reporting requirements, public health department notification protocols, federal security agency coordination for critical infrastructure targeting
  • Protector compliance complexity: EPA demonstration deadline creating regulatory pressure during active investigation, potential enforcement actions while addressing security incident
  • Tracker multi-agency framework: EPA regulatory oversight, public health protection authority, FBI counterintelligence investigation, CISA critical infrastructure support requiring coordinated response
  • Communicator bureaucratic navigation: Regulatory staff coordinate EPA compliance, public health transparency, federal security investigation, operational continuity balancing competing requirements

Teaching moment: Water safety incidents require comprehensive federal coordination integrating regulatory compliance, public health protection, security investigation, operational requirements. Multiple agencies with different authorities must coordinate.

Investigation Round 5 (13 minutes) - “What multi-source attribution synthesizes infrastructure targeting with strategic adversary?”

  • Detective technical indicators: SCADA compromise sophistication, chemical dosing precision, monitoring concealment, installation timing exploitation indicate nation-state capabilities
  • Protector strategic analysis: Attack objectives (public health compromise), targeting (water infrastructure modernization), gradual impact (maximizing exposure) serve strategic competition
  • Tracker intelligence synthesis: Combining technical forensics with strategic context, capability assessment, geopolitical competition patterns, infrastructure targeting known to adversaries
  • Communicator attribution confidence: Intelligence assessment connects technical evidence to nation-state adversary with high confidence through multi-source correlation

Teaching moment: High-confidence nation-state attribution requires synthesizing technical forensic evidence with strategic intelligence assessment examining capabilities, objectives, geopolitical context beyond technical indicators.

Decision Round 2 (12 minutes) - “Public health coordination balancing transparency with EPA compliance and security?”

Guide team through stakeholder coordination: EPA regulatory compliance demonstration, public health protection notification, federal security partnership, public communication strategy. Introduce: Public health department receives multiple citizen complaints about water taste and appearance changes. Discuss transparency legal requirements, public safety priorities, regulatory obligations, security investigation sensitivity.

Investigation Round 6 (12 minutes) - “What water infrastructure modernization security prevents installation-phase exploitation?”

  • Detective installation security: Enhanced contractor vetting, background checks, security clearance requirements for critical infrastructure access
  • Protector air-gap protocols: Improved isolation integrity during modernization - temporary bridging minimization, enhanced monitoring, rapid security restoration post-deployment
  • Tracker deployment monitoring: Continuous behavioral analytics during installation phase detecting anomalous activity, reconnaissance indicators, compromise attempts
  • Communicator modernization balance: Water sector discusses balancing SCADA advancement benefits (efficiency, monitoring, EPA compliance) with security requirements (contractor management, air-gap integrity, installation protocols)

Teaching moment: Water infrastructure modernization requires specialized installation-phase security - contractor management, air-gap integrity protocols, deployment monitoring beyond operational security controls.

Investigation Round 7 (12 minutes) - “What independent verification distinguishes compromised from trustworthy treatment data?”

  • Detective validation methodology: Multiple independent measurement equipment, laboratory analysis, field sampling protocols providing verification beyond compromised SCADA systems
  • Protector assume-breach verification: When monitoring compromised, independent physical testing becomes critical integrity anchor - water quality cannot rely on digital displays
  • Tracker validation sources: Statistical analysis across independent sources detecting systematic manipulation, experimental correlation, baseline deviation identifying concealed attacks
  • Communicator operational rigor: Water quality teams explain validation ensuring public safety despite SCADA compromise - independent verification maintaining trust when digital systems fail

Teaching moment: When water treatment monitoring compromised, independent physical verification becomes critical. Multiple independent validation sources ensure public safety when digital control systems cannot be trusted.

Decision Round 3 (12 minutes) - “Water infrastructure modernization balancing advancement with nation-state threats?”

Guide team through strategic decision: continued SCADA advancement with enhanced security vs. conservative approach limiting automation vs. hybrid selective modernization. Introduce: Authority Director asks whether water utilities can modernize safely under nation-state targeting. Discuss modernization benefits, attack surface expansion, long-term security strategy.

Investigation Round 8 (12 minutes) - “What water sector ecosystem coordination addresses persistent infrastructure targeting?”

  • Detective industry coordination: Water utility sector ISAC establishing threat intelligence sharing, installation security standards, incident response protocols
  • Protector regulatory evolution: EPA security standards adapting to nation-state threats, mandatory SCADA security controls, modernization security requirements
  • Tracker federal partnership: CISA-water utility partnership models, EPA regulatory support, FBI coordination protocols for ongoing nation-state campaigns
  • Communicator sector collaboration: Industry coordination balancing utility operational independence with security collaboration requirements for critical infrastructure protection

Teaching moment: Water infrastructure protection requires sector-wide coordination - threat intelligence sharing, installation security standards, regulatory evolution, federal partnership exceeding individual utility capabilities.

Investigation Round 9 (Optional, 10 minutes) - “What lessons from water treatment targeting inform contemporary infrastructure security?”

  • Detective threat evolution: How have nation-state capabilities evolved? IoT sensor targeting, cloud-based SCADA, remote access exploitation represent advancing threats
  • Protector modernization challenges: Balancing water infrastructure advancement (smart sensors, predictive maintenance, remote monitoring) with security in persistent adversarial environment
  • Tracker verification principles: Independent validation methodologies, assume-breach monitoring, multi-source correlation principles extending beyond water to other critical sectors
  • Communicator resilience focus: Evolution from prevention to resilience - assuming compromise, rapid detection, response capabilities, public safety assurance under attack

Teaching moment: Water treatment targeting provides foundation for contemporary critical infrastructure security. Understanding adversary evolution, modernization security requirements, independent verification principles informs ongoing defense.

Decision Round 4 (15 minutes) - “Comprehensive EPA compliance decision and water infrastructure defense transformation?”

Present final comprehensive decision synthesizing all investigation: EPA compliance demonstration approach with verified water safety, security architecture transformation, federal partnership framework, public health protection assurance, sector coordination mechanisms. Balance regulatory compliance demonstration, public safety continuous assurance, security implementation, public communication transparency, long-term modernization strategy. Address how installation compromise lessons inform contemporary water infrastructure protection.

Debrief focus: Comprehensive expert-level nation-state water infrastructure targeting, modernization installation-phase systematic exploitation, precision chemical dosing gradual public health manipulation, comprehensive dual-target monitoring concealment creating operator blind spots, federal multi-agency regulatory and security coordination framework, attribution synthesizing technical and strategic intelligence, water infrastructure modernization security requirements, independent verification critical when monitoring compromised, water sector ecosystem coordination necessities, regulatory evolution addressing nation-state threats, lessons informing contemporary critical infrastructure defense protecting civilian populations.

Quick Demo Materials (35-40 min)

Guided Investigation Clues

Progressive hints to maintain engagement and learning momentum:

If team is uncertain where to start investigation:

“SCADA Systems Engineer Alexandra Wu has been reviewing the installation timeline. The malware infiltrated during the new control system deployment last week - precisely when contractors had temporary access to air-gapped water treatment networks for system integration and testing. The installation process created a brief window where normal security isolation was reduced. What does this tell you about how sophisticated attackers identify and exploit infrastructure modernization windows?”

Teaching moment: Critical infrastructure upgrades and modernization projects create temporary vulnerability windows when new systems are integrated. Nation-state actors monitor these activities and time attacks to exploit reduced security during installation phases.

If team misses public safety implications:

“Water Quality Director Dr. Foster has completed independent testing. The malware is subtly manipulating chlorine and fluoride dosing controls - the chemicals that ensure safe drinking water for 500,000 residents. The SCADA displays show normal levels, but actual chemical concentrations are drifting outside safe parameters. If this continues undetected, water quality could degrade to unsafe levels. How does this manipulation of life-safety systems change your understanding of the attack objectives and response urgency?”

Teaching moment: Nation-state attacks on water infrastructure aim to compromise public health by manipulating treatment processes. Unlike data theft, these attacks have direct physical consequences affecting civilian populations through contaminated drinking water.

If team overlooks detection evasion sophistication:

“Operations Manager Linda Zhang has discovered something alarming: the malware doesn’t just manipulate water treatment processes - it also alters the monitoring systems to hide its activities. Operators see normal chemical levels on SCADA displays while independent field measurements reveal the actual manipulation. This dual-target approach means the attack could continue indefinitely without detection through normal operational oversight. How does this monitoring concealment change your approach to verifying water treatment integrity?”

Teaching moment: Sophisticated ICS/SCADA malware targets both operational controls AND monitoring systems, creating a false sense of normality while causing real-world harm. Verification requires independent measurement beyond compromised control systems.

Pre-Defined Response Options

Three balanced response approaches with trade-offs:

Option A: Emergency Water System Shutdown & Complete SCADA Rebuild

  • Action: Immediately halt all automated water treatment operations and revert to manual control protocols, implement comprehensive malware removal and SCADA system rebuild from verified sources, coordinate complete system validation with EPA before restoring automated treatment, issue precautionary boil-water advisory to 500,000 residents.
  • Pros: Ensures absolute certainty of water safety and control system integrity, provides thorough investigation of nation-state compromise, demonstrates unwavering commitment to public health protection, eliminates sophisticated malware persistence completely.
  • Cons: Delays EPA compliance demonstration by 4-6 weeks, triggers federal regulatory scrutiny and potential enforcement, causes public concern through boil-water advisory affecting half million residents, requires intensive manual operations and continuous water quality monitoring.
  • Type Effectiveness: Super effective against APT malmon type; complete SCADA system restoration prevents nation-state manipulation and ensures water safety with zero compromise risk.

Option B: Accelerated Parallel Response & Conditional EPA Demonstration

  • Action: Conduct intensive 10-day malware removal and independent water quality validation using all available resources, implement enhanced monitoring and redundant safety verification protocols, coordinate expedited assessment with EPA for conditional compliance authorization while maintaining elevated public health oversight.
  • Pros: Balances water safety with EPA compliance timeline requirements, provides compressed but thorough security response and treatment verification, demonstrates agile incident management under regulatory pressure, maintains public confidence while addressing nation-state threat.
  • Cons: Requires extraordinary resource commitment and sustained 24/7 water quality operations, compressed timeline increases risk of incomplete malware removal or missed monitoring manipulation, maintains some uncertainty during EPA demonstration phase, intensive coordination stress across technical and regulatory teams.
  • Type Effectiveness: Moderately effective against APT malmon type; addresses immediate water safety concerns while meeting compliance requirements, but compressed timeline may not fully eliminate sophisticated nation-state SCADA compromise mechanisms.

Option C: Selective System Isolation & Phased SCADA Recovery

  • Action: Isolate compromised chemical dosing controls from critical safety functions, implement continuous independent water quality monitoring and manual verification protocols, proceed with EPA compliance demonstration using verified monitoring segments while conducting thorough malware investigation on isolated networks, coordinate phased security restoration aligned with public health priorities.
  • Pros: Maintains EPA compliance timeline and avoids federal penalties, allows water safety demonstration with independent verification, provides time for comprehensive nation-state threat investigation, demonstrates sophisticated risk management balancing public health and regulatory requirements.
  • Cons: Operates with partially compromised SCADA systems under enhanced monitoring, requires sustained independent verification and manual oversight increasing operational complexity, extended security risk window during phased recovery, depends on effectiveness of isolation measures and independent monitoring reliability.
  • Type Effectiveness: Partially effective against APT malmon type; addresses immediate water safety requirements through isolation and independent verification, but extended presence of nation-state malware creates ongoing public health risk and potential for monitoring concealment escalation if isolation fails.