WannaCry Scenario: Transportation Peak Season
Planning Resources
Scenario Details for IMs
TransGlobal Logistics: Supply Chain Crisis During Holiday Peak Season
Organization Profile
- Type: Regional shipping and logistics hub providing package sorting, transportation coordination, and last-mile delivery services for e-commerce retailers, business shippers, and consumer packages across eight-state service area
- Size: 800 employees including 320 package handlers and sorters operating automated conveyor systems on three rotating shifts, 180 delivery drivers managing route optimization and customer delivery windows, 120 logistics coordinators tracking shipment status and managing customer inquiries, 85 IT systems administrators maintaining package tracking databases and route optimization software, 45 warehouse operations managers supervising facility safety and productivity metrics, 30 customer service representatives handling delivery exceptions and business account support, 15 fleet maintenance technicians servicing 450 delivery vehicles, and 5 cybersecurity personnel managing network infrastructure
- Annual Operations: Processing 12 million packages annually with peak holiday season volumes reaching 180,000 packages daily, operating 24/7 sorting facilities utilizing automated conveyor systems synchronized with package tracking barcodes, maintaining real-time delivery tracking systems providing customers with estimated delivery windows and proof-of-delivery confirmations, coordinating route optimization software calculating efficient delivery sequences minimizing fuel costs and maximizing on-time performance, supporting critical just-in-time supply chains for manufacturing customers requiring precise delivery coordination, and managing $420 million annual revenue with 65% concentrated in November-December holiday shipping season
- Current Holiday Crisis: Peak shipping season three days away—Black Friday through Christmas represents 65% of annual revenue, with contractual delivery commitments to 4,200 business customers including major e-commerce retailers depending on TransGlobal’s infrastructure for holiday fulfillment operations affecting millions of consumer purchases
Key Assets & Impact
Impossible Decision Framework:
Asset Category 1: Holiday Delivery Commitments & Revenue Concentration - 65% annual revenue depends on November-December operations, ransomware encryption three days before peak season threatens $273 million revenue loss, 4,200 business customers with contractual service level agreements
Asset Category 2: Package Tracking & Sorting Infrastructure - Automated systems process 180,000 packages daily during peak, manual sorting capacity limited to 40,000 daily creating 140,000 package backlog, customer delivery commitments become impossible without tracking systems
Asset Category 3: Supply Chain Continuity For Business Customers - Manufacturing customers depend on just-in-time delivery precision, retail customers require holiday inventory arrivals, package delays cascade into consumer purchase cancellations
Immediate Business Pressure: The Black Friday Countdown
Friday Morning, 6:30 AM - Three Days Before Peak Season:
Operations Director Maria Santos discovered ransomware encryption affecting package tracking, sorting automation, and route optimization systems. WannaCry message demanded $680,000 bitcoin payment with 72-hour deadline. Black Friday—busiest shipping day of the year—was scheduled for Monday.
Without tracking systems, TransGlobal faced impossible choice: pay ransom enabling holiday operations versus refusing payment guaranteeing operational collapse during peak season affecting thousands of businesses and millions of consumers.
Critical Timeline & Operational Deadlines
- Friday, 6:30 AM (Session Start): Ransomware discovery
- Friday-Sunday (72 hours): Ransom payment deadline
- Monday (Peak Season Start): Black Friday—180,000 packages expected, annual revenue concentration begins
- Monday-December 24: Peak season window, 65% of annual revenue at stake
Cultural & Organizational Factors
- Factor 1: Operational uptime priority delayed security patches to avoid 24/7 service disruptions
- Factor 2: Peak season temporary systems and contractors introduced vulnerabilities
- Factor 3: Package tracking and sorting shared network infrastructure without segmentation
- Factor 4: Holiday revenue concentration created organizational pressure prioritizing operational continuity
Operational Context
TransGlobal operates in highly competitive logistics market where service reliability determines customer retention—operational disruptions during peak season permanently damage business relationships as customers migrate to competitors demonstrating superior operational resilience.
Key Stakeholders
- Stakeholder 1: Maria Santos - Operations Director
- Stakeholder 2: James Park - IT Director
- Stakeholder 3: Robert Chen - CEO
- Stakeholder 4: Major E-Commerce Customer Representative
Why This Matters
You’re not just deciding on ransomware payment—you’re determining whether supply chain operational continuity obligations override security policy when seasonal revenue concentration creates existential business pressure.
You’re not just recovering encrypted systems—you’re defining whether logistics infrastructure resilience means accepting criminal demands to preserve customer commitments, or demonstrating operational alternatives despite massive capacity constraints.
IM Facilitation Notes
1. Emphasize revenue concentration—65% annual revenue in two-month window creates genuine existential pressure
2. Make customer impact tangible—4,200 businesses and millions of consumers affected by delivery failures
3. Use peak season timing to create authentic time pressure forcing decisions under uncertainty
4. Present manual processing capacity limits as hard technical constraint preventing simple workarounds
5. Address tension between ransomware payment policy and business survival imperatives
6. Celebrate creative operational alternatives demonstrating resilience without validating criminal business model
Opening Presentation
“It’s Wednesday morning at TransGlobal Logistics, and the regional hub is operating at peak holiday capacity with conveyor belts running 24/7 and trucks departing every hour for delivery routes. But since Tuesday evening, package sorting systems have been displaying ransom messages, customer tracking databases are becoming inaccessible, and delivery routing systems are failing across the facility. With thousands of businesses depending on holiday deliveries and millions of packages in the system, this cybersecurity incident threatens to disrupt the entire regional supply chain.”
Initial Symptoms to Present:
Key Discovery Paths:
Detective Investigation Leads:
Protector System Analysis:
Tracker Network Investigation:
Communicator Stakeholder Interviews:
Mid-Scenario Pressure Points:
- Hour 1: Major retail client calls demanding explanation for delayed holiday shipment tracking
- Hour 2: Package sorting facility reports 50% reduction in processing capacity
- Hour 3: Delivery drivers unable to access route optimization, causing traffic delays and missed deliveries
- Hour 4: Regional VP warns that operational disruptions will affect annual performance and customer contracts
Evolution Triggers:
- If package sorting systems fail completely, thousands of packages cannot be processed or delivered
- If customer tracking remains down, service commitments to major retail clients are violated
- If delivery routing is compromised, operational efficiency drops below sustainable levels
Resolution Pathways:
Technical Success Indicators:
- Team implements emergency network segmentation protecting critical package processing systems
- Worm propagation contained through strategic isolation and backup system activation
- Alternative tracking and routing procedures maintain operational continuity during recovery
Business Success Indicators:
- Package delivery operations maintained at sufficient capacity to meet holiday commitments
- Customer service capabilities preserved through manual tracking and communication procedures
- Major retail client relationships protected through effective crisis communication and alternative solutions
Learning Success Indicators:
- Team understands worm propagation through logistics networks and interconnected operational systems
- Participants recognize cybersecurity challenges in 24/7 operations and supply chain management
- Group demonstrates coordination between IT security, logistics operations, and customer service
Common IM Facilitation Challenges:
If Operational Impact Is Underestimated:
“While you’re analyzing network traffic, Carlos reports that package sorting capacity has dropped by 60%, and thousands of holiday packages are backing up in the facility. How do you balance cybersecurity response with operational continuity?”
If Customer Impact Is Ignored:
“Robert just received calls from three major retail clients threatening to switch carriers if their holiday shipments aren’t tracked and delivered on schedule. What’s your customer communication strategy?”
If Supply Chain Complexity Is Overwhelming:
“Sarah needs to know: can TransGlobal meet its holiday delivery commitments, or should backup contingency plans with partner carriers be activated immediately?”
Success Metrics for Session:
Template Compatibility
Quick Demo (35-40 min)
- Rounds: 1
- Actions per Player: 1
- Investigation: Guided
- Response: Pre-defined
- Focus: Use the “Hook” and “Initial Symptoms” to quickly establish logistics peak season crisis. Present the “Guided Investigation Clues” at 5-minute intervals. Offer the “Pre-Defined Response Options” for the team to choose from. Quick debrief should focus on recognizing worm propagation patterns and supply chain operational vulnerabilities.
Lunch & Learn (75-90 min)
- Rounds: 2
- Actions per Player: 2
- Investigation: Guided
- Response: Pre-defined
- Focus: This template allows for deeper exploration of logistics and supply chain cybersecurity challenges. Use the full set of NPCs to create realistic peak season operation pressures. The two rounds allow WannaCry to spread toward customer service systems, raising stakes. Debrief can explore balance between delivery operations and security controls.
Full Game (120-140 min)
- Rounds: 3
- Actions per Player: 2
- Investigation: Open
- Response: Creative
- Focus: Players have freedom to investigate using the “Key Discovery Paths” as IM guidance. They must develop response strategies balancing holiday delivery commitments, customer service, operational continuity, and supply chain relationships. The three rounds allow for full narrative arc including worm’s logistics-specific propagation and critical operational impact.
Advanced Challenge (150-170 min)
- Rounds: 3
- Actions per Player: 2
- Investigation: Open
- Response: Creative
- Complexity: Add red herrings (e.g., legitimate logistics system updates causing unrelated tracking issues). Make containment ambiguous, requiring players to justify customer-facing decisions with incomplete information. Remove access to reference materials to test knowledge recall of worm behavior and supply chain security principles.
Quick Demo Materials (35-40 min)
Guided Investigation Clues
Clue 1 (Minute 5): “Network forensics reveal WannaCry ransomware worm exploiting unpatched Windows SMB vulnerability (MS17-010) in package tracking systems. The worm is spreading autonomously through TransGlobal’s interconnected logistics network during peak holiday operations, affecting package sorting, delivery routing, and customer tracking systems across the regional hub.”
Clue 2 (Minute 10): “File system analysis shows systematic encryption of delivery routes, customer data, and operational databases. Timeline analysis reveals the attack began Tuesday evening during overnight shift when network traffic was highest, and package sorting capacity has now dropped by 60% with thousands of holiday packages backing up in the facility.”
Clue 3 (Minute 15): “Real-time monitoring shows WannaCry propagating toward vehicle tracking and customer communication systems. Network topology analysis reveals TransGlobal prioritized operational uptime over security updates to maintain 24/7 package processing, creating widespread vulnerability across critical logistics infrastructure and supply chain operations.”
Pre-Defined Response Options
Option A: Emergency Network Segmentation & Operations Priority
- Action: Immediately implement network segmentation isolating critical package sorting and delivery routing systems, stop worm propagation through strategic disconnection, activate backup tracking procedures, establish manual delivery coordination for customer service.
- Pros: Completely stops worm spread and protects core package delivery operations; enables continued holiday shipping through secure isolated systems.
- Cons: Requires rapid network isolation affecting inter-system communication; some automated logistics functions shift to manual procedures during peak season.
- Type Effectiveness: Super effective against Worm type malmons like WannaCry; prevents autonomous propagation through network isolation and operational segmentation.
Option B: Selective System Isolation & Delivery Continuity
- Action: Quarantine confirmed infected systems, implement enhanced monitoring on package sorting networks, maintain critical delivery operations using verified clean systems while accelerating malware removal and customer tracking recovery.
- Pros: Allows continued holiday logistics operations and customer service delivery; protects major retail client relationships through delivery continuity.
- Cons: Risks continued worm propagation in connected logistics areas; may not fully protect customer tracking during selective isolation.
- Type Effectiveness: Moderately effective against Worm threats; reduces but doesn’t eliminate autonomous spread across interconnected supply chain infrastructure.
Option C: Ransom Payment & Rapid Operations Recovery
- Action: Pay ransomware demand to obtain decryption key, attempt rapid system recovery to restore full logistics capabilities and customer tracking while implementing security improvements.
- Pros: Potentially fastest path to full operational recovery for peak season delivery commitments; maintains customer service and retail client relationships.
- Cons: No guarantee decryption will work or complete in time for holiday shipping; funds criminal enterprise; doesn’t address underlying worm propagation or systemic operational security weaknesses.
- Type Effectiveness: Not effective against Worm malmon type; addresses encryption symptom but not worm propagation; ethically problematic for supply chain operations.
Lunch & Learn Materials (75-90 min, 2 rounds)
Round 1: Emergency Logistics Containment & Delivery Operations (30-35 min)
Investigation Clues:
- Clue 1 (Minute 5): Network monitoring shows massive SMB traffic surge across logistics systems. IT Director Linda Zhang reports, “We’re seeing automated port 445 scanning from infected package tracking servers spreading to sorting equipment, delivery routing, and customer service systems - this is autonomous worm propagation through our entire 24/7 logistics network.”
- Clue 2 (Minute 10): Security logs reveal successful exploitation of EternalBlue vulnerability (MS17-010) on unpatched Windows systems throughout the hub. The worm spreads without user interaction during peak holiday operations - every unpatched logistics system is vulnerable.
- Clue 3 (Minute 15): Operations Manager Carlos Martinez reports critical delivery impact: “Package sorting capacity has dropped 60% with systems encrypting. We have thousands of holiday packages backing up. Delivery routes cannot be optimized. This is threatening our entire peak season operation.”
- Clue 4 (Minute 20): Customer Service Director Robert Johnson receives escalating client pressure: “Major retail clients are calling about delayed shipment tracking. Holiday delivery commitments are at risk. If we cannot provide tracking and timely delivery, we’ll lose these accounts.”
Response Options:
- Option A: Emergency Network Segmentation with Operations Priority - Immediately segment the logistics network isolating critical package sorting and delivery routing systems, disconnect non-essential administrative systems, prioritize protection of operational infrastructure during peak season.
- Pros: Halts worm propagation to core logistics systems; protects package processing capabilities; enables continued holiday delivery operations.
- Cons: Requires rapid network isolation affecting integrated systems; customer tracking and automated functions shift to manual procedures; inter-system communication disrupted.
- Type Effectiveness: Super effective against Worm - prevents autonomous spread to delivery systems but creates operational challenges during peak season.
- Option B: Deploy Kill Switch with Operational Continuity - Register or access the domain found in WannaCry malware code to activate kill switch, halting encryption while maintaining logistics network connectivity for continued peak season operations.
- Pros: Immediately stops encryption without network disruption; allows continued package processing and delivery routing; elegant technical solution enabling holiday operations.
- Cons: Only effective against this specific WannaCry variant; doesn’t remove existing infections; requires rapid execution during 24/7 operations crisis.
- Type Effectiveness: Highly effective against WannaCry Ransomware specifically; stops further encryption but doesn’t recover encrypted logistics data.
- Option C: Delivery Priority with Selective Recovery - Focus resources on maintaining package sorting and delivery capabilities, implement manual tracking procedures for customer service, accept temporary worm spread in lower-priority administrative areas.
- Pros: Ensures holiday delivery continuity through operational focus; addresses immediate supply chain obligations; demonstrates delivery-first logistics values.
- Cons: Worm continues propagating to other logistics systems; may compromise customer data and service capabilities; creates differential security across operations.
- Type Effectiveness: Partially effective - addresses delivery impact but allows continued worm propagation threatening broader logistics infrastructure.
Round 2: Supply Chain Recovery & Customer Service Restoration (30-35 min)
Investigation Clues:
- Clue 5 (Minute 30): If Option A (segmentation) was chosen: Delivery coordinators report inability to access automated routing optimization. “Manual route planning is taking three times longer. We’re missing delivery windows and falling behind schedule.”
- Clue 5 (Minute 30): If Option B (kill switch) was chosen: While encryption has stopped, approximately 40% of customer tracking data and delivery route history remain encrypted. Recovery from backups required during peak operations.
- Clue 5 (Minute 30): If Option C (delivery focus) was chosen: The worm has now spread to vehicle tracking systems and customer communication platforms. Real-time package visibility is compromised affecting service quality.
- Clue 6 (Minute 40): Regional VP Sarah Park receives notification from major retail client threatening to shift volume to competitor carriers if tracking and delivery reliability doesn’t improve. “This account represents 30% of our peak season revenue.”
- Clue 7 (Minute 50): IT assessment reveals logistics backup systems were not fully isolated due to 24/7 operational requirements, and some backup data may be compromised. Recovery strategy must account for potential backup issues while maintaining delivery operations.
- Clue 8 (Minute 55): Analysis shows that peak season temporary systems and contractor access created additional vulnerabilities. Comprehensive security remediation conflicts with operational demands of holiday shipping season.
Response Options:
- Option A: Comprehensive Logistics Emergency Response - Activate company emergency operations center, coordinate with partner carriers for overflow capacity, implement full network remediation across logistics infrastructure, establish interim manual procedures for package processing and customer service.
- Pros: Full supply chain incident response with industry coordination; ensures delivery continuity through carrier partnerships; demonstrates responsible logistics security practices.
- Cons: Major operational complexity requiring emergency coordination; partner carrier involvement creates cost and competitive concerns; public disclosure of security failures.
- Type Effectiveness: Super effective for Logistics Worm Incidents - comprehensive response ensuring delivery operations and supply chain continuity.
- Option B: Staged Operations Recovery with Service Continuity - Maintain essential package delivery using manual procedures, implement phased network restoration prioritizing sorting then routing then tracking systems, coordinate with retail clients for realistic delivery expectations.
- Pros: Balances delivery operations with security recovery; minimizes customer impact through manual backup procedures; targeted approach to complex logistics challenges.
- Cons: Extended recovery timeline affecting operational efficiency; staff burden from manual procedures during peak season; potential service quality impacts.
- Type Effectiveness: Moderately effective - maintains delivery operations while enabling gradual secure logistics recovery.
- Option C: Accelerated Patch Deployment with Accepted Risk - Immediately deploy patches for the EternalBlue vulnerability (MS17-010) to all logistics systems regardless of operational testing requirements, accept short-term stability risks to prevent continued worm spread, implement enhanced monitoring for system performance issues.
- Pros: Fastest path to closing vulnerability across all logistics infrastructure; demonstrates decisive security action; minimizes worm propagation window during peak season.
- Cons: May cause package sorting and routing system instability; potential operational disruptions from unvalidated patching; risk to delivery capabilities.
- Type Effectiveness: Effective against Worm propagation but creates significant logistics operational and delivery reliability risks.
Round Transition Narrative
After Round 1 → Round 2:
The team’s initial response determines whether TransGlobal faces network isolation challenges (segmentation approach), kill switch dependency concerns (domain-based solution), or continued worm propagation threats (selective approach). Regardless of choice, the situation evolves when a major retail client threatens to shift business to competitors if delivery tracking and reliability don’t improve. Regional VP Sarah Park faces revenue pressure during the most critical shipping period of the year. IT assessment reveals that 24/7 operational requirements led to inadequate backup isolation and peak season temporary systems created additional vulnerabilities. The team discovers that this is not just a technical incident but a test of supply chain resilience, customer relationship management, competitive positioning, and operational reliability - all while containing a rapidly spreading worm during peak holiday shipping season when logistics capacity cannot be interrupted.
Debrief Focus:
- Recognition of worm propagation mechanics across logistics networks and operational technology
- Balance between delivery operations, customer service, and comprehensive security response
- Logistics-specific challenges including 24/7 uptime requirements, peak season pressure, and supply chain dependencies
- Kill switch discovery and deployment as emergency response technique for operational environments
- Importance of network segmentation and backup isolation in continuous operations infrastructure
Full Game Materials (120-140 min, 3 rounds)
Round 1: Peak Season Crisis & Emergency Operations Response (35-40 min)
Opening Scenario:
It’s Wednesday morning at TransGlobal Logistics regional hub during the busiest week of holiday shipping season. The massive facility is operating at 300% normal capacity with conveyor belts running continuously, trucks departing every 30 minutes, and package sorting equipment processing thousands of shipments per hour for major retail clients.
Operations Manager Carlos Martinez is coordinating the morning shift changeover when his radio crackles with urgent messages from multiple supervisors. “The package sorting screens are showing error messages,” one reports. “Customer tracking database is down,” another adds. Carlos heads to the IT control room where he finds Linda Zhang staring at network alerts.
“This started during overnight shift,” Linda explains. “I’m seeing ransom messages across systems. Package routing, customer tracking, delivery optimization - it’s all encrypting. And it’s spreading through the network faster than I can contain it.”
Robert Johnson bursts in from customer service. “Major retail clients are calling about shipment tracking delays. It’s the holiday season - they need real-time visibility for millions of packages. What do I tell them?”
Regional VP Sarah Park joins via video call. “This is our critical revenue period. TransGlobal’s annual performance depends on holiday season execution. We cannot afford operational disruptions that affect delivery commitments or customer relationships. What’s happening and how do we fix it immediately?”
Team Action: Each player takes 2 actions to investigate the incident using their role’s capabilities. The IM should track what the team discovers based on their investigation choices.
Investigation Discoveries (based on role and approach):
Detective-focused investigations:
- Network forensics reveal WannaCry ransomware worm exploiting EternalBlue vulnerability (MS17-010) in unpatched package tracking systems
- File analysis shows systematic encryption of delivery routes, customer data, operational databases, and logistics management systems
- Timeline reconstruction indicates initial infection during overnight shift Tuesday, followed by rapid propagation through interconnected logistics infrastructure
- Malware analysis discovers embedded kill switch domain name that could halt WannaCry encryption if properly activated
Protector-focused investigations:
- Real-time monitoring shows worm spreading faster than containment - dozens of logistics systems infected per hour during peak operations
- Critical system assessment reveals package sorting equipment, delivery route optimization, and vehicle tracking systems at imminent risk
- Network architecture review shows minimal segmentation due to 24/7 operational requirements and integrated logistics design
- Backup integrity assessment discovers some logistics backup systems may be compromised due to continuous operations and limited isolation
Tracker-focused investigations:
- Traffic analysis reveals automated SMB vulnerability exploitation creating network storm affecting logistics connectivity and operational systems
- Propagation mapping shows worm moving from package tracking toward delivery coordination and customer service platforms
- External communication analysis indicates potential spread to partner carrier networks and retail client integration systems
- Network topology assessment reveals legacy Windows systems on operational equipment cannot be easily patched during continuous 24/7 operations
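The Tracker findings above (an SMB network storm and propagation mapping from package tracking toward other platforms) and the Round 1 Lunch & Learn clue about port 445 scanning from infected tracking servers describe the same observable: one host opening connections to many hosts on TCP 445 in a short time, most of them unanswered. The following Python triage script is an added example for IMs who want to show what that looks like in data; it is not part of the scenario materials. It reads constructed Zeek-style conn.log lines (a made-up sample, not real traffic), uses an assumed segment map for the hub's subnets and assumed thresholds, flags the fan-out source, and lists the cross-segment SMB flows that an emergency segmentation (deny 445 between zones) would close.

```python
"""Worm-propagation triage over SMB connection records.

Added example for this scenario guide, not part of the exercise materials.
The log lines, the segment map and the thresholds are all constructed
assumptions for illustration.
"""
from collections import defaultdict
import ipaddress

SMB_PORT = 445

# Assumed segmentation plan: which subnets belong to which operational zone.
SEGMENTS = {
    "sorting": ipaddress.ip_network("10.10.0.0/24"),
    "routing": ipaddress.ip_network("10.20.0.0/24"),
    "tracking": ipaddress.ip_network("10.30.0.0/24"),
    "corporate": ipaddress.ip_network("10.40.0.0/24"),
}

# Constructed sample (Zeek conn.log-like, tab separated): one tracking server
# fanning out on 445 across every zone, plus ordinary file-share traffic
# that a detector must not flag. S0/RSTO = no reply/rejected, SF = completed.
SAMPLE_CONN_LOG = """\
ts\tid.orig_h\tid.resp_h\tid.resp_p\tproto\tconn_state
1700000000.10\t10.30.0.15\t10.30.0.16\t445\ttcp\tS0
1700000000.12\t10.30.0.15\t10.30.0.17\t445\ttcp\tS0
1700000000.15\t10.30.0.15\t10.30.0.18\t445\ttcp\tSF
1700000000.20\t10.30.0.15\t10.10.0.21\t445\ttcp\tS0
1700000000.22\t10.30.0.15\t10.10.0.22\t445\ttcp\tRSTO
1700000000.25\t10.30.0.15\t10.10.0.23\t445\ttcp\tSF
1700000000.30\t10.30.0.15\t10.20.0.31\t445\ttcp\tS0
1700000000.33\t10.30.0.15\t10.20.0.32\t445\ttcp\tS0
1700000000.36\t10.30.0.15\t10.20.0.33\t445\ttcp\tSF
1700000000.40\t10.30.0.15\t10.40.0.41\t445\ttcp\tS0
1700000000.44\t10.30.0.15\t10.40.0.42\t445\ttcp\tS0
1700000000.48\t10.30.0.15\t10.40.0.43\t445\ttcp\tS0
1700000001.00\t10.10.0.5\t10.10.0.50\t445\ttcp\tSF
1700000002.00\t10.10.0.6\t10.10.0.50\t445\ttcp\tSF
1700000003.00\t10.40.0.9\t10.40.0.50\t443\ttcp\tSF
"""


def parse_conn_log(text):
    """Parse the header row plus data rows into a list of dicts."""
    lines = text.strip().splitlines()
    fields = lines[0].split("\t")
    records = []
    for line in lines[1:]:
        row = dict(zip(fields, line.split("\t")))
        row["ts"] = float(row["ts"])
        row["id.resp_p"] = int(row["id.resp_p"])
        records.append(row)
    return records


def segment_of(ip):
    """Map an address to its assumed zone, or 'unknown' if outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def find_smb_scanners(records, window=60.0, min_targets=8):
    """Return {source: distinct 445 targets} for sources that touch at least
    min_targets distinct hosts on 445 inside one window-second bucket.
    A user mounting one share never reaches that fan-out; a scanning worm does."""
    targets = defaultdict(set)
    for r in records:
        if r["id.resp_p"] != SMB_PORT:
            continue
        bucket = int(r["ts"] // window)
        targets[(r["id.orig_h"], bucket)].add(r["id.resp_h"])
    scanners = {}
    for (src, _), dsts in targets.items():
        if len(dsts) >= min_targets:
            scanners[src] = max(scanners.get(src, 0), len(dsts))
    return scanners


def cross_segment_smb(records):
    """SMB flows whose endpoints sit in different zones: the paths the worm
    used to leave package tracking, and the ones a 'deny 445 between zones'
    emergency rule would close (and that manual procedures must then cover)."""
    flows = set()
    for r in records:
        if r["id.resp_p"] != SMB_PORT:
            continue
        src_seg, dst_seg = segment_of(r["id.orig_h"]), segment_of(r["id.resp_h"])
        if src_seg != dst_seg:
            flows.add((r["id.orig_h"], src_seg, r["id.resp_h"], dst_seg))
    return sorted(flows)


def triage(text):
    """Run both checks and summarise which zones the scanner has reached."""
    records = parse_conn_log(text)
    crossing = cross_segment_smb(records)
    return {
        "scanners": find_smb_scanners(records),
        "cross_segment": crossing,
        "segments_reached": sorted({dst_seg for _, _, _, dst_seg in crossing}),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_CONN_LOG)
    for src, n in result["scanners"].items():
        print(f"SMB fan-out from {src} ({segment_of(src)}): {n} distinct hosts")
    print("zones reached across segment boundaries:", result["segments_reached"])
    for src, s, dst, d in result["cross_segment"]:
        print(f"  {src} [{s}] -> {dst} [{d}] :445")
```

On the constructed sample the tracking server is the only host flagged (12 distinct targets in one window), and the cross-segment list shows it has already reached the sorting, routing and corporate zones, which is the evidence a team would use to argue for Option A's segmentation and to scope which automated functions shift to manual procedures.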
Communicator-focused investigations:
- Operations staff interviews reveal overnight shift work created infection opportunity when management oversight was minimal
- Customer service team describes immediate impact on major retail clients expecting real-time package tracking during critical holiday season
- IT staff explain security update challenges when logistics operations cannot tolerate downtime for patching and testing
- Retail client contacts reveal competitive pressure and willingness to shift business if delivery reliability is compromised
NPC Interactions:
- Carlos Martinez (Operations Manager): Focused on delivery continuity. “We’re processing 300% normal volume during peak season. Package sorting capacity has dropped 60% with systems failing. Thousands of holiday packages are backing up. We cannot meet delivery commitments if operations don’t recover immediately.”
- Linda Zhang (IT Director): Overwhelmed by operational complexity. “The worm is spreading through logistics infrastructure faster than manual containment. We designed everything for maximum uptime and integration - not security. Now that operational convenience is enabling rapid worm propagation.”
- Robert Johnson (Customer Service Director): Managing customer crisis. “Major retail clients demand real-time tracking for holiday shipments. Without tracking data, they cannot manage their own operations. Some are already threatening to shift volume to competitors if we cannot demonstrate reliability.”
- Sarah Park (Regional VP): Protecting revenue and competitive position. “Holiday season determines annual performance. This hub serves the entire region. If we fail during peak season, clients will move business permanently to competitors. I need solutions that maintain delivery operations.”
Pressure Events:
- Minute 10: Major retail client emails demanding explanation for tracking system outage affecting millions of dollars in holiday merchandise
- Minute 20: Package sorting supervisor reports facility backup reaching critical levels - physical storage space filling with unprocessed packages
- Minute 30: Delivery drivers unable to access optimized routes - manual coordination causing delays and missed delivery windows
- Minute 35: Competitor carrier contacts retail clients offering to take overflow volume and guarantee delivery reliability
Round 1 Response Strategy:
Teams must develop initial response balancing immediate worm containment with critical delivery operations for peak season. Options might include emergency network segmentation, kill switch deployment, selective operational prioritization, or aggressive backup activation. The team must decide whether to recommend partner carrier contingency plans or attempt full internal recovery.
Facilitation Questions:
- “How do you balance stopping worm propagation with maintaining critical package delivery operations during peak season?”
- “What is your recommendation to Sarah Park about delivery capability and major retail client commitments?”
- “How do you address 24/7 operational requirements while the worm is actively spreading through logistics infrastructure?”
Victory Conditions:
- Worm propagation contained before reaching all critical logistics and delivery systems
- Package processing operations maintained at sufficient capacity for holiday commitments
- Clear communication established with leadership about delivery capability and customer service restoration
Round 2: Supply Chain Coordination & Customer Service Recovery (35-40 min)
Opening Scenario:
The team’s Round 1 response has created a new operational reality. If they chose network segmentation, logistics systems are now isolated creating coordination challenges. If they deployed the kill switch, encryption has stopped but 40% of tracking data remains inaccessible. If they chose selective operations, the worm continues spreading to customer-facing systems.
Sarah Park convenes emergency operations meeting. “We need comprehensive strategy addressing delivery commitments, customer relationships, competitive positioning, and recovery timeline. Major retail clients are asking hard questions about reliability. What is our complete response plan?”
Investigation Clues:
- Clue 1 (Minute 45): Analysis reveals many logistics operational systems cannot accept immediate patches without extensive testing due to integrated supply chain dependencies and 24/7 uptime requirements.
- Clue 2 (Minute 50): Operations assessment shows that even with partial system recovery, manual procedures reduce sorting efficiency by 70% and delivery route optimization by 60% - unsustainable during peak season volume.
- Clue 3 (Minute 55): Customer service discovers that encrypted tracking data includes critical delivery history and customer preferences needed for service quality and relationship management.
- Clue 4 (Minute 60): Partner carrier outreach reveals limited overflow capacity during industry-wide peak season - contingency options are expensive and may not provide sufficient volume support.
NPC Interactions:
- Carlos Martinez: Calculating operational alternatives. “We can maintain partial delivery operations using manual coordination, but efficiency drops dramatically. We’ll miss some delivery windows and service commitments. It addresses immediate customer needs but creates quality concerns.”
- Robert Johnson: Managing customer communications. “I can be transparent with retail clients about the incident and realistic recovery timelines, or minimize the situation trying to retain confidence. Honesty may cost short-term business but builds long-term trust.”
- Linda Zhang: Planning technical recovery. “Comprehensive remediation requires patching all logistics systems, rebuilding operational databases, and implementing proper network segmentation - that’s weeks of work during peak season when we cannot afford downtime.”
- Sarah Park: Evaluating business decisions. “We can accept reduced operational efficiency and revenue loss during peak season while implementing proper recovery, or push systems hard accepting security risks to maintain delivery commitments. This is a strategic business decision with long-term competitive implications.”
Pressure Events:
- Minute 70: Major retail client formally notifies TransGlobal of delivery service level violation and penalty assessment
- Minute 80: Industry logistics publication reports on regional shipping delays affecting holiday deliveries
- Minute 85: Competitor carrier increases advertising highlighting delivery reliability during peak season
- Minute 90: Retail client requests meeting to discuss contingency plans for shifting volume to alternative carriers
Round 2 Response Strategy:
Teams must develop a comprehensive logistics recovery strategy addressing technical remediation, operational continuity, customer service, competitive positioning, and supply chain resilience. The response should balance immediate delivery needs with long-term infrastructure security.
Facilitation Questions:
- “How do you coordinate system recovery, operational continuity, and customer service simultaneously during peak season?”
- “What is your recommendation to Sarah Park about balancing delivery commitments versus comprehensive security remediation?”
- “How do you ensure supply chain reliability and customer relationships while implementing network recovery?”
Victory Conditions:
- Comprehensive logistics response strategy balancing all operational stakeholder needs
- Clear plan for delivery operations maintaining critical customer commitments
- Path forward addressing immediate peak season demands and long-term logistics security
Round 3: Logistics Infrastructure Resilience & Operational Security (35-40 min)
Opening Scenario:
The incident has evolved from immediate operational crisis into fundamental questions about logistics infrastructure security, supply chain resilience, and continuous operations cybersecurity. The team’s previous responses have shaped delivery capability, but now they must address how to protect 24/7 operations, prevent future incidents, and maintain competitive positioning.
Sarah Park addresses the team. “Beyond this immediate crisis, we must answer bigger questions. How do we secure logistics infrastructure that cannot tolerate downtime? How do we compete when security investments affect operational efficiency? How do we build supply chain resilience while maintaining cost competitiveness?”
Investigation Clues:
- Clue 1 (Minute 100): Comprehensive assessment reveals the worm exploited systemic logistics IT weaknesses: integrated networks for operational efficiency, delayed patching for 24/7 uptime requirements, minimal segmentation for system integration, and peak season temporary systems creating additional vulnerabilities.
- Clue 2 (Minute 110): Financial analysis shows proper logistics security infrastructure, isolated backups, and adequate IT security staffing would require significant investment affecting operational cost structure and competitive pricing.
- Clue 3 (Minute 115): Review of logistics industry practices reveals many carriers face similar cybersecurity challenges balancing security with 24/7 operational requirements and competitive cost pressures.
- Clue 4 (Minute 120): Analysis indicates that customer contracts and service level agreements don’t adequately account for cybersecurity incidents - creating gaps between operational commitments and realistic security recovery timelines.
NPC Interactions:
- Carlos Martinez: Considering operational changes. “I can design logistics workflows with better security controls, but additional procedures and system separations reduce operational efficiency. In a competitive industry with tight margins, efficiency directly affects profitability.”
- Robert Johnson: Evaluating customer relationships. “We can renegotiate service level agreements to include cybersecurity incident provisions, but that conversation acknowledges vulnerability and may affect competitive positioning versus carriers who don’t raise the issue.”
- Linda Zhang: Planning IT transformation. “I can implement resilient logistics IT architecture with proper segmentation, isolated backups, and comprehensive security monitoring. But that requires investment, changes operational procedures, and creates friction with efficiency-focused logistics culture.”
- Sarah Park: Weighing strategic decisions. “The logistics industry operates on thin margins and fierce competition. Security investments affect cost structure and operational efficiency. How do we justify cybersecurity spending when competitors may not make similar investments and can undercut our pricing?”
Pressure Events:
- Minute 125: Industry logistics security working group requests TransGlobal participation in developing supply chain cybersecurity standards
- Minute 130: Cyber insurance carrier reviews policy and indicates premium increases following the incident
- Minute 135: Major retail client sends updated IT security requirements for carrier qualification
- Minute 138: Board of directors schedules review of cybersecurity strategy and operational security investments
Round 3 Response Strategy:
Teams must develop recommendations addressing not just technical recovery but broader questions of logistics infrastructure security, supply chain resilience, competitive positioning in security-conscious markets, and sustainable cybersecurity for continuous operations environments.
Facilitation Questions:
- “How do you recommend TransGlobal balance cybersecurity investments with operational efficiency and competitive cost pressures?”
- “What operational changes would prevent similar incidents while respecting 24/7 logistics requirements and supply chain integration?”
- “How should logistics carriers approach cybersecurity given continuous operations constraints, tight margins, and competitive industry dynamics?”
Victory Conditions:
- Comprehensive recovery plan restoring all logistics operations securely
- Sustainable cybersecurity strategy appropriate for 24/7 operations and competitive realities
- Clear communication to customers and stakeholders about incident response, prevention, and operational reliability
- Recommendations addressing systemic logistics cybersecurity challenges beyond immediate technical fixes
Debrief Focus:
- Technical understanding of worm propagation through operational technology and logistics networks
- Recognition of logistics industry’s unique challenges: 24/7 uptime requirements, competitive cost pressure, supply chain integration
- Balance between immediate operational response and long-term infrastructure resilience
- Coordination between IT security, logistics operations, customer service, and competitive positioning
- Industry-specific considerations in cybersecurity decision-making and operational security investment
Advanced Challenge Materials (150-170 min)
Additional Complexity Elements:
Red Herrings & Misdirection
- Equipment Failures: Some package sorting mechanical failures are coincidental equipment issues unrelated to the cyber attack, creating confusion about operational versus security problems.
- Seasonal System Load: Legitimate system slowdowns from peak season traffic volume create ambiguity about whether performance issues are attack-related or capacity constraints.
- Contractor Issues: Temporary peak season contractors report various system access problems that may be normal onboarding issues or security-related complications.
- Competitor Activity: Reports of competitor carrier aggressive client outreach could be opportunistic business development or deliberate exploitation of TransGlobal’s difficulties.
Removed Resources & Constraints
- No External Threat Intelligence: Remove access to pre-existing WannaCry knowledge - team must deduce worm behavior, kill switch mechanism, and vulnerability details from logistics environment investigation alone.
- Limited IT Expertise: IT Director Zhang has logistics systems knowledge but limited advanced cybersecurity incident response experience - team cannot rely on NPC security guidance.
- Operational Constraints: Operations Manager Martinez prioritizes delivery continuity and will resist security measures disrupting logistics flow - creating tension between security and operations.
- Budget Limitations: Regional VP Park manages profit-and-loss responsibility and questions expensive emergency solutions during peak revenue season - cost approvals face business case scrutiny.
Enhanced Pressure & Consequences
- Customer Relationship Impact: Specific major retail client stories showing potential permanent business loss if holiday delivery commitments are not met - personalizes the competitive pressure.
- Employee Impact: Delivery drivers and warehouse staff facing reduced hours or potential layoffs if operational capacity cannot be maintained - humanizes the business consequences.
- Supply Chain Cascade: Evidence that TransGlobal’s difficulties are affecting downstream retail operations and consumer holiday shopping - demonstrates broader supply chain impact.
- Media Attention: Local news coverage of shipping delays affecting holiday deliveries creates public relations pressure and brand reputation concerns.
Ethical Dilemmas
- Operational Safety vs Security: Should TransGlobal accept potential security risks to maintain delivery operations, or implement strict security controls potentially causing package delivery failures and customer losses?
- Customer Transparency: Should the company immediately disclose the cyber incident to retail clients risking business relationships, or minimize communications attempting to resolve quietly?
- Employee Security: Should temporary contractors have system access restricted creating operational inefficiency, or maintain access accepting security risks during investigation?
- Competitive Response: Should TransGlobal coordinate with competitor carriers on industry security challenges, or maintain information privacy to protect competitive positioning?
Advanced Investigation Challenges
- Operational Technology Complexity: Logistics systems blend IT and operational technology creating unique forensic challenges in distinguishing attack impact from normal system behavior.
- 24/7 Operations Constraints: Investigation must occur while systems remain operational for continuous package processing - cannot take systems offline for thorough analysis.
- Multi-Location Scope: Worm spread across multiple transportation hubs and delivery centers requires coordinated investigation across geographically distributed infrastructure.
- Third-Party Integration: Logistics systems integrate with partner carriers, retail clients, and service providers creating complex attribution and propagation analysis.
Complex Recovery Scenarios
- Data Integrity Questions: Recovery from backups reveals discrepancies in package tracking records requiring decisions about accepting data gaps versus extended recovery validation.
- Vendor Dependencies: Operational logistics systems require vendor support but vendors have limited availability during industry-wide peak season creating recovery timeline challenges.
- Contract Obligations: Service level agreements have specific performance requirements that may conflict with security remediation timelines - creating legal and business tensions.
- Capacity Planning: Even with technical recovery, operational efficiency reductions may require volume management or partner carrier coordination to meet delivery commitments.
Advanced Debrief Topics
- Continuous Operations & Cybersecurity: How should industries with 24/7 operational requirements approach cybersecurity when systems cannot tolerate downtime for security maintenance?
- Supply Chain Security: What unique challenges do logistics and transportation industries face in cybersecurity compared to traditional IT environments?
- Competitive Security Investment: How can companies justify cybersecurity investments in competitive industries with tight margins when security spending affects cost structure?
- Operational Technology Protection: How should organizations balance IT security principles with operational technology realities in logistics, manufacturing, and critical infrastructure?
- Peak Demand Vulnerabilities: How can seasonal or cyclical operations maintain security during peak periods when systems are under maximum load and operational focus?
Advanced Challenge Debrief Questions:
- “How did 24/7 operational requirements and peak season pressure affect your incident response decision-making differently than standard business environments?”
- “What different approaches might logistics industries require for cybersecurity compared to traditional IT-focused organizations?”
- “How do you balance operational efficiency and competitive cost structure with comprehensive cybersecurity in tight-margin industries?”
- “What systemic changes would make supply chain and logistics operations more resilient to cybersecurity threats while respecting operational and competitive realities?”