Stuxnet Historical Foundation Scenario - Planning Guide

Complete preparation guide for expert-level historical scenario

This planning document provides comprehensive facilitation guidance for running the Stuxnet Historical Foundation scenario, featuring the first confirmed cyber attack on critical nuclear infrastructure, sophisticated nation-state malware with multiple zero-day exploits, air-gapped network penetration, and physical destruction of uranium enrichment equipment while evading all monitoring systems.


1. Quick Reference

Essential at-a-glance information for session setup

  • Malmon: Stuxnet (Nuclear/Electric dual-type)
  • Difficulty Tier: Tier 3 (Expert)
  • Scenario Variant: Historical Foundation - June 2010 Natanz Discovery
  • Organizational Context: Natanz Technical Facility: 285 employees, uranium enrichment facility, IAEA oversight
  • Primary Stakes: Nuclear facility safety + International relations + Critical infrastructure protection + Nation-state cyber warfare precedent
  • Recommended Formats: Full Game (minimum 120 min) or Advanced Challenge (150-170 min); Quick Demo and Lunch & Learn NOT recommended
  • Essential NPCs: Dr. Kaveh Afshari (Nuclear Safety Director), Reza Shahbazi (Control Systems Engineer), Mitra Rezaei (Industrial Cybersecurity Manager), Behnam Khalili (Centrifuge Operations Supervisor)
  • Optional NPCs: IAEA Inspector, Siemens Engineer, Federal Agency Representative (DOE/CISA equivalent)

Scenario Hook

Natanz Technical Facility’s uranium enrichment centrifuge arrays face mechanical failures that monitoring systems cannot explain. Security researchers have discovered sophisticated malware targeting industrial control systems worldwide—and the evidence suggests your facility is the target of a cyber weapon designed by nation-state adversaries with unprecedented resources and detailed intelligence about your facility.

Victory Condition

Team identifies nation-state cyber weapon targeting nuclear facility, determines centrifuge manipulation scope and timeline, protects facility from continued attack, coordinates international response to first confirmed cyber weapon against critical infrastructure, and establishes new paradigm for industrial cybersecurity without compromising nuclear safety or international relations.


2. Game Configuration Templates

Stuxnet’s historical significance requires sustained engagement. Only two formats are appropriate for this scenario:

Advanced Challenge Configuration (150-170 min)

Pre-Configured Settings:

  • Number of Rounds: 6 rounds
  • Actions per Player: 2-3 actions per round
  • Investigation Structure: Complex multi-threaded with hidden connections
  • Response Structure: Innovative solutions required across technical, diplomatic, and safety domains
  • Team Size: 6+ players (expanded roles or specialized teams)
  • Success Mechanics: Complex status tracking (Nuclear Safety, Centrifuge Damage, Attribution Confidence, International Coordination)
  • Evidence Type: Sophisticated with layered red herrings and genuine uncertainties from 2010
  • Attack Complexity: Multi-stage nation-state operation unfolding over weeks
  • NPC Count: 5-6 with conflicting priorities and incomplete information
  • Badge Tracking: On with critical infrastructure achievements

Experience Focus: Definitive expert-level experience featuring nation-state cyber weapon discovery exactly as it unfolded in 2010. Maximum complexity with minimal guidance. Players experience genuine uncertainty, incomplete information, international coordination challenges, and decision-making that establishes the first cyber weapon precedent.

Time Breakdown:

  • Introduction & Roles: 12 min
  • Scenario Briefing: 12 min
  • Round 1 (Centrifuge Anomaly Discovery): 20 min
  • Round 2 (Malware Sophistication Analysis): 25 min
  • Round 3 (Air-Gap Penetration Investigation): 25 min
  • Round 4 (Physical Damage Timeline & Attribution): 25 min
  • Round 5 (International Coordination & Disclosure): 25 min
  • Round 6 (Facility Decisions & Nation-State Response): 25 min
  • Extended Debrief: 15 min
  • Advanced Discussion (2010 vs Today): 15 min

Facilitation Notes: Maximum authenticity with minimal heroic problem-solving. Introduce all five pressure points. Delay attribution confirmation until Round 4. Create genuine diplomatic uncertainty about response. Challenge assumptions about what cybersecurity “should” do. End with discussion: “In June 2010, the world had never seen this before. What precedent does Natanz establish?”


3. Scenario Overview

Opening Presentation

“It’s June 2010 at Natanz Technical Facility. Your facility operates uranium enrichment centrifuge arrays—the backbone of your nuclear program. Everything has been running normally. Or so your monitoring systems say.

But for the past week, Control Systems Engineer Reza Shahbazi has been watching something odd. Centrifuge failures are trending upward. Components wearing out faster than they should. Mechanical behavior that doesn’t match what the instruments are showing. You’ve brought in maintenance specialists—the centrifuges are genuinely failing, physically, in ways that don’t make sense for equipment at this stage of its lifecycle.

This morning, word reaches your facility that security researchers worldwide have discovered a piece of malware unlike anything seen before. It’s targeting industrial control systems globally. It has a specific name: Stuxnet.

By this afternoon, you’re seeing connections: centrifuge failures that defied explanation, control systems that reported normal operations while equipment physically deteriorated, malware discovered at exactly the moment your facility’s problems became impossible to ignore.

Your incident response team must determine what happened, ensure your facility remains safe to operate, protect your enrichment capability from what appears to be nation-state targeting, and navigate the geopolitical minefield that opens when a cyber weapon causes physical destruction of nuclear infrastructure for the first time in history.”

Initial Symptoms to Present

  • Centrifuge arrays showing mechanical anomalies – component failure rates higher than expected for equipment at this stage of its lifecycle
  • Control systems reporting normal operation while physical inspection reveals centrifuge behavior inconsistent with displayed parameters
  • Security researchers worldwide issuing alerts about a new piece of industrial malware with unusual characteristics – unlike any malware seen before
  • IT team noting occasional unexpected activity on systems believed to be isolated from external networks

Organizational Context Details

Organization Profile:

  • Name: Natanz Technical Facility (uranium enrichment center)
  • Type: Critical Infrastructure (Nuclear fuel enrichment)
  • Size: 285 employees, operates sophisticated centrifuge cascades
  • Key Assets: Uranium enrichment centrifuges, Siemens S7 PLC control systems, SCADA networks, frequency converters, air-gapped operational networks
  • Regulatory Environment: IAEA oversight, international nuclear non-proliferation agreements, national nuclear security, regional energy policy

Cultural Factors:

  • Nuclear facility operations require absolute reliability and safety culture
  • Control system stability is measured in years of uninterrupted operation
  • Centrifuge technology is proprietary and closely guarded intellectual property
  • International oversight creates transparency pressure and suspicion simultaneously
  • Any malfunction carries both operational and geopolitical implications

Malmon Characteristics in This Scenario

Stuxnet manifests as the first confirmed cyber weapon designed to compromise critical infrastructure with nation-state resources. The malware demonstrates unprecedented sophistication including multiple zero-day exploits, stolen digital certificates, detailed knowledge of proprietary industrial systems, USB-based air-gap penetration, peer-to-peer update mechanisms for isolated networks, and the ability to cause sustained physical damage to critical equipment while perfectly concealing activities from operators and monitoring systems.

Key Capabilities Demonstrated:

  • Multiple Zero-Day Exploits: Four zero-day vulnerabilities exploited simultaneously, each worth millions on the black market—indicating nation-state development resources
  • Supply Chain Compromise: Stolen digital certificates from legitimate hardware manufacturers used to make malware appear as trusted components
  • Industrial Targeting: Specific knowledge of Siemens S7 PLC architectures, centrifuge control configurations, and uranium enrichment operational procedures
  • Centrifuge Manipulation: Precise frequency converter control causing systematic mechanical stress on spinning equipment without obvious operational impact
  • Dual Monitoring Compromise: Malware manipulates both operational control systems AND monitoring systems simultaneously—operators and regulators see normal readings while equipment fails
  • Air-Gap Penetration: Spreads via USB drives inserted during legitimate maintenance, contractor equipment updates, and system administration procedures
  • Self-Limiting Spread: Deliberately constrained to not propagate widely—unusual for malware, indicating targeted weapon design not mass-deployment tool

Vulnerabilities to Exploit:

  • Field Observation: While SCADA displays can be perfectly falsified, actual physical centrifuge failures cannot be hidden from experienced operators and inspection
  • Operator Experience: Veteran control systems engineers detect subtle anomalies through years of understanding “normal” facility behavior that automated systems miss
  • Supply Chain Visibility: Digital certificate usage patterns eventually reveal compromise through analysis of driver signatures and component authenticity
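The "Field Observation" and "Dual Monitoring Compromise" points above come down to one defensive idea: a display that passes through the compromised control path cannot be trusted, but an independent measurement that never touches the PLC or HMI can be compared against it. The following is an added example (not part of the scenario materials or any handout) of that cross-check. The nominal 1000 Hz, the tolerance values, and every reading are constructed placeholders rather than real centrifuge parameters; the point is the shape of the logic, not the numbers.

```python
"""Out-of-band consistency check between what the HMI/SCADA screen displays
and what an independent sensor measures. Added example, not from the
scenario materials; all values are constructed placeholders."""
from dataclasses import dataclass
from statistics import pstdev


@dataclass(frozen=True)
class Sample:
    t: int           # seconds since the start of the observation window
    hmi_hz: float    # drive frequency as shown on the HMI/SCADA screen
    field_hz: float  # drive frequency derived from an independent sensor
                     # (e.g. a standalone vibration logger not wired through the PLC)


# Constructed readings: the display stays flat while the physical drive
# frequency swings well above and below the (constructed) nominal 1000 Hz.
MANIPULATED = [
    Sample(0, 1000.0, 1000.4),
    Sample(60, 1000.1, 999.6),
    Sample(120, 1000.0, 1060.0),
    Sample(180, 1000.0, 1120.0),
    Sample(240, 1000.1, 1180.0),
    Sample(300, 1000.0, 1000.2),
    Sample(360, 1000.0, 880.0),
    Sample(420, 1000.1, 820.0),
    Sample(480, 1000.0, 1000.8),
]

# Constructed readings for a healthy cascade: both traces wander slightly, together.
HEALTHY = [
    Sample(0, 1000.0, 1000.3),
    Sample(60, 1000.4, 1000.1),
    Sample(120, 999.8, 999.9),
    Sample(180, 1000.2, 1000.5),
    Sample(240, 999.9, 1000.0),
]


def divergent_samples(samples, tol_hz=5.0):
    """Timestamps where display and independent measurement disagree by more than tol_hz."""
    return [s.t for s in samples if abs(s.hmi_hz - s.field_hz) > tol_hz]


def display_looks_frozen(samples, max_hmi_spread=0.5, min_field_range=20.0):
    """True when the HMI trace is nearly constant while the independent sensor
    covers a wide range: the signature of a display replaying 'normal' data
    instead of showing live values."""
    hmi = [s.hmi_hz for s in samples]
    field = [s.field_hz for s in samples]
    return pstdev(hmi) < max_hmi_spread and (max(field) - min(field)) > min_field_range


def assess(samples):
    """Combine both checks into a verdict an operations supervisor can act on."""
    divergent = divergent_samples(samples)
    frozen = display_looks_frozen(samples)
    if divergent and frozen:
        verdict = "display untrusted: inspect drives and frequency converters directly"
    elif divergent:
        verdict = "instrument disagreement: calibrate and re-check"
    else:
        verdict = "consistent"
    return {"divergent_samples": divergent, "frozen_display": frozen, "verdict": verdict}


if __name__ == "__main__":
    for name, data in (("manipulated", MANIPULATED), ("healthy", HEALTHY)):
        print(name, assess(data))
```

The design choice worth discussing with players is the second check: a single divergent reading could be a calibration problem, but a display whose variance is near zero while the independent sensor shows large excursions is exactly the "operators see normal readings while equipment fails" condition the scenario describes, and it can only be detected with a measurement path the control network does not own.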

4. NPC Reference

Essential NPCs (Must Include)

NPC 1: Dr. Kaveh Afshari (Nuclear Safety Director)

  • Position: Overall nuclear facility safety, responsible for IAEA coordination and safe operations
  • Personality: Formal, methodical, deeply concerned about safety implications, protective of facility reputation
  • Agenda: Needs to ensure facility is safe while coordinating with IAEA and federal agencies; balancing transparency with national security concerns
  • Knowledge: Nuclear safety regulations, IAEA reporting requirements, centrifuge operations, federal agency coordination
  • Pressure Point: Nuclear safety is non-negotiable; international reputation and career responsibility; pressure from both operational and diplomatic concerns
  • IM Portrayal Notes: Play Dr. Afshari as the safety-first director who will shut down operations rather than risk nuclear incident. He asks: “Can we guarantee this facility is safe, and can we guarantee to the world that we’re responding correctly?” Use him to introduce geopolitical and safety decision points.

NPC 2: Reza Shahbazi (Control Systems Engineer)

  • Position: Day-to-day control systems operations and troubleshooting
  • Personality: Technical expert, observant, first to notice anomalies, troubled by sophistication of attack, determined investigator
  • Agenda: Wants to understand what happened to “his” systems and restore normal operations
  • Knowledge: Centrifuge control operations, Siemens PLC architecture, normal operational parameters, system logs and monitoring
  • Pressure Point: Professional reputation tied to facility reliability; concern that he missed signs of attack; guilt about not catching it sooner
  • IM Portrayal Notes: Play Reza as the engineer who first noticed something was wrong. He says: “The numbers don’t make sense. The centrifuges are failing in ways that shouldn’t happen, and the SCADA is reporting nothing wrong.” Use him to provide technical discoveries and introduce physical/operational contradictions that drive investigation forward.

NPC 3: Mitra Rezaei (Industrial Cybersecurity Manager)

  • Position: Industrial control system security (relatively new role in 2010)
  • Personality: Security-focused, frustrated by difficulty of protecting air-gapped systems, learning as situation evolves
  • Agenda: Wants to understand attack vector and implement controls that prevent recurrence
  • Knowledge: Cybersecurity fundamentals, network architecture, air-gap isolation assumptions, incident response procedures
  • Pressure Point: Cybersecurity is still emerging for industrial systems in 2010; realizing traditional IT security doesn’t apply; career implications if security posture was inadequate
  • IM Portrayal Notes: Use Mitra to challenge assumptions about air-gap security and introduce modern cybersecurity thinking. She realizes: “Air-gapped systems aren’t truly isolated if USB drives are part of normal operations. We’ve been assuming physical isolation is enough, but it’s not.”

NPC 4: Behnam Khalili (Centrifuge Operations Supervisor)

  • Position: Day-to-day centrifuge operation and physical monitoring
  • Personality: Experienced operator, trusts field observations over instruments, practical problem-solver
  • Agenda: Wants centrifuges running reliably; concerned about equipment damage and operational continuity
  • Knowledge: Centrifuge mechanical behavior, normal operational signatures, component failure patterns, physical inspection findings
  • Pressure Point: Operational responsibility; concern about equipment damage; uncertainty about how to respond to “invisible” threats
  • IM Portrayal Notes: Play Behnam as the voice of field reality. He describes centrifuge behavior that contradicts SCADA readings: “The instruments say everything is normal, but when I listen to the centrifuges, they sound wrong. The mechanical stress patterns, the vibrations—something is damaging them.”

Optional NPCs (Add Depth)

NPC 5: IAEA Inspector

  • Position: International Atomic Energy Agency oversight and verification
  • Personality: Professional, focused on compliance and safety, concerned about international implications
  • Agenda: Needs to report incident to IAEA, coordinate international response, ensure nuclear safety
  • Knowledge: International nuclear regulations, IAEA inspection procedures, incident reporting requirements

NPC 6: Siemens Engineer

  • Position: Industrial control system manufacturer representative
  • Personality: Technical, protective of product reputation, learning about unprecedented attack
  • Agenda: Wants to understand how systems were compromised and help facility respond
  • Knowledge: Siemens S7 PLC architecture, zero-day vulnerabilities, typical attack patterns, system hardening options

NPC 7: Federal Agency Representative (DOE/CISA equivalent)

  • Position: National critical infrastructure and nuclear security coordination
  • Personality: Strategic thinker, concerned about nation-state implications, serious about consequences
  • Agenda: Wants to understand attack scope, coordinate national response, assess implications for other facilities
  • Knowledge: Critical infrastructure threats, attribution indicators, nation-state capabilities, coordinated response procedures

NPC Interaction Guidelines

When to introduce NPCs:

  • Dr. Afshari (Immediately): Opens scenario and provides facility context; appears periodically with pressure points and decision points
  • Reza Shahbazi (Immediately): Describes initial centrifuge failures and control system anomalies; provides ongoing technical consultation
  • Mitra Rezaei (Round 1-2): Consulted as investigation moves toward cybersecurity analysis; challenges air-gap security assumptions
  • Behnam Khalili (Round 1): Describes physical centrifuge behavior that contradicts SCADA readings; introduces field observation evidence
  • IAEA Inspector (Round 2-3): Contacted as international implications become clear; represents oversight obligations
  • Siemens Engineer (Round 2-3): Brought in for technical analysis of zero-day exploits and PLC-specific targeting
  • Federal Representative (Round 3-4): Appears when nation-state attribution becomes likely; handles strategic coordination

How NPCs advance the plot:

  • Dr. Afshari forces facility shutdown vs. continue operation decision with nuclear safety and international reputation at stake
  • Reza Shahbazi provides technical discoveries and validates investigation direction with evidence from control system analysis
  • Mitra Rezaei introduces cybersecurity perspective and challenges assumptions about what “isolation” means
  • Behnam Khalili grounds investigation in physical reality that operators cannot hide or deny
  • IAEA Inspector escalates international dimensions and creates transparency pressure
  • Siemens Engineer confirms zero-day sophistication and validates attribution indicators
  • Federal Representative frames nation-state implications and discusses coordinated response

5. Round-by-Round Investigation Guide

Round 1: “What sophisticated malware is targeting our facility?”

Detective Focus: Malware forensics reveal unprecedented sophistication combining multiple zero-day exploits worth millions on black market, indicating nation-state level resources and months of development investment.

Protector Focus: Control system monitoring shows normal operational status despite physical evidence of component failure, indicating malware has compromised both operational systems AND monitoring systems simultaneously.

Tracker Focus: Network analysis reveals infection vector through USB drives and maintenance procedures, with peer-to-peer update mechanism enabling malware evolution in air-gapped environments.

Communicator Focus: Facility NPCs describe the contradiction between what monitoring systems show (normal) and what physical observation reveals (catastrophic failure), introducing operator-vs.-instruments tension.

Crisis Manager Focus: Initiate federal agency notification chain and begin IAEA coordination on discovery obligations under international nuclear agreements.

Facilitation Notes: Establish that this is not typical malware. Four zero-day exploits, stolen certificates, targeting specificity—this represents nation-state capabilities. Players should feel that they’re investigating something unprecedented.


Round 2: “How did this cyber weapon reach our air-gapped systems?”

Detective Focus: Detailed forensic analysis shows malware specifically targets Siemens S7 PLCs with exact configuration used in uranium enrichment facilities, indicating detailed proprietary knowledge only available through extensive intelligence gathering.

Protector Focus: Air-gap analysis reveals systems believed fully isolated were accessed via USB drives during normal contractor maintenance, Siemens system updates, and routine administrative procedures—the “isolation” assumption was never absolute.

Tracker Focus: Infection timeline reconstruction shows malware likely infiltrated during recent maintenance activities or system updates, with peer-to-peer mechanism allowing silent evolution and spread without detected C2 communication.

Communicator Focus: IAEA officials and Siemens engineers confirm the malware had detailed knowledge of proprietary systems that should have been secret, escalating concern about intelligence gathering and facility reconnaissance.

Crisis Manager Focus: Coordinate facility shutdown decision considering nuclear safety constraints—operating compromised systems carries risks that must be weighed against operational continuity requirements.

Facilitation Notes: The air-gap breakthrough is the turning point. Players realize that “isolated” doesn’t mean “safe”—legitimate operational procedures create the vulnerability. Emphasize that this is exactly how the real attack worked.
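The Tracker's timeline reconstruction in this round, and the "isolation was never absolute" point, can be made concrete with removable-media records from the supposedly isolated hosts. The following is an added example (not part of the scenario materials or Handout B) that triages USB mass-storage attach events against approved maintenance windows and flags any device seen on more than one host. The key=value log format, hostnames, device serials and ticket numbers are all constructed for this example.

```python
"""Triage of USB mass-storage attach events on hosts believed to be
air-gapped. Added example, not part of the scenario materials; the log
format, hostnames, serials and maintenance tickets are constructed."""
import re
from datetime import datetime

# Constructed log excerpt in a key=value style invented for this example.
SAMPLE_LOG = """\
2010-05-10T08:05:11 host=ENG-WS-01 event=usb_storage_attach serial=USB-A1
2010-05-10T08:40:35 host=ENG-WS-01 event=usb_storage_detach serial=USB-A1
2010-05-11T22:17:49 host=ENG-WS-02 event=usb_storage_attach serial=USB-B7
2010-05-12T09:14:02 host=HMI-CASCADE-03 event=usb_storage_attach serial=USB-A1
2010-05-12T09:20:00 host=HMI-CASCADE-03 event=logon user=vendor_tech
2010-05-13T03:02:10 host=ENG-WS-02 event=usb_storage_attach serial=USB-B7
"""

# Constructed approved maintenance windows: (host, start, end, change ticket).
MAINTENANCE_WINDOWS = [
    ("ENG-WS-01", datetime(2010, 5, 10, 8, 0), datetime(2010, 5, 10, 10, 0), "MW-101"),
    ("HMI-CASCADE-03", datetime(2010, 5, 12, 9, 0), datetime(2010, 5, 12, 11, 0), "MW-102"),
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+)(?: serial=(?P<serial>\S+))?"
)


def parse_attach_events(text):
    """Keep only usb_storage_attach records; detach and unrelated events are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("event") != "usb_storage_attach":
            continue
        events.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "host": m.group("host"),
            "serial": m.group("serial"),
        })
    return events


def approved_ticket(host, ts, windows):
    """Return the change ticket covering this host at this time, or None."""
    for w_host, start, end, ticket in windows:
        if w_host == host and start <= ts <= end:
            return ticket
    return None


def triage(text, windows):
    """Flag attaches outside any approved window and devices that travelled
    between hosts, which is how media bridges an 'isolated' network."""
    outside = []
    hosts_by_serial = {}
    for ev in parse_attach_events(text):
        hosts_by_serial.setdefault(ev["serial"], set()).add(ev["host"])
        if approved_ticket(ev["host"], ev["ts"], windows) is None:
            outside.append({"ts": ev["ts"].isoformat(), "host": ev["host"], "serial": ev["serial"]})
    multi = {s: sorted(h) for s, h in hosts_by_serial.items() if len(h) > 1}
    return {"outside_window": outside, "multi_host_devices": multi}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, MAINTENANCE_WINDOWS).items():
        print(key, value)
```

Note that the device USB-A1 is inside an approved window on both hosts and would pass a ticket-only review; it is flagged solely because the same serial appears on two machines that are supposed to have no path between them. That is the lesson Mitra Rezaei voices in this round: legitimate, scheduled procedures are the path, so the record of media movement has to be reviewed as a whole rather than one ticket at a time.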


Round 3: “What physical damage has this cyber weapon caused?”

Detective Focus: Sustained malware analysis reveals it was designed to cause physical centrifuge damage through systematic manipulation of speed and frequency—not data theft or espionage, but physical destruction.

Protector Focus: Timeline analysis shows weeks of systematic centrifuge operation at stress-inducing frequencies while SCADA monitoring displayed normal parameters—dual compromise of control AND monitoring systems perfected the concealment.

Tracker Focus: Malware behavior shows unusual self-limiting design—deliberately constrained to not propagate beyond target facility, suggesting targeted weapon rather than mass-deployment malware.

Communicator Focus: Behnam Khalili’s field inspections confirm sustained mechanical damage to centrifuge cascades, with component stress patterns indicating weeks of manipulation without detection by automated monitoring.

Crisis Manager Focus: Assess damage scope and safety implications; coordinate with Nuclear Safety Director on facility operational continuity decisions with incomplete damage assessment information.

Facilitation Notes: Physical damage is the inflection point that transforms this from “cyber incident” to “cyber weapon.” Make physical damage real—not abstract network compromise, but failed equipment, stressed components, and damage that requires replacement.


Round 4: “What are the geopolitical implications of this cyber weapon?”

Detective Focus: Attribution indicators accumulate: scale of resources, specificity of targeting, operational patience, detailed facility intelligence, and “self-limiting” malware design all point to nation-state level adversary with unprecedented cyber weapon capability.

Protector Focus: Full scope revelation: the facility’s security posture was built on assumptions (air-gap = safe, signed software = trusted, isolated systems = protected) that this malware systematically defeated—forcing fundamental reassessment of all industrial security assumptions.

Tracker Focus: Malware demonstrates nation-state capability to precisely target specific critical infrastructure facilities, cause physical damage, evade all detection, and operate silently for sustained periods without discovered C2 communication.

Communicator Focus: International implications become clear—this is the first confirmed cyber weapon causing physical destruction of nuclear infrastructure, establishing a precedent with no existing international law framework or response mechanisms.

Crisis Manager Focus: International disclosure obligations create diplomatic minefield—this isn’t just a cybersecurity incident, it’s a geopolitical event with nation-state implications affecting strategic relationships and nuclear policy.

Facilitation Notes: The geopolitical section transforms the scenario from “incident response” to “international crisis.” Emphasize that in June 2010, the world had no framework for responding to this. Players are establishing precedent for how nations respond to cyber attacks on nuclear facilities.


Round 5: “How should we respond strategically?”

All Roles Focus: Teams choose from response options (see Section 6) balancing immediate facility safety, operational continuity, international coordination, and strategic defense implications.

Facilitation Notes: Decisions made in Round 5 have cascading effects for all roles and the broader geopolitical implications. Support teams in making well-reasoned choices while respecting the gravity of deciding facility shutdown, international disclosure timing, and strategic response.


6. Response Options

Option A: Emergency Facility Shutdown

Effectiveness: Super effective – ensures nuclear safety and complete malware removal

  • Immediate complete shutdown of all centrifuge operations
  • Full system validation and forensic analysis before restart
  • International transparency with IAEA and partner nations
  • Significant operational disruption and timeline impact
  • Sets precedent for nuclear facility safety in response to cyber attacks
  • International credibility and safety assurance

Option B: Accelerated Parallel Response

Effectiveness: Moderately effective – balances operations with security

  • Selective isolation of compromised systems while maintaining essential operations
  • Rapid forensic analysis and malware removal in parallel with continued production
  • Coordinated IAEA notification with damage assessment information
  • Continued centrifuge operations with risk management
  • Operational continuity with managed risk
  • International coordination during active operations

Option C: Selective System Isolation with Phased Recovery

Effectiveness: Partially effective – maintains operations but extends risk

  • Targeted system isolation and malware removal while resuming critical operations
  • Phased restart of centrifuge cascades with continuous monitoring validation
  • IAEA notification after initial assessment and control restoration
  • Extended operational capability but prolonged facility risk exposure
  • Strategic continuity with ongoing security concerns
  • International explanation challenged by continued operations during active threat

7. Debrief Facilitation Guide

Historical Context & Modernization Prompts

What Actually Happened:

In June 2010, security researchers discovered Stuxnet attacking uranium enrichment facilities in Iran. It was a sophisticated nation-state cyber weapon—the first confirmed attack using multiple zero-day exploits to cause physical destruction of critical infrastructure equipment. The attack took years to develop, months to execute, and required detailed knowledge of proprietary industrial systems. In 2010, the world had no framework to respond.

Then vs. Now:

  1. Infrastructure Evolution: How has critical infrastructure security changed since 2010? Are systems more or less vulnerable to sophisticated attacks?
  2. Attack Sophistication: In 2010, four zero-day exploits were unprecedented. Today, what’s the threat landscape for critical infrastructure?
  3. Detection Capabilities: How have threat detection and incident response capabilities evolved since the world discovered Stuxnet?
  4. Response Coordination: Compare 2010 international response framework to modern critical infrastructure incident coordination.
  5. Physical Impact: Why do cyber attacks on different infrastructure (power grids, water systems, nuclear facilities) create different consequences?
  6. Attribution Confidence: What made Stuxnet attribution so difficult in 2010, and how have attribution capabilities evolved?

Learning Validation

Check Understanding:


8. Troubleshooting

“Teams underestimate malware sophistication”

Prompt: “Security researchers have identified that this malware uses FOUR zero-day exploits—each worth millions of dollars on the black market. The attackers also stole digital certificates from companies like Realtek and JMicron to make malware appear as trusted components. This level of sophistication and resource investment only appears in nation-state cyber operations. What does this tell you about who is attacking you?”

“Air-gapped security assumptions go unchallenged”

Prompt: “Your facility is air-gapped—completely isolated from the internet. Yet the malware reached you through USB drives used for contractor maintenance and Siemens system updates. These are normal operational procedures you can’t avoid. What does this mean for your assumption that physical isolation guarantees security?”

“Physical world consequences are overlooked”

Prompt: “Centrifuge Operations Supervisor Behnam Khalili reports that this malware has been systematically manipulating centrifuge speeds for weeks—sometimes too fast, sometimes too slow—causing cumulative mechanical stress and physical damage. This isn’t espionage or data theft. This is a cyber weapon causing actual equipment failure. How does this physical impact change your understanding of the threat?”

“Geopolitical implications are ignored”

Prompt: “This is the first time in history that a cyber weapon has caused physical destruction of nuclear infrastructure. International law has no framework for responding to this. National intelligence assessments must determine attribution. Diplomatic channels must be engaged for response strategy. This is no longer an incident response problem—it’s a geopolitical crisis. How does your organization respond?”

“Timeline pressure overwhelms safety considerations”

Prompt: “Nuclear Safety Director Dr. Afshari tells you: ‘I understand the operational pressure. I understand the international relationships at stake. But I will not operate equipment I cannot guarantee is safe. What can you tell me that allows me to say with confidence that this facility is not putting people at risk?’”


Cross-References

Scenario Card: Stuxnet Historical Foundation Scenario Card

Presentation Slides: Stuxnet Historical Foundation Scenario Slides

Handout A: SCADA Diagnostics showing frequency converter manipulation

Handout B: USB Device Installation Log showing air-gap penetration

Handout C: Certificate Validation Log showing stolen manufacturer certificates


Scenario Customization Notes

For High-Expertise Groups:

Add technical depth on Siemens S7 PLC architecture, zero-day vulnerability mechanics, frequency converter operating-range safety margins, and uranium enrichment centrifuge physics. Introduce specific CVE numbers and technical attack analysis.

For Beginner Groups:

Simplify to core concepts: sophisticated malware, air-gap vulnerability, physical equipment damage, nation-state capability. De-emphasize technical specifics; emphasize facility safety decisions and international coordination.

For Time-Constrained Groups:

Compress Rounds 3-4 into single “damage assessment and attribution” round. Focus on key discoveries without extensive facilitation. Accelerate toward facility shutdown decision and geopolitical discussion.

For Groups Familiar with ICS/OT Security:

Assume prior knowledge of SCADA architecture and industrial control systems. Emphasize geopolitical and attribution analysis. Introduce more sophisticated attack vectors and detection evasion techniques.


This planning document supports experienced IMs in delivering comprehensive facilitation for the most technically dense and historically significant scenario in the library.