Stuxnet Power Plant Maintenance Window - Planning Guide
Complete preparation guide for advanced nuclear critical infrastructure scenario
This planning document provides comprehensive facilitation guidance for running the Stuxnet Power Plant Maintenance Window scenario, featuring sophisticated air-gapped network compromise, industrial control system manipulation, and nation-state threat attribution during a critical maintenance window.
1. Quick Reference
Essential at-a-glance information for session setup
| Element | Details |
|---|---|
| Malmon | Stuxnet (Nuclear/Electric dual-type) |
| Difficulty Tier | Tier 3 (Expert) |
| Scenario Variant | Critical Infrastructure: Nuclear Power Plant |
| Organizational Context | Columbia River Power Station: 1,200 employees, regional power generation, nuclear safety regulatory environment |
| Primary Stakes | Nuclear safety systems + Regional power grid + National security |
| Recommended Formats | Full Game / Advanced Challenge |
| Essential NPCs | Dr. Catherine Walsh (Plant Manager), Robert Chen (Chief Nuclear Officer), Maria Rodriguez (Control Systems Engineer) |
| Optional NPCs | Andrew Thompson (Contractor Supervisor), Federal NRC Inspector, Regional Grid Operator, Nation-State Attribution Analyst |
Scenario Hook
Columbia River Power Station is completing annual maintenance with safety systems temporarily bypassed when sophisticated malware—introduced via contractor USB drives—begins spreading through air-gapped industrial control networks, threatening safe reactor restart and regional power supply.
Victory Condition
Team identifies sophisticated malware penetration of air-gapped networks, ensures nuclear safety systems are clean and trustworthy before reactor restart, maintains regulatory compliance, and provides actionable nation-state threat intelligence without compromising regional power grid operations.
2. Game Configuration Templates
Pre-configured settings for different session formats
Quick Demo Configuration (35-40 min)
Not recommended for this scenario. The complexity of air-gapped network compromise, nuclear safety systems, and nation-state attribution requires longer formats. Consider using a simpler Stuxnet variant for demonstration purposes.
Lunch & Learn Configuration (60-75 min)
Not recommended for this scenario. Nuclear critical infrastructure and sophisticated APT investigation require sustained attention and cannot be adequately experienced in an abbreviated format.
Full Game Configuration (120-140 min)
Pre-Configured Settings:
- Number of Rounds: 3 rounds
- Actions per Player: 2 actions per round
- Investigation Structure: Open with guided nuclear safety checkpoints
- Response Structure: Creative with regulatory compliance constraints
- Team Size: 5-6 players (full role complement)
- Success Mechanics: Dice/Cards with nuclear safety modifiers
- Evidence Type: Subtle with sophisticated concealment
- NPC Count: 4-5 (essential + 1-2 optional)
- Badge Tracking: On
Experience Focus: Complete immersive experience with sophisticated APT investigation, air-gapped network analysis, and nuclear safety considerations. Players balance technical investigation with regulatory compliance and national security implications.
Time Breakdown:
- Introduction & Roles: 10 min
- Scenario Briefing: 10 min
- Round 1 (Initial Discovery & Air-Gap Analysis): 30 min
- Round 2 (Deep Investigation & Attribution): 35 min
- Round 3 (Response & Safe Restart Decision): 30 min
- Standard Debrief: 10 min
- Advanced Discussion: 10 min
Facilitation Notes: Emphasize the unique challenge of air-gapped network compromise. Guide players to understand nuclear safety cannot be compromised for speed. Introduce nation-state attribution complexity progressively. Allow team to grapple with restart decision timeline pressure.
Advanced Challenge Configuration (150+ min)
Pre-Configured Settings:
- Number of Rounds: 4 rounds
- Actions per Player: 2 actions per round
- Investigation Structure: Complex multi-threaded (technical + regulatory + geopolitical)
- Response Structure: Innovative solutions required across multiple domains
- Team Size: 6+ players (expanded roles or specialized teams)
- Success Mechanics: Complex (Nuclear Safety Status + Network Security Status tracking)
- Evidence Type: Subtle with red herrings and nation-state operational security
- Attack Complexity: Multi-stage with zero-day exploits and physical manipulation
- NPC Count: 6+ with conflicting priorities
- Badge Tracking: On with critical infrastructure achievements
Experience Focus: Sophisticated challenge featuring advanced persistent threat analysis, zero-day exploit investigation, international attribution complexity, and critical infrastructure protection decision-making under extreme time pressure.
Time Breakdown:
- Introduction & Roles: 15 min
- Scenario Briefing: 15 min
- Round 1 (Initial Discovery & Anomaly Detection): 30 min
- Round 2 (Air-Gap Compromise Investigation): 35 min
- Round 3 (Attribution & Scope Assessment): 35 min
- Round 4 (Restart Decision & Long-Term Response): 30 min
- Extended Debrief: 20 min
- Advanced Discussion: 15 min
Facilitation Notes: Maximum complexity with minimal guidance. Introduce zero-day exploit analysis, nation-state operational security tradecraft, international incident response coordination, and regulatory reporting requirements. Challenge assumptions about air-gapped security. Facilitate difficult restart decision with incomplete information.
3. Scenario Overview
Opening Presentation
“It’s Wednesday morning at Columbia River Power Station. The annual maintenance outage is in its final 72 hours—nuclear reactors are offline, safety systems are being methodically tested, and dozens of contractors are completing equipment upgrades before the plant must restart to meet regional power demands.
Control Systems Engineer Maria Rodriguez is conducting routine safety system verification when she notices something unsettling. Centrifuge controls are responding… differently. Not wrong exactly, but with subtle timing variations she’s never seen before. When she mentions it to her supervisor, they discover similar anomalies in cooling system controls.
Within the hour, the cybersecurity team finds something far more alarming: network traffic on industrial control systems that should be completely air-gapped. Forensic analysis of contractor USB drives reveals sophisticated malware specifically designed for industrial control systems.
Plant Manager Dr. Catherine Walsh calls an emergency meeting. The maintenance window closes in 72 hours. The regional power grid is counting on reactor restart. Federal nuclear regulators are arriving for scheduled post-maintenance inspection. And sophisticated nation-state malware may have compromised the very systems that keep a nuclear facility safe.
Your incident response team has been called in to determine what happened, how deep the compromise goes, and whether it’s safe to restart a nuclear power plant while a nation-state adversary may still have access to critical safety systems.”
Initial Symptoms to Present
- Industrial control systems showing subtle anomalies during safety system testing that experienced engineers find “concerning but not obviously wrong”
- Centrifuge and cooling system controls responding with microsecond-level timing variations different from baseline behavior
- Network monitoring detecting unexpected traffic patterns on supposedly air-gapped industrial networks during maintenance diagnostics
- Contractor USB drives triggering security alerts when scanned with updated antivirus systems after maintenance work completion
- System logs showing access patterns inconsistent with scheduled maintenance activities and authorized personnel workflows
- Backup verification processes revealing unauthorized modifications to industrial control system configuration files
Organizational Context Details
Organization Profile:
- Name: Columbia River Power Station
- Type: Critical Infrastructure (Nuclear Power Generation)
- Size: 1,200 employees, two reactor units, regional power generation capacity serving 2+ million people
- Key Assets: Nuclear reactor control systems, industrial safety systems, air-gapped SCADA networks, regional power grid integration
- Regulatory Environment: Nuclear Regulatory Commission oversight, NERC CIP compliance, national security reporting requirements
Cultural Factors:
- Nuclear safety culture creates “stop work authority” where any safety concern halts operations regardless of business pressure
- Engineering excellence tradition means staff trust their instincts about “something not being right” with system behavior
- Maintenance window scheduling creates predictable periods when security controls are reduced for legitimate operational access
- Contractor integration necessary for specialized nuclear equipment creates supply chain security vulnerabilities
Malmon Characteristics in This Scenario
Stuxnet manifests as a sophisticated multi-stage attack specifically designed to compromise air-gapped industrial control networks during predictable maintenance windows when security is temporarily reduced. The malware demonstrates nation-state capabilities including four zero-day exploits, stolen digital certificates, and the ability to manipulate physical industrial processes while concealing attack signatures from operators.
Key Capabilities Demonstrated:
- Air-Gap Crossing: Uses infected USB drives introduced during contractor maintenance access to bridge isolated networks, spreading through removable media and local network protocols
- Industrial Control Manipulation: Targets specific industrial control systems (centrifuges, cooling systems) with precise understanding of normal operational parameters, causing physical changes while displaying false normal readings to operators
- Sophisticated Concealment: Employs rootkit techniques, stolen digital certificates, and zero-day exploits to evade detection while maintaining persistent access across system reboots and security scans
Vulnerabilities to Exploit:
- Specific Targeting: Malware is designed for particular industrial control system models, making it detectable through behavior analysis on systems it wasn’t specifically designed to compromise
- Physical Manifestation: While software concealment is sophisticated, actual physical manipulation of industrial processes (timing variations, unusual equipment behavior) creates observable anomalies that experienced operators notice
4. NPC Reference
Essential NPCs (Must Include)
NPC 1: Dr. Catherine Walsh (Plant Manager)
- Position: Overall plant operations manager, responsible for safe maintenance completion and restart authorization
- Personality: Decisive, safety-focused, comfortable making difficult calls under pressure but absolutely refuses to compromise nuclear safety for business timelines
- Agenda: Wants to restart on schedule to meet grid needs, but will extend maintenance indefinitely if safety is uncertain—needs team to give her confident answer about control system integrity
- Knowledge: Understands plant systems, regulatory requirements, and business pressures; knows maintenance window scheduling is predictable and could be targeted
- Pressure Point: Her professional reputation and nuclear license depend on never authorizing unsafe restart, but regional power shortages affect millions
- IM Portrayal Notes: Play her as the ultimate decision-maker who needs clear, confident technical assessment. She asks direct questions: “Can I safely restart these reactors, yes or no?” Use her to create tension between business timelines and absolute safety requirements.
NPC 2: Robert Chen (Chief Nuclear Officer)
- Position: Oversees all nuclear safety systems, regulatory compliance, and federal reporting requirements
- Personality: Methodical, regulation-focused, conservative in risk assessment, deeply concerned about nation-state threats to critical infrastructure
- Agenda: Wants comprehensive investigation and federal coordination before restart; concerned about regulatory reporting requirements and potential national security implications
- Knowledge: Nuclear safety protocols, NRC reporting requirements, critical infrastructure protection guidelines; understands nation-state targeting of nuclear facilities
- Pressure Point: Personal and professional responsibility for nuclear safety, federal regulatory career implications, concern about broader targeting of nuclear infrastructure
- IM Portrayal Notes: Use Robert to raise regulatory and national security considerations. He introduces federal reporting requirements and asks about attribution: “If this is nation-state activity, we need FBI and DHS involvement immediately.”
NPC 3: Maria Rodriguez (Control Systems Engineer)
- Position: Industrial control system specialist, responsible for safety system testing and validation during maintenance
- Personality: Detail-oriented, intuitive about system behavior, trusts her technical instincts even when data looks normal
- Agenda: Wants to understand the subtle anomalies she’s detecting; concerned that something sophisticated is hiding in plain sight
- Knowledge: Deep technical knowledge of industrial control systems, normal operational baselines, air-gapped network architecture; detected initial anomalies through experience-based intuition
- Pressure Point: Professional pride in catching subtle problems others miss; concern that sophisticated attack could cause physical damage she’d feel responsible for
- IM Portrayal Notes: Maria is the technical detective who noticed something others missed. Use her to provide deep technical insights and validation of player investigation approaches. She says things like: “The timing is off by milliseconds—most people wouldn’t notice, but I’ve worked with these systems for fifteen years.”
Optional NPCs (Add Depth)
NPC 4: Andrew Thompson (Contractor Supervisor)
- Position: Third-party maintenance contractor supervisor managing equipment upgrades during outage
- Personality: Defensive about security protocols, concerned about liability, cooperative once he understands severity
- Agenda: Wants to demonstrate contractors followed proper procedures; concerned about blame and future contract relationships
- Knowledge: Contractor access procedures, USB device usage during maintenance, equipment upgrade processes
- Pressure Point: Professional reputation, contract renewal, potential legal liability for security breach
- IM Portrayal Notes: Initially defensive (“We follow all your security procedures!”) but becomes helpful ally when he realizes the sophistication of the threat. Can provide crucial timeline and access information.
NPC 5: Federal NRC Inspector
- Position: Nuclear Regulatory Commission safety inspector conducting scheduled post-maintenance verification
- Personality: By-the-book regulator, concerned about cybersecurity implications for nuclear safety
- Agenda: Must verify plant safety before restart authorization; concerned about precedent of cyber-compromised nuclear facility
- Knowledge: Federal nuclear safety regulations, industry-wide cybersecurity concerns, reporting requirements
- Pressure Point: Federal regulatory authority, public safety responsibility, potential national security implications
NPC 6: Regional Grid Operator
- Position: Manages regional electrical grid and coordinates power generation schedules
- Personality: Operationally focused, concerned about grid stability, doesn’t understand cybersecurity nuances
- Agenda: Needs plant restart to meet increasing electricity demand; concerned about potential rolling blackouts
- Knowledge: Regional power supply situation, alternative generation capacity, public impact of power shortages
- Pressure Point: Responsibility for regional grid stability, public pressure during power shortage warnings
NPC Interaction Guidelines
When to introduce NPCs:
- Dr. Walsh (Immediately): Opens scenario by briefing team on maintenance status and anomaly discovery
- Robert Chen (Round 1): Appears when initial investigation suggests sophisticated attack, raises regulatory/national security concerns
- Maria Rodriguez (Round 1-2): Available throughout for technical consultation, provides deep system behavior insights
- Andrew Thompson (Round 2): Called in when investigation focuses on infection vector and contractor access
- Federal Inspector (Round 2-3): Arrives for scheduled inspection, becomes aware of incident, raises regulatory stakes
- Grid Operator (Round 3): Calls during response phase to inquire about restart schedule, creates time pressure
How NPCs advance the plot:
- Dr. Walsh forces restart decision point in Round 3: “I need your recommendation—restart or extend maintenance?”
- Robert Chen escalates national security implications: “If this is nation-state targeting of nuclear infrastructure, federal agencies need immediate notification”
- Maria Rodriguez provides technical validation and breakthrough insights when team investigation approaches correct answers
- NPC conflicts create realistic pressure: Grid operator wants speed, NRC inspector wants certainty, plant manager must balance both
5. Investigation Timeline
Guided evidence delivery for structured formats (Full Game, Advanced Challenge)
Round 1: Discovery Phase
Automatic Reveals (present to all teams):
- Control System Anomalies: Industrial control systems showing subtle timing variations in centrifuge controls and cooling systems—not failures, but measurable differences from established baseline behavior during safety testing
- Network Traffic Discovery: Monitoring systems detect unexpected communication patterns on air-gapped industrial networks during maintenance diagnostics, suggesting network isolation has been compromised
Detective Investigation Leads:
- Forensic analysis of contractor USB drives reveals sophisticated multi-component malware with digital signatures from legitimate software vendors (stolen certificates)
- Timeline correlation shows malware presence began within 48 hours of maintenance window opening when contractor access increased
- Code analysis reveals malware specifically targets industrial control system models used in nuclear facilities—not generic malware but purpose-built for critical infrastructure
Protector System Analysis:
- Industrial control system integrity verification reveals unauthorized configuration modifications to centrifuge speed controls and cooling system parameters
- Security baseline comparison shows four previously unknown vulnerabilities being exploited (zero-day exploits) across industrial control platforms
- Air-gap architecture review reveals temporary network bridges created during maintenance for legitimate software updates became attack vector
Tracker Network Investigation:
- Network traffic analysis shows covert peer-to-peer communication across supposedly isolated systems using local network protocols designed for air-gapped environments
- Command structure analysis reveals sophisticated multi-stage infection: reconnaissance phase complete, currently in persistence establishment phase
- No external command and control detected—malware operates autonomously with pre-programmed objectives suggesting advanced persistent threat planning
Communicator Stakeholder Insights:
- Maria Rodriguez explains she first noticed anomalies because “the timing felt wrong” during safety system testing—experienced operator intuition detected what automated systems missed
- Maintenance contractors describe standard procedures that inadvertently created opportunities: “We always update software during outages—air-gap security gets relaxed for legitimate maintenance access”
- Nuclear regulatory staff emphasize federal reporting requirements: “Cyber incidents affecting nuclear safety systems require immediate NRC and DHS notification”
Crisis Manager Coordination Discoveries:
- Maintenance window timeline: 72 hours remaining until scheduled reactor restart, with regional grid counting on power generation resumption
- Impact assessment: If restart is delayed, regional grid has 96-hour reserve capacity before potential rolling blackouts affecting 2+ million people
- Scope evaluation: Both reactor units affected, all air-gapped industrial control networks potentially compromised, complete system validation required before safe restart
Threat Hunter Proactive Findings:
- Malware code analysis reveals nation-state indicators: four zero-day exploits, stolen digital certificates, specific targeting of nuclear industrial control systems
- Similar attack patterns identified in intelligence reports of nation-state targeting of critical infrastructure during predictable maintenance windows
- Advanced persistent threat methodology suggests long-term planning, extensive reconnaissance, and potential broader campaign against nuclear facilities
Round 2: Investigation Phase
Automatic Reveals:
- Scope Expansion: Additional forensic analysis reveals malware has established persistence across all major industrial control systems—not just centrifuges and cooling, but also reactor protection systems and emergency shutdown controls
- Physical Manipulation Evidence: Detailed system logs show malware has been conducting subtle “tests” of physical manipulation capabilities—brief microsecond-level changes to equipment speeds that were concealed from operators
Detective Investigation Leads:
- Deep malware analysis reveals multi-stage attack plan embedded in code: Stage 1 (infiltration—complete), Stage 2 (reconnaissance and persistence—current), Stage 3 (physical manipulation during reactor restart—scheduled)
- Attribution forensics identify code signatures, language artifacts, and targeting priorities consistent with specific nation-state advanced persistent threat group
- Incident timeline reconstruction shows sophisticated operational security: attack planned around publicly available maintenance schedules, activated during window when security controls predictably reduced
Protector System Analysis:
- Comprehensive industrial control system scan reveals malware rootkit components hiding in firmware layers beneath standard antivirus detection
- Safety system validation testing shows malware capability to display false normal readings while manipulating actual physical processes—sophisticated sensor spoofing
- Recovery analysis indicates complete system rebuild required from verified clean backups, estimated 7-10 days for full industrial control network restoration
Tracker Network Investigation:
- Network forensics reveal complete map of air-gapped network compromise: every isolated system reached through USB propagation during maintenance contractor access
- Command logic analysis shows malware designed to activate physical manipulation during reactor startup sequence—targeting moment of maximum vulnerability
- No persistent external access required—malware operates as autonomous weapon system with pre-programmed attack objectives
Communicator Stakeholder Insights:
- Andrew Thompson (Contractor Supervisor) provides detailed timeline of maintenance activities and USB device usage, inadvertently mapping infection vector
- Federal NRC Inspector arrives for scheduled post-maintenance safety verification, becomes aware of incident, expresses concern about national precedent of cyber-compromised nuclear facility
- Regional Grid Operator begins inquiring about restart schedule, mentioning increased electricity demand and limited alternative generation capacity
Crisis Manager Coordination Discoveries:
- Federal reporting requirements initiated: NRC, DHS CISA, FBI all require formal incident notification and ongoing coordination
- Business impact assessment: Each day of maintenance extension costs $2M in replacement power, but unsafe restart risks catastrophic consequences
- Media management concern: Nuclear cybersecurity incident will attract significant public and media attention once federal reporting becomes public
Threat Hunter Proactive Findings:
- Intelligence analysis suggests this specific facility may have been targeted due to strategic importance to regional power grid and national defense infrastructure
- Broader threat assessment identifies similar targeting patterns at other nuclear facilities—potential coordinated campaign against critical infrastructure
- Geopolitical context analysis reveals nation-state adversary motivations: demonstrate critical infrastructure vulnerability, gather intelligence on industrial control systems, potential future disruption capability
Round 3: Response Phase
Automatic Reveals:
- Decision Point: Plant Manager Dr. Walsh formally requests incident response team recommendation: “72-hour maintenance window expires in 18 hours. Based on your investigation, can I safely authorize reactor restart, or must we extend maintenance indefinitely?”
- Pressure Escalation: Regional Grid Operator reports electricity demand forecasts require plant restart within 48 hours to avoid potential rolling blackouts affecting residential and hospital power
Evidence Based on Player Actions:
- If team recommends comprehensive system rebuild: Dr. Walsh supports decision, extends maintenance 10 days, coordinates with grid operator for alternative power arrangements
- If team attempts rapid malware removal: Maria Rodriguez expresses concern that sophisticated rootkit components may remain hidden in firmware layers
- If team focuses on attribution: Robert Chen coordinates federal intelligence sharing but emphasizes immediate priority is safe plant operations
- If team proposes partial restart: NRC Inspector indicates federal regulations prohibit reactor restart with any uncertainty about safety system integrity
Malware Behavior Evolution:
- If detection approaches succeed: Malware remains dormant in persistence mode, attempting to avoid triggering additional security alerts
- If restart is attempted without complete remediation: Malware activates physical manipulation routines during startup sequence, creating safety system anomalies that force emergency shutdown
- If comprehensive system rebuild initiated: Malware eradication successful, but 10-day timeline and federal investigation create sustained operational impact
Final Complications (Advanced Challenge):
- Intelligence agencies request team preserve evidence for attribution analysis, potentially conflicting with rapid recovery priorities
- Media reports emerge about “cybersecurity incident at nuclear facility,” creating public concern and political pressure
- Nation-state adversary becomes aware of detection, may attempt additional compromise or destruction of evidence
6. Response Options
Pre-defined approaches for guided formats, inspiration for open formats
Type-Effective Approaches
Most Effective (Electric/Behavioral Strength):
- Comprehensive System Rebuild from Verified Clean Backups: Complete industrial control system restoration using offline verified backups, 7-10 day timeline—most reliable method for sophisticated rootkit eradication (DC 12, high success rate but extended timeline)
- Behavior-Based Anomaly Detection with Experienced Operator Validation: Leverage Maria Rodriguez’s expertise to establish sophisticated baseline monitoring that detects subtle manipulation attempts even if malware remains (DC 14, requires ongoing vigilance but enables safer restart)
Moderately Effective:
- Targeted Malware Removal with Firmware Validation: Focus on identifying and removing specific malware components while validating firmware integrity—faster than full rebuild but risks missing sophisticated persistence mechanisms (DC 16, partial success likely)
- Enhanced Air-Gap Security with Physical USB Control: Implement strict physical security controls for removable media and temporary network connections; this prevents future compromise but does not address the current infection (DC 12 for prevention, doesn’t resolve immediate threat)
Least Effective (Nuclear Resistance):
- Signature-Based Antivirus Detection: Sophisticated nation-state malware uses zero-day exploits and stolen certificates to evade signature detection—standard antivirus tools cannot detect or remove this threat (DC 20, very low success rate)
- Rapid Restart with “Enhanced Monitoring”: Attempting reactor restart while sophisticated malware maintains potential safety system access creates unacceptable nuclear safety risk (Automatic failure, NRC Inspector prohibits)
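The behavior-based approach above rests on two checks: cycle timing compared against a baseline the engineers vouch for, and operator-facing readings compared against an independent physical reference so that falsified "normal" values stand out. The detector below is an added illustration for facilitators, not code from the scenario guide or from any real plant system; the telemetry, field names, and thresholds are constructed for the example.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Sample:
    """One control-loop observation (field names are this example's own)."""
    t_ms: float      # timestamp of the control cycle, milliseconds
    hmi_rpm: float   # speed as displayed to the operator by the HMI/SCADA host
    ref_rpm: float   # speed from an independent, out-of-band tachometer


def make_samples(intervals_ms, hmi_rpm, ref_rpm):
    """Build Sample objects from per-cycle intervals (constructed-data helper)."""
    samples, t = [], 0.0
    for gap, h, r in zip([0.0] + list(intervals_ms), hmi_rpm, ref_rpm):
        t += gap
        samples.append(Sample(t, h, r))
    return samples


def cycle_intervals(samples):
    """Milliseconds between consecutive control cycles."""
    return [b.t_ms - a.t_ms for a, b in zip(samples, samples[1:])]


def build_baseline(samples):
    """Learn normal cycle timing from a window the engineers have verified."""
    gaps = cycle_intervals(samples)
    return {"interval_mean": mean(gaps), "interval_std": pstdev(gaps)}


def detect_anomalies(samples, baseline, z_threshold=4.0, rpm_tolerance=5.0):
    """Flag (a) cycle-timing jitter far outside the baseline and
    (b) HMI readings that disagree with the independent reference sensor."""
    findings = []
    std = max(baseline["interval_std"], 1e-9)  # guard against a zero-jitter baseline
    for i, gap in enumerate(cycle_intervals(samples), start=1):
        z = abs(gap - baseline["interval_mean"]) / std
        if z > z_threshold:
            findings.append({"index": i, "kind": "timing",
                             "detail": f"cycle gap {gap:.1f} ms, z={z:.1f}"})
    for i, s in enumerate(samples):
        if abs(s.hmi_rpm - s.ref_rpm) > rpm_tolerance:
            findings.append({"index": i, "kind": "sensor_mismatch",
                             "detail": f"HMI shows {s.hmi_rpm:.0f} rpm, "
                                       f"reference sensor reads {s.ref_rpm:.0f} rpm"})
    return sorted(findings, key=lambda f: (f["index"], f["kind"]))


# --- constructed telemetry, not real plant data ---------------------------
# Baseline: 18 clean cycles at roughly 100 ms with small benign jitter.
BASELINE = make_samples([100.0, 100.2, 99.8] * 6, [1000.0] * 19, [1000.0] * 19)

# Observed window: one stretched cycle (sample 5) and two cycles (6, 7) where the
# HMI keeps reporting 1000 rpm while the out-of-band sensor sees 1064 rpm.
OBSERVED = make_samples(
    [100.0, 100.2, 99.8, 100.0, 101.0, 99.8, 100.0, 100.2, 99.8],
    [1000.0] * 10,
    [1000.0] * 6 + [1064.0] * 2 + [1000.0] * 2,
)


if __name__ == "__main__":
    for f in detect_anomalies(OBSERVED, build_baseline(BASELINE)):
        print(f"sample {f['index']:2d}  {f['kind']:16s} {f['detail']}")
```

The reference sensor must sit outside the compromised network for the second check to mean anything; a reading sourced from the same HMI host would simply mirror the spoofed value.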
Creative Response Guidance
Encourage player innovation in these areas:
- Hybrid Operating Modes: Team might propose partial facility restart using only verified clean systems while compromised systems undergo comprehensive rebuild—creative risk management balancing grid needs with safety
- Deception and Honeypot Techniques: Setting up monitored decoy systems to observe malware behavior and gather attribution intelligence while protecting actual safety systems
- International Coordination: Engaging with other nuclear facilities and international partners who may have faced similar targeting to gather intelligence and coordinate defensive strategies
Common creative solutions players develop:
- Staged Restart with Progressive Validation: Proposing incremental reactor startup with extensive monitoring at each phase, allowing early detection of manipulation attempts before reaching dangerous operational states
- External Expert Augmentation: Requesting specialized industrial control system forensics teams from national labs or federal agencies to accelerate investigation and validation timeline
- Parallel Track Strategy: Simultaneously pursuing comprehensive system rebuild (slow but certain) while attempting targeted remediation (fast but risky) to maintain restart optionality
7. Round-by-Round Facilitation Guide
Round 1: Discovery
Opening Narration:
“It’s Wednesday morning at Columbia River Power Station. Plant Manager Dr. Catherine Walsh calls you into an emergency meeting. ‘We have 72 hours until scheduled reactor restart,’ she begins, ‘but our control systems engineer just reported something concerning. During routine safety testing, she noticed subtle anomalies—nothing obviously broken, but timing variations she’s never seen before. Then cybersecurity found network traffic on systems that should be completely air-gapped. We need to know what’s happening and whether it’s safe to restart these reactors.’ She looks directly at your team. ‘The regional grid is counting on us, but nuclear safety is non-negotiable. Tell me what you find.’”
IM Questions to Ask:
- “Maria Rodriguez is describing the subtle timing anomalies she detected during centrifuge testing. What aspects of her technical description interest you, and how would you verify her concerns?”
- “You’re looking at industrial control systems that should be completely isolated from any network. How does malware spread across air-gapped systems, and what does that tell you about this threat?”
- “The malware code shows four zero-day exploits and stolen digital certificates. What does that level of sophistication suggest about who’s behind this attack and their capabilities?”
Expected Player Actions:
- Forensic Analysis of USB Devices: Reveal multi-stage malware specifically designed for industrial control systems with nation-state sophistication indicators
- Industrial Control System Integrity Verification: Discover unauthorized configuration modifications to safety systems and rootkit-level persistence
- Network Traffic Analysis: Map complete scope of air-gapped network compromise through contractor-introduced infection vectors
- Stakeholder Interviews: Gather timeline information about maintenance window access patterns and procedural vulnerabilities
Malmon Identification Moment:
“As you analyze the malware code, the pieces come together. This isn’t opportunistic cybercrime—it’s Stuxnet, the sophisticated nation-state weapon specifically designed to compromise air-gapped industrial control systems. The USB infection vector, the zero-day exploits, the targeting of nuclear facility equipment during predictable maintenance windows—all signature Stuxnet capabilities. You’re dealing with a nation-state adversary who planned this attack specifically to compromise nuclear safety systems.”
Round Conclusion:
“Your initial investigation reveals the scope of the compromise: malware has spread across all air-gapped industrial control networks, established persistence in critical safety systems, and appears designed to manipulate physical processes during reactor restart. Dr. Walsh’s expression is grim. ‘So we have sophisticated nation-state malware in our nuclear safety systems, and I’m supposed to restart two reactors in 54 hours?’ She looks to Robert Chen, the Chief Nuclear Officer. ‘Get federal agencies involved immediately. And find out exactly what this malware is capable of doing to our reactors.’ The investigation deepens as you race against both the maintenance deadline and a nation-state adversary.”
Round 2: Investigation
Situation Update:
“Eighteen hours into the investigation, the picture becomes more concerning. Deep forensic analysis reveals the malware has a multi-stage attack plan embedded in its code—and you’re currently in Stage 2. Stage 3 is scheduled to activate during reactor startup sequence. Maria Rodriguez explains: ‘The malware has been conducting micro-tests of physical manipulation capabilities while we’ve been in maintenance mode. Brief, momentary changes to equipment speeds, hidden from operators by falsified sensor readings. It’s been preparing to do something during reactor restart.’ The Federal NRC Inspector has arrived for scheduled post-maintenance verification and is now aware of the incident. The maintenance window expires in 54 hours.”
IM Questions to Ask:
- “The malware code shows Stage 3 activates during reactor startup. What are you most concerned about regarding physical manipulation of nuclear safety systems during that critical transition phase?”
- “You’ve found sophisticated rootkit components hiding in firmware layers beneath standard detection tools. What does that mean for remediation options and timeline to safe restart?”
- “Attribution analysis points to a specific nation-state adversary. How does that change your response strategy, and what additional considerations come into play?”
Pressure Points to Introduce:
- Federal Regulatory Requirement: NRC Inspector emphasizes that federal regulations absolutely prohibit reactor restart with any uncertainty about safety system integrity—no exceptions for business timelines
- Grid Operator Concern: Regional Grid Operator calls to confirm restart schedule, mentions forecast requiring plant power within 48 hours to prevent potential rolling blackouts
- Intelligence Request: FBI and DHS request team preserve attack evidence for attribution analysis and intelligence gathering about nation-state capabilities
Round Conclusion:
“Your deep investigation has mapped the complete attack: sophisticated nation-state malware across all air-gapped systems, rootkit persistence in firmware layers, embedded attack plan targeting reactor startup, and evidence suggesting broader campaign against nuclear facilities. You understand both the threat capabilities and the remediation challenges. Dr. Walsh calls another meeting. ‘I need your recommendation. We have three options: attempt rapid malware removal and meet the 72-hour restart deadline, pursue comprehensive system rebuild with 10-day maintenance extension, or find some middle ground. Tell me what’s technically feasible and what’s safe.’ The moment of decision approaches.”
Round 3: Response
Critical Decision Point:
“The maintenance window expires in 18 hours. Dr. Catherine Walsh sits across from your team with the Chief Nuclear Officer, the Federal NRC Inspector, and representatives from the Regional Grid Operator. ‘I need your formal recommendation,’ she states clearly. ‘Can we safely restart these reactors within the maintenance window, or must we extend maintenance indefinitely? I will not compromise nuclear safety, but I need to understand our realistic options. What do you recommend, and what’s your confidence level?’”
IM Questions to Ask:
- “What level of certainty about safety system integrity do you need before recommending nuclear reactor restart, and can you achieve that within the remaining timeline?”
- “How do you balance the competing priorities: regional power grid reliability, absolute nuclear safety, federal regulatory compliance, and intelligence gathering about nation-state threats?”
- “If you recommend extended maintenance, what specific validation criteria would you require before authorizing reactor restart?”
Success and Failure Branches:
If team recommends comprehensive system rebuild:
“Dr. Walsh nods decisively. ‘I agree. We don’t restart with any uncertainty about nuclear safety systems.’ She turns to the Regional Grid Operator. ‘Coordinate alternative power arrangements for 10 days. We’re extending maintenance until complete system validation.’ The NRC Inspector supports the decision. Your team coordinates the comprehensive rebuild from verified clean backups, working with federal forensics teams to preserve attribution evidence while ensuring complete malware eradication. The restart delay creates regional power challenges, but nuclear safety is maintained throughout.”
If team proposes innovative staged approach:
“Dr. Walsh considers your proposal carefully. ‘So you’re suggesting we validate specific safety-critical systems first, restart with enhanced monitoring, and complete comprehensive rebuild of secondary systems during operation?’ She looks to the NRC Inspector, who responds: ‘That could work if—and only if—you can demonstrate absolute confidence in reactor protection system integrity.’ Your team develops detailed validation protocols, working with Maria Rodriguez to establish sophisticated behavior-based monitoring. It’s a high-wire act balancing safety and operational needs, but your careful approach succeeds.”
If team attempts rapid remediation without sufficient validation:
“The NRC Inspector intervenes. ‘I cannot authorize reactor restart without complete validation of safety system integrity. The regulations are clear, and given the sophistication of this nation-state threat, I need certainty, not speed.’ Dr. Walsh supports the regulatory position. ‘We extend maintenance until we’re confident. The grid will manage.’ Your team’s technical approach was sound, but you learned that in nuclear operations, regulatory compliance and absolute safety requirements override business timelines.”
Resolution Narration:
“Two weeks later, Columbia River Power Station completes reactor restart with completely validated industrial control systems. Your comprehensive response not only protected nuclear safety but provided critical intelligence about nation-state critical infrastructure targeting. The FBI attributes the attack, DHS shares defensive intelligence across the nuclear sector, and your team’s MalDex entry on Stuxnet air-gapped network compromise becomes required reading for critical infrastructure defenders nationwide. The regional grid experienced temporary challenges during the extended maintenance, but the alternative—a cyber-compromised nuclear facility—was unthinkable. Dr. Walsh sends a personal message: ‘Thank you for helping us make the right decision when the pressure was enormous.’”
Round 4+ (Advanced Challenge Only)
Round 4: Long-Term Response and Sector Coordination
“Three months after the incident, you’re called back to Columbia River Power Station. Your successful response has led to a broader mission: DHS and the Nuclear Regulatory Commission want you to help develop sector-wide defenses against nation-state targeting of nuclear facilities. Intelligence suggests the attack on Columbia River was part of a broader campaign—reconnaissance for potential future disruption of critical infrastructure.”
Advanced Challenge Elements:
- Develop comprehensive air-gapped network security protocols that maintain operational requirements while preventing USB-based compromise vectors
- Create behavior-based anomaly detection systems that leverage experienced operator expertise (like Maria Rodriguez) to catch sophisticated manipulation attempts
- Design incident response playbooks for nuclear sector that balance competing priorities: safety, regulatory compliance, intelligence gathering, and operational continuity
- Coordinate international information sharing about nation-state critical infrastructure targeting while protecting sensitive operational details
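The first challenge element above asks the team to design controls that keep removable media from carrying malware across the air gap. The following added example (not part of the original scenario materials) shows what the technical core of such a protocol looks like: before any contractor media is mounted on the isolated network, every file is hashed and admitted only if it matches a vendor-supplied allowlist, while shortcut and autorun files are refused outright because they execute or are parsed on insertion (the real Stuxnet abused Windows shortcut icon parsing, CVE-2010-2568, for exactly this). The directory layout, file contents, allowlist and the assumption that the allowlist arrives by a channel separate from the media are all constructed for the example.

```python
"""Removable-media admission check for an air-gapped ICS network (added example)."""
import hashlib
import os
import tempfile

# Hypothetical policy for the example: files are admitted only if their SHA-256 is on
# an allowlist delivered separately from the media (e.g., on vendor letterhead or a
# signed manifest); shortcut, screensaver and autorun files are never admitted.
BLOCKED_NAMES = {"autorun.inf"}
BLOCKED_EXTENSIONS = {".lnk", ".scr", ".pif"}


def sha256_file(path):
    """Stream-hash a file so large firmware images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_media(root, allowlist):
    """Classify every file on the mounted media as approved, unknown or blocked."""
    result = {"approved": [], "unknown": [], "blocked": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            lower = name.lower()
            ext = os.path.splitext(lower)[1]
            if lower in BLOCKED_NAMES:
                result["blocked"].append((rel, "autorun file triggers execution on insertion"))
            elif ext in BLOCKED_EXTENSIONS:
                result["blocked"].append((rel, "shortcut/executable stub parsed by the shell"))
            elif sha256_file(path) in allowlist:
                result["approved"].append(rel)
            else:
                result["unknown"].append(rel)
    for key in result:
        result[key].sort()
    return result


def media_admitted(result):
    """Admit the media only if every file is allowlisted: an unknown file is treated
    as hostile, not merely unverified, because the air gap is the last control."""
    return not result["unknown"] and not result["blocked"]


def build_sample_media():
    """Construct a throwaway directory standing in for a contractor USB drive.
    All contents are sample data made up for this example."""
    root = tempfile.mkdtemp(prefix="usb_")
    os.makedirs(os.path.join(root, "update"))
    os.makedirs(os.path.join(root, "tools"))
    files = {
        "update/firmware_v2.bin": b"vendor firmware payload v2\n",            # allowlisted
        "tools/diag.exe": b"MZ\x90\x00constructed unsigned diagnostic tool",   # not allowlisted
        "readme.lnk": b"L\x00\x00\x00constructed shortcut",                    # always blocked
        "autorun.inf": b"[autorun]\nopen=tools/diag.exe\n",                   # always blocked
    }
    for rel, content in files.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as f:
            f.write(content)
    allowlist = {hashlib.sha256(files["update/firmware_v2.bin"]).hexdigest()}
    return root, allowlist


if __name__ == "__main__":
    media_root, approved_hashes = build_sample_media()
    findings = scan_media(media_root, approved_hashes)
    print(findings)
    print("admitted:", media_admitted(findings))
```

In practice the scan runs on a dedicated kiosk that is itself rebuilt from a known-good image between uses, and the approved files are copied onto plant-owned media rather than admitting the contractor's drive; the hash allowlist only protects against tampered or unexpected files, not against a vendor whose own build was compromised, which is the supply-chain vector the debrief section names separately.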
Nation-State Adversary Evolution:
- Intelligence indicates the adversary has learned that the attack was detected and analyzed, and may accelerate development of more sophisticated industrial control system malware in response
- Geopolitical context evolves: diplomatic channels address nation-state critical infrastructure targeting, creating tension between intelligence attribution and diplomatic considerations
- Broader critical infrastructure protection: What you learned at nuclear facility has implications for power grid, water systems, and other industrial control environments
8. Pacing & Timing Notes
Time Management Strategies
If Running Long:
- Condense Round 2 attribution analysis—provide nation-state intelligence as automatic reveal rather than requiring deep investigation
- Streamline NPC interactions—combine Federal Inspector and Grid Operator into single pressure point conversation
- Fast-forward through technical malware analysis details—provide summary of capabilities rather than detailed forensic walkthrough
- Abbreviate final resolution narration—focus on immediate restart decision rather than extended sector-wide implications
If Running Short:
- Expand technical investigation with detailed malware code analysis, zero-day exploit examination, and firmware rootkit investigation
- Add NPC complexity: introduce conflicting priorities between Plant Manager (safety), Grid Operator (reliability), and Federal Inspector (regulatory compliance)
- Develop attribution investigation: deep dive into nation-state adversary tradecraft, intelligence indicators, and geopolitical context
- Extend response planning: have team develop comprehensive recovery timeline with detailed validation checkpoints
If Team is Stuck:
- On air-gap compromise mechanism: Have Maria Rodriguez explain: “The only thing that crosses air gaps is removable media—USB drives that contractors use during maintenance for legitimate software updates”
- On malware sophistication: Provide automatic reveal of zero-day exploits and stolen certificates: “This level of sophistication indicates nation-state resources and advanced persistent threat capabilities”
- On restart decision: Have Dr. Walsh ask directly: “Given what you know about malware persistence and the 18-hour timeline, what’s your confidence level we can achieve safe restart?”
- On nuclear safety implications: Have NRC Inspector emphasize: “The regulations are absolute—we don’t restart with any uncertainty about safety system integrity, regardless of business pressure”
Engagement Indicators
Positive Signs:
- Team debates restart decision with genuine consideration of competing priorities (safety vs. grid reliability vs. timeline)
- Players demonstrate understanding of air-gapped network security concepts and why USB-based compromise is significant
- Discussion includes nation-state attribution implications and critical infrastructure protection beyond immediate incident
- Team coordinates role-based investigation (Detective on malware forensics, Protector on system integrity, Tracker on network scope)
Warning Signs:
- Team attempts to oversimplify nuclear safety (“just scan for the malware and restart”)—intervention needed to convey sophistication of rootkit persistence
- Confusion about air-gapped networks and infection vectors—Maria Rodriguez can clarify technical concepts
- Frustration with regulatory constraints or timeline pressure—Dr. Walsh can emphasize that nuclear safety culture is non-negotiable
- Team avoids attribution discussion, missing nation-state implications—Robert Chen can raise national security considerations
9. Debrief Discussion Points
Critical Learning Objectives
Technical Concepts:
- Air-Gapped Network Security: Understanding that physical network isolation (air gaps) can be compromised through removable media, temporary connections, and supply chain vectors—no system is perfectly isolated
- Industrial Control System Vulnerabilities: Learning how malware specifically designed for industrial environments can manipulate physical processes while concealing attack signatures from operators
- Nation-State APT Capabilities: Recognizing sophistication indicators (zero-day exploits, stolen certificates, specific targeting) that distinguish nation-state threats from conventional cybercrime
- Rootkit Persistence: Understanding how sophisticated malware can establish firmware-level persistence beneath standard detection tools, requiring comprehensive system rebuild rather than simple removal; note that reinstalling the operating system alone does not clear firmware-level persistence, so a credible rebuild includes reflashing or replacing firmware and verifying it against vendor-published known-good images
Collaboration Skills:
- Multi-Stakeholder Coordination: Balancing competing priorities from plant operations (restart timeline), federal regulators (absolute safety), grid operators (reliability), and intelligence agencies (attribution)
- Role-Based Technical Investigation: Coordinating Detective (malware forensics), Protector (system integrity), Tracker (network scope), and Threat Hunter (attribution analysis) expertise for comprehensive threat assessment
- Decision-Making Under Uncertainty: Making critical recommendations (restart vs. extend maintenance) with incomplete information and significant time pressure
Reflection Questions
Scenario-Specific:
- “When Maria Rodriguez first mentioned subtle timing anomalies that ‘felt wrong,’ what made you take that seriously versus dismissing it as operator perception? What does that tell you about the value of experienced expertise in detecting sophisticated threats?”
- “You discovered malware designed to activate during reactor startup—the moment of maximum operational vulnerability. What does that level of targeting specificity tell you about nation-state threat planning and reconnaissance?”
- “Dr. Walsh asked for your restart recommendation with 18 hours remaining in the maintenance window. Walk through your decision-making process: what factors did you weigh, and what gave you confidence (or lack of confidence) in your recommendation?”
- “The attack compromised air-gapped networks during a predictable maintenance window when security controls were temporarily reduced. What does that reveal about operational security challenges in critical infrastructure environments?”
Real-World Connections:
- “The real Stuxnet attack, discovered in 2010, targeted the uranium enrichment centrifuges at Iran’s Natanz facility rather than a power reactor, and demonstrated nation-state capability to compromise air-gapped industrial control systems and cause physical damage. How does that historical precedent inform current critical infrastructure protection strategies?”
- “What are the implications of nation-state adversaries developing sophisticated industrial control system malware for long-term critical infrastructure security? How should organizations balance operational requirements with security in air-gapped environments?”
- “In your professional environment, where do you have systems or processes that rely on ‘air-gap’ security assumptions? What would USB-based compromise vectors mean for those security models?”
- “This scenario involved balancing nuclear safety (absolute priority), regulatory compliance (non-negotiable), business timelines (important), and intelligence gathering (strategic). How do you handle similar competing priorities in real incident response?”
MalDex Documentation Prompts
Encourage teams to document:
- Air-Gap Compromise Investigation: Techniques for detecting and analyzing removable media-based infection vectors in supposedly isolated industrial control networks
- Behavior-Based Anomaly Detection: How experienced operator expertise (like Maria Rodriguez’s intuition) can detect sophisticated manipulation attempts that automated systems miss
- Nation-State Attribution Analysis: Sophistication indicators (zero-day exploits, stolen certificates, specific targeting) that distinguish advanced persistent threats from conventional malware
- Critical Infrastructure Decision Framework: Approach for balancing competing priorities (safety, compliance, operations, intelligence) when making restart/recovery recommendations under time pressure
- Rootkit Persistence Remediation: Lessons learned about comprehensive system rebuild requirements for firmware-level malware versus attempted rapid removal
- Regulatory Coordination: Best practices for working with federal agencies (NRC, DHS, FBI) during critical infrastructure cybersecurity incidents
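The behavior-based anomaly detection prompt above asks teams to capture how an operator’s sense that readings “feel wrong” can be turned into a check. The following added example (constructed for this guide, not part of the original scenario or any plant’s tooling) encodes the two observations an experienced operator relies on: genuine sensor noise never repeats bit-for-bit, so an exact repeat of an earlier run of samples means stored values are being played back to the HMI; and an operator-facing reading must agree with an independent measurement of the same quantity. The telemetry values, the 5 rpm tolerance and the assumption that a hardwired tachometer is read by a separate host the compromised controller cannot write to are all assumptions of the example.

```python
"""Telemetry spoof detection: replayed HMI data plus cross-sensor disagreement (added example)."""

# Constructed sample telemetry, not plant data. REPORTED is the equipment speed (rpm)
# operators see through the HMI/historian; INDEPENDENT is an out-of-band measurement
# of the same quantity, assumed here to come from a hardwired tachometer on a
# separate monitoring host. Samples 20-29 of REPORTED are an exact replay of
# samples 0-9 while INDEPENDENT shows the equipment actually ramping up.
REPORTED = [
    1500.2, 1499.8, 1500.5, 1499.9, 1500.1, 1500.3, 1499.7, 1500.0, 1500.4, 1499.6,
    1500.6, 1499.5, 1500.8, 1499.4, 1500.9, 1499.3, 1500.7, 1499.2, 1501.0, 1499.1,
    1500.2, 1499.8, 1500.5, 1499.9, 1500.1, 1500.3, 1499.7, 1500.0, 1500.4, 1499.6,
]
INDEPENDENT = [
    1500.0, 1500.1, 1500.3, 1499.8, 1500.0, 1500.2, 1499.9, 1500.1, 1500.2, 1499.7,
    1500.4, 1499.7, 1500.6, 1499.6, 1500.7, 1499.5, 1500.5, 1499.4, 1500.8, 1499.3,
    1512.0, 1524.0, 1536.0, 1548.0, 1560.0, 1572.0, 1584.0, 1596.0, 1608.0, 1620.0,
]


def detect_replay(series, window=5):
    """Return (source_start, replay_start, length) spans where a run of samples is an
    exact repeat of an earlier run. Adjacent matching windows are merged into one span."""
    seen = {}
    spans = []
    for j in range(len(series) - window + 1):
        key = tuple(series[j:j + window])
        if key in seen:
            i = seen[key]
            if spans:
                s, r, n = spans[-1]
                # Extend the previous span if this window continues it on both sides.
                if r + n - window + 1 == j and s + n - window + 1 == i:
                    spans[-1] = (s, r, n + 1)
                    continue
            spans.append((i, j, window))
        else:
            seen[key] = j
    return spans


def cross_check(reported, independent, tolerance_rpm=5.0):
    """Indexes where the operator-facing value disagrees with the independent one by
    more than the tolerance an operator would accept as ordinary sensor noise."""
    return [t for t, (a, b) in enumerate(zip(reported, independent))
            if abs(a - b) > tolerance_rpm]


def assess(reported, independent, window=5, tolerance_rpm=5.0):
    """Call spoofing only when a replayed run overlaps samples where the independent
    sensor disagrees: replay alone could be a genuinely static process, and
    disagreement alone could be a failing sensor."""
    spans = detect_replay(reported, window)
    divergent = cross_check(reported, independent, tolerance_rpm)
    corroborated = any(r <= t < r + n for (_, r, n) in spans for t in divergent)
    return {
        "replay_spans": spans,
        "divergent_samples": divergent,
        "spoofing_suspected": corroborated,
    }


if __name__ == "__main__":
    verdict = assess(REPORTED, INDEPENDENT)
    print(verdict)
```

The check only works if the second measurement really is independent: a tachometer wired into the same controller that is feeding the HMI can be falsified by the same malware, so the monitoring host and its input path must be outside the compromised system’s write reach, which is why the scenario’s rebuild-from-verified-backups branch matters for the monitoring side as much as for the controllers.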
10. Facilitator Quick Reference
Type Effectiveness Chart
Stuxnet (Nuclear/Electric dual-type):
Strong Against:
- Bug-type defenses (signature detection overwhelmed by zero-day exploits)
- Normal-type security (conventional controls ineffective against nation-state sophistication)
- Water-type systems (cooling and fluid control systems specifically targeted)
Weak Against:
- Electric-type defenses (behavior-based anomaly detection can spot manipulation attempts)
- Steel-type controls (physical security and air-gap enforcement prevents USB infection vectors)
- Psychic-type analysis (experienced operator intuition detects subtle anomalies automated systems miss)
Resists:
- Fire-type responses (aggressive rapid removal risks missing rootkit components)
- Grass-type containment (malware designed to spread across air-gapped systems through USB propagation)
Vulnerable To:
- Electric-type comprehensive system rebuild from verified clean backups
- Psychic-type behavior analysis leveraging experienced operator baseline knowledge
Common Facilitation Challenges
Challenge 1: Team oversimplifies nuclear safety or underestimates sophistication
IM Response: “Maria Rodriguez pulls up the detailed forensic analysis. ‘Look at this code—four zero-day exploits, stolen digital certificates, rootkit persistence in firmware layers. This isn’t something we can just scan and remove. And these equipment speed manipulations during startup? That’s when nuclear safety systems are most critical. We can’t guess about this.’”
Challenge 2: Team paralyzed by competing priorities or regulatory complexity
IM Response: “Dr. Walsh recognizes your dilemma. ‘Let me simplify the decision framework: nuclear safety is non-negotiable—that’s regulatory and moral reality. Within that absolute constraint, we optimize for grid reliability and timeline. So the question becomes: what do you need to be confident about safety, and how fast can you get there?’”
Challenge 3: Team focuses exclusively on technical investigation and misses attribution/strategic implications
IM Response: “Robert Chen interrupts the technical discussion. ‘I need you to understand something: if a nation-state adversary is targeting nuclear facilities during maintenance windows, this isn’t just about Columbia River Power Station. This is about national security and critical infrastructure protection across the sector. Your investigation has implications beyond this incident.’”
Challenge 4: Team wants to attempt rapid restart without sufficient validation
IM Response: “The Federal NRC Inspector speaks clearly: ‘I understand the grid pressure, but federal regulations exist for a reason. You’ve found nation-state malware in reactor protection systems with rootkit persistence and physical manipulation capabilities. I cannot—will not—authorize restart without complete validation of safety system integrity. Nuclear safety is absolute.’”
Dice/Success Mechanics Guidelines
For this scenario:
DC Ranges:
- Malware Forensic Analysis: DC 14 (sophisticated nation-state code with obfuscation)
- Industrial Control System Integrity Verification: DC 15 (rootkit detection in firmware layers)
- Air-Gap Compromise Investigation: DC 12 (USB infection vector detectable with proper forensics)
- Nation-State Attribution Analysis: DC 16 (operational security tradecraft requires expert analysis)
- Comprehensive System Rebuild: DC 12 (time-consuming but technically straightforward from clean backups)
- Rapid Malware Removal: DC 18 (high risk of missing sophisticated persistence mechanisms)
Type Effectiveness Modifiers:
- Electric-type approaches (behavior analysis, system rebuild): -3 to DC
- Psychic-type approaches (expert operator validation): -2 to DC
- Steel-type approaches (physical air-gap security): -2 to DC
- Fire-type approaches (aggressive rapid removal): +3 to DC
- Bug-type approaches (signature-based detection): +5 to DC
Automatic Success Conditions:
- Comprehensive system rebuild from verified clean backups (with appropriate timeline)
- Federal NRC Inspector approval for restart (if team demonstrates complete safety validation)
- Maria Rodriguez validation of behavior-based monitoring (if team develops sophisticated baseline approach)
Automatic Failure Conditions:
- Attempting reactor restart without addressing rootkit persistence in safety systems
- Relying solely on signature-based antivirus for nation-state malware detection
- Ignoring federal regulatory requirements due to business timeline pressure
11. Scenario Customization Notes
Difficulty Adjustments
Make Easier:
- Reduce nation-state sophistication: present malware with fewer zero-day exploits and more conventional detection methods
- Simplify nuclear regulatory context: focus on technical investigation without complex federal compliance requirements
- Extend timeline: provide 10-day maintenance window instead of 72-hour pressure for more investigation time
- Provide clearer attribution: make nation-state indicators more obvious rather than requiring deep analysis
Make Harder:
- Add active adversary response: nation-state becomes aware of detection and attempts evidence destruction or additional compromise
- Introduce conflicting intelligence: multiple possible attribution scenarios requiring careful analysis to identify correct adversary
- Add insider threat complexity: suggestion that nation-state may have recruited insider to assist in maintenance window targeting
- Expand scope: evidence suggests multiple nuclear facilities targeted simultaneously, requiring sector-wide coordination
Industry Adaptations
For Manufacturing/Industrial Context:
- Replace nuclear safety with production safety and equipment protection—same air-gap compromise but different safety implications
- Adjust regulatory environment from NRC nuclear oversight to OSHA industrial safety and EPA environmental compliance
- Modify timeline pressure from regional power grid to production deadlines and supply chain commitments
For Water Treatment Context:
- Adapt scenario to water treatment SCADA systems—similar air-gap architecture but water quality and public health safety focus
- Change NPCs to water treatment operators, public health officials, and EPA representatives
- Adjust stakes from regional power to municipal water supply affecting hundreds of thousands of residents
For Defense Contractor Context:
- Shift focus to classified system compromise during facility security upgrade window
- Replace nuclear safety with national security and classified information protection
- Adjust regulatory environment to DoD security clearances, counterintelligence, and classification requirements
Experience Level Adaptations
For Novice Teams:
- Simplify air-gap concepts with clear explanations: “Air-gapped means physically isolated—no network connections. Malware crosses via USB drives.”
- Reduce sophistication: present malware with obvious indicators rather than sophisticated concealment requiring deep forensics
- Provide guided investigation path with Maria Rodriguez offering frequent technical validation and direction
- Streamline competing priorities: focus on safety vs. timeline rather than complex multi-stakeholder coordination
For Expert Teams:
- Add technical depth: detailed zero-day exploit analysis, firmware rootkit investigation, advanced forensic tradecraft
- Introduce counterintelligence complexity: sophisticated nation-state operational security requires advanced attribution techniques
- Expand strategic implications: broader critical infrastructure protection beyond immediate incident, international coordination, diplomatic considerations
- Require innovative solutions: no pre-defined response options work perfectly, team must develop creative hybrid approaches
12. Cross-References
Additional Scenario Variants
- Stuxnet Manufacturing Deadline: stuxnet-manufacturing-deadline-planning.qmd - Manufacturing context with production timeline pressure
- Stuxnet Research Facility: stuxnet-research-facility-planning.qmd - Research laboratory with academic collaboration complexity
- Stuxnet Water Treatment: stuxnet-water-treatment-planning.qmd - Municipal water infrastructure with public health implications
Additional Resources
MITRE ATT&CK Techniques Demonstrated:
- T1091 (Replication Through Removable Media): USB-based infection vector for crossing the air gap (ICS matrix equivalent: T0847)
- T1210 (Exploitation of Remote Services): peer-to-peer spread between hosts inside the isolated network once a single machine is infected; T1205 (Traffic Signaling) describes port-knocking style triggers and is not the behavior this scenario depicts
- T1553.002 (Subvert Trust Controls: Code Signing): drivers signed with stolen certificates to pass as legitimate vendor software
- T1014 (Rootkit) and T1542.001 (Pre-OS Boot: System Firmware): the scenario’s firmware-level persistence beneath standard detection layers; T1601 (Modify System Image) is scoped to network device operating system images and is a weaker fit
- T1565 (Data Manipulation): industrial control system parameter modification while feeding operators falsified readings (ICS matrix equivalents: T0836 Modify Parameter, T0856 Spoof Reporting Message)
Real-World Incident References:
- Stuxnet (discovered 2010): Nation-state attack on Iran’s Natanz uranium enrichment facility that crossed an air gap via removable media and manipulated Siemens S7 PLCs driving centrifuges while replaying normal readings to operators
- CRASHOVERRIDE/Industroyer (2016): Sophisticated industrial control system malware targeting electrical grid infrastructure
- TRITON/TRISIS (2017): Safety instrumented system malware targeting petrochemical facility with potential for physical damage
Professional Development Connections:
- ICS/SCADA security certifications (GICSP)
- Critical infrastructure protection frameworks (NIST Cybersecurity Framework, IEC 62443 for industrial automation and control systems)
- Nation-state threat intelligence analysis and advanced persistent threat hunting
- Nuclear sector cybersecurity regulations and compliance (NRC requirements under 10 CFR 73.54 and the NEI 08-09 cyber security plan template)
Community Contributions
[Space for community-developed variations, MalDex entries, and shared experiences running this scenario]
Notes for IM Customization
What worked well:
What to modify next time:
Creative player solutions to remember:
Timing adjustments needed: