Stuxnet Water Treatment SCADA Deployment - Planning Guide
Stuxnet Water Treatment SCADA Deployment
Complete preparation guide for advanced water infrastructure scenario
This planning document provides comprehensive facilitation guidance for running the Stuxnet Water Treatment SCADA Deployment scenario, featuring sophisticated industrial control system compromise during SCADA modernization, chemical treatment manipulation, and nation-state critical infrastructure targeting with public health implications.
1. Quick Reference
Essential at-a-glance information for session setup
| Element | Details |
|---|---|
| Malmon | Stuxnet (Nuclear/Electric dual-type) |
| Difficulty Tier | Tier 3 (Expert) |
| Scenario Variant | Critical Infrastructure: Municipal Water Treatment |
| Organizational Context | Metro Water Authority: 300 employees, serves 500,000 residents, EPA compliance environment |
| Primary Stakes | Public water safety + EPA compliance + Critical infrastructure protection |
| Recommended Formats | Full Game / Advanced Challenge |
| Essential NPCs | Linda Zhang (Water Operations Manager), Dr. Samuel Foster (Water Quality Director), Alexandra Wu (SCADA Systems Engineer) |
| Optional NPCs | Michael Park (EPA Regional Administrator), Public Health Official, DHS CISA Critical Infrastructure Coordinator, Affected Resident Representative |
Scenario Hook
Metro Water Authority is completing new SCADA system installation to modernize water treatment and meet EPA compliance when sophisticated malware—introduced during system deployment—begins manipulating chemical dosing controls while concealing activities from monitoring systems, threatening public water safety for 500,000 residents.
Victory Condition
Team identifies sophisticated SCADA compromise and chemical treatment manipulation, ensures public water safety throughout response, meets EPA compliance requirements, and protects critical infrastructure from nation-state targeting without disrupting essential water services.
2. Game Configuration Templates
Quick Demo Configuration (35-40 min)
Not recommended for this scenario. The complexity of water treatment chemistry, SCADA security, public health implications, and critical infrastructure protection requires sustained investigation beyond what the demonstration format can support.
Lunch & Learn Configuration (60-75 min)
Not recommended for this scenario. Municipal water infrastructure security, EPA compliance requirements, and nation-state critical infrastructure targeting require a depth that the abbreviated format cannot support.
Full Game Configuration (120-140 min)
Pre-Configured Settings:
- Number of Rounds: 3 rounds
- Actions per Player: 2 actions per round
- Investigation Structure: Open with public safety checkpoints
- Response Structure: Creative with EPA compliance constraints
- Team Size: 5-6 players (full role complement)
- Success Mechanics: Dice/Cards with public safety modifiers
- Evidence Type: Subtle with sophisticated concealment
- NPC Count: 4-5 (essential + 1-2 optional)
- Badge Tracking: On
Experience Focus: Complete immersive experience with sophisticated SCADA investigation, water treatment process analysis, and public safety protection. Players balance technical investigation with EPA compliance, public health protection, and essential service continuity.
Time Breakdown:
- Introduction & Roles: 10 min
- Scenario Briefing: 10 min
- Round 1 (Discovery & Chemical Anomaly Investigation): 30 min
- Round 2 (SCADA Compromise & Attribution): 35 min
- Round 3 (Public Safety Response & System Recovery): 30 min
- Standard Debrief: 10 min
- Advanced Discussion: 10 min
Facilitation Notes: Emphasize the tension between the SCADA deployment timeline and public safety validation. Guide players to understand that water safety cannot be compromised for compliance deadlines. Introduce nation-state critical infrastructure targeting progressively. Allow the team to grapple with essential service continuity during response.
Advanced Challenge Configuration (150+ min)
Pre-Configured Settings:
- Number of Rounds: 4 rounds
- Actions per Player: 2 actions per round
- Investigation Structure: Complex multi-threaded (technical + public health + regulatory)
- Response Structure: Innovative solutions required across multiple domains
- Team Size: 6+ players (expanded roles or specialized teams)
- Success Mechanics: Complex (Water Safety Status + SCADA Security Status tracking)
- Evidence Type: Subtle with red herrings and sophisticated operational security
- Attack Complexity: Multi-stage with chemical manipulation and concealment
- NPC Count: 6+ with conflicting priorities
- Badge Tracking: On with critical infrastructure achievements
Experience Focus: Sophisticated challenge featuring nation-state critical infrastructure targeting, advanced SCADA forensics, water treatment chemistry analysis, and critical decision-making about public safety under EPA compliance pressure.
Time Breakdown:
- Introduction & Roles: 15 min
- Scenario Briefing: 15 min
- Round 1 (Chemical Anomaly Discovery): 30 min
- Round 2 (SCADA Compromise Investigation): 35 min
- Round 3 (Attribution & Public Safety Assessment): 35 min
- Round 4 (System Recovery & Long-Term Protection): 30 min
- Extended Debrief: 20 min
- Advanced Discussion: 15 min
Facilitation Notes: Maximum complexity with minimal guidance. Introduce water treatment chemistry details, EPA regulatory coordination, public health incident reporting, and nation-state infrastructure targeting strategies. Challenge assumptions about SCADA security. Facilitate difficult public notification decisions with incomplete information.
3. Scenario Overview
Opening Presentation
“It’s Monday morning at Metro Water Authority. The new SCADA system that will modernize water treatment operations for 500,000 residents is in final deployment—two weeks from EPA compliance demonstration. Water Operations Manager Linda Zhang has worked for 18 months on this modernization project, bringing decades-old water treatment controls into the digital age.
But during routine chemical dosing verification this morning, experienced operators notice something unusual. Chemical levels don’t quite match what the new SCADA displays are showing. Not obviously wrong—just slightly off from field measurements.
When SCADA Systems Engineer Alexandra Wu investigates, she finds something far more concerning: sophisticated malware in the industrial control systems that shouldn’t be there. Network traffic on systems that were supposed to be isolated. Evidence that chemical dosing controls may have been manipulated while displaying false normal readings to operators.
Water Quality Director Dr. Samuel Foster calls an emergency meeting. The EPA compliance deadline is in two weeks. The water treatment system serves 500,000 residents who depend on safe drinking water every day. And sophisticated malware may be manipulating chemical treatment processes while hiding from the very monitoring systems meant to protect public health.
Your incident response team must determine what happened, ensure water safety for half a million people, meet federal compliance requirements, and protect critical infrastructure from what appears to be nation-state targeting of municipal water systems.”
Initial Symptoms to Present
- Water treatment chemical dosing showing slight discrepancies between SCADA commanded levels and actual field measurements during operator verification
- SCADA monitoring displays showing normal operations and passing standard safety checks while independent laboratory analysis suggests different chemical concentrations
- Network monitoring detecting unexpected communication patterns on water treatment control networks installed during SCADA modernization
- Reports from the system installation contractor of unusual behavior during recent SCADA deployment activities and network integration phases
- Backup manual monitoring systems showing different chemical treatment levels than primary automated SCADA displays
- Timeline analysis revealing anomalies began shortly after new SCADA system was brought online and integrated with existing treatment processes
Organizational Context Details
Organization Profile:
- Name: Metro Water Authority (municipal water utility)
- Type: Critical Infrastructure (Municipal Water Treatment & Distribution)
- Size: 300 employees, serves 500,000 residents, processes 50 million gallons daily
- Key Assets: Water treatment SCADA systems, chemical dosing controls, distribution monitoring, public health protection infrastructure
- Regulatory Environment: EPA Safe Drinking Water Act compliance, state public health reporting, AWWA standards, DHS critical infrastructure protection
Cultural Factors:
- Public service mission creates absolute priority for water safety over all other considerations including timeline and budget
- Experienced operator expertise valued—staff trust field observations even when automated systems show “normal”
- SCADA modernization represents major investment and EPA compliance requirement, creating pressure to complete deployment on schedule
- Critical infrastructure status means system disruption affects essential public service for hundreds of thousands of residents
Malmon Characteristics in This Scenario
Stuxnet manifests as sophisticated nation-state malware designed to compromise water treatment SCADA systems during predictable modernization and upgrade periods when new systems are being integrated and security controls are in transition. The malware demonstrates industrial control expertise including chemical process manipulation, sensor data falsification, and the ability to cause public health consequences while concealing attack signatures from operators and regulatory monitoring.
Key Capabilities Demonstrated:
- Chemical Process Manipulation: Alters water treatment chemical dosing controls (chlorine, fluoride, pH adjustment) while maintaining plausible ranges that avoid triggering automatic safety alarms but create subtle public health risks
- Sensor Data Falsification: Manipulates SCADA monitoring displays to show normal chemical levels while actual treatment processes operate outside safe parameters—sophisticated concealment from operators and regulators
- SCADA Modernization Exploitation: Targets predictable vulnerability window during system deployment when new controls are being integrated, tested, and optimized before full operational acceptance
Vulnerabilities to Exploit:
- Field Measurement Validation: SCADA displays can be falsified, but grab samples and laboratory chemical analysis performed with instruments that do not depend on the control network reveal the true treatment conditions, which the malware cannot touch. Field transmitters whose readings pass through the same SCADA do not count as independent; only measurements taken outside the compromised system provide this check.
- Operator Experience: Veteran water treatment operators detect subtle anomalies through experiential knowledge of “normal” system behavior that automated monitoring misses
4. NPC Reference
Essential NPCs (Must Include)
NPC 1: Linda Zhang (Water Operations Manager)
- Position: Overall water treatment operations, responsible for SCADA modernization project and safe water delivery to 500,000 residents
- Personality: Experienced operator, safety-focused, comfortable trusting staff expertise even when systems show normal, protective of public service mission
- Agenda: Wants SCADA modernization to succeed and meet EPA deadline, but will never compromise public water safety for timeline or budget
- Knowledge: Deep operational understanding of water treatment, normal chemical dosing patterns, SCADA deployment timeline; noticed initial anomalies through operator experience
- Pressure Point: 18-month project investment and public service reputation depend on successful modernization, but public health is absolute priority
- IM Portrayal Notes: Play Linda as the experienced operator who trusts field staff over automated systems. She asks direct questions: “Can I guarantee safe drinking water for half a million people, yes or no?” Use her to create tension between compliance deadline and absolute safety requirements.
NPC 2: Dr. Samuel Foster (Water Quality Director)
- Position: Responsible for ensuring treated water meets all EPA and state health standards, oversees laboratory testing and regulatory compliance
- Personality: Scientific, methodical, deeply concerned about public health implications, conservative in risk assessment for drinking water safety
- Agenda: Wants comprehensive water quality validation before declaring system safe; concerned about potential public health exposure and regulatory reporting requirements
- Knowledge: Water treatment chemistry, EPA safe drinking water standards, public health incident protocols; understands chemical manipulation health consequences
- Pressure Point: Professional responsibility for protecting public health, regulatory career implications, concern about potential community health exposure
- IM Portrayal Notes: Use Samuel to raise public health and regulatory considerations. He introduces health risk assessment and asks about chemical exposure: “If dosing has been manipulated for days, what’s the public health impact and our notification obligations?”
NPC 3: Alexandra Wu (SCADA Systems Engineer)
- Position: Leading new SCADA deployment, responsible for industrial control system installation and cybersecurity
- Personality: Technical expert, troubled by sophisticated attack during her project, determined to understand compromise vector
- Agenda: Wants to identify how malware infiltrated during deployment and validate system security before EPA demonstration
- Knowledge: SCADA architecture, industrial control protocols, deployment timeline and activities; detected initial compromise during investigation
- Pressure Point: Professional reputation tied to successful modernization project, concern that deployment procedures may have created vulnerabilities
- IM Portrayal Notes: Alexandra is the technical detective investigating SCADA compromise. Use her to provide deep industrial control insights and deployment timeline details. She says things like: “This malware specifically targets water treatment chemical controls—not random systems. Someone planned this attack around our modernization.”
Optional NPCs (Add Depth)
NPC 4: Michael Park (EPA Regional Administrator)
- Position: Federal regulator responsible for Safe Drinking Water Act compliance oversight
- Personality: By-the-book regulator, concerned about cybersecurity implications for water safety
- Agenda: Needs SCADA compliance demonstration but also requires public health incident reporting if water quality was compromised
- Knowledge: EPA regulations, industry-wide cybersecurity concerns, federal reporting requirements
- Pressure Point: Federal regulatory authority, public health protection responsibility, potential national precedent
NPC 5: Public Health Official
- Position: County or state health department representative responsible for community health protection
- Personality: Focused on public safety, concerned about potential exposure notification and health monitoring
- Agenda: Needs assessment of public health risk and determination of community notification requirements
- Knowledge: Public health incident response, exposure assessment, community notification protocols
- Pressure Point: Community health protection, public trust, transparency obligations
NPC 6: DHS CISA Critical Infrastructure Coordinator
- Position: Federal critical infrastructure protection specialist for water sector
- Personality: Strategic thinker, concerned about nation-state targeting of water infrastructure
- Agenda: Wants to understand attack for broader water sector threat assessment and protection
- Knowledge: Critical infrastructure threats, nation-state capabilities, sector-wide coordination
- Pressure Point: National security responsibility, critical infrastructure protection mission
NPC Interaction Guidelines
When to introduce NPCs:
- Linda Zhang (Immediately): Opens scenario by briefing team on SCADA deployment status and chemical anomaly discovery
- Dr. Samuel Foster (Round 1): Appears with laboratory analysis showing chemical level discrepancies, raises public health concerns
- Alexandra Wu (Round 1-2): Available throughout for technical consultation, provides SCADA architecture and deployment insights
- Michael Park (Round 2-3): Calls regarding EPA compliance schedule, becomes aware of incident, raises regulatory requirements
- Public Health Official (Round 2-3): Contacted when investigation confirms chemical manipulation, discusses community notification
- CISA Coordinator (Round 3): Appears if nation-state attribution confirmed, handles sector-wide coordination
How NPCs advance the plot:
- Linda Zhang forces safety decision point: “I need your assessment—is the water safe, or do we switch to alternative treatment?”
- Dr. Foster escalates public health implications: “If chemical dosing has been wrong for days, we may have EPA reporting obligations and community notification requirements”
- Alexandra Wu provides technical validation and breakthrough insights when team investigation approaches correct answers
- NPC conflicts create realistic pressure: EPA wants compliance, health officials want safety certainty, operations manager must balance both
5. Investigation Timeline
Round 1: Discovery Phase
Automatic Reveals (present to all teams):
- Chemical Dosing Discrepancies: Field measurements show water treatment chemical levels differ from SCADA display readings by small but measurable amounts—not failures, but concerning variations
- SCADA Compromise Evidence: Forensic investigation reveals sophisticated malware in industrial control systems with capabilities for chemical process manipulation and sensor data falsification
Detective Investigation Leads:
- Malware analysis reveals multi-component code specifically designed for water treatment SCADA systems with chemical dosing control capabilities
- Timeline correlation shows malware presence began during SCADA deployment integration phase when new and legacy systems were being connected
- Code examination reveals nation-state sophistication indicators: industrial control expertise, stolen SCADA vendor credentials, specific targeting of municipal water infrastructure
Protector System Analysis:
- Industrial control system integrity verification reveals unauthorized modifications to chemical dosing control logic and safety alarm thresholds
- Water quality data analysis shows systematic manipulation pattern: subtle changes avoiding safety alarm triggers but creating cumulative health risks
- SCADA architecture review reveals deployment activities created temporary network access that became malware infiltration vector
Tracker Network Investigation:
- Network traffic analysis reveals covert communication between compromised SCADA systems using industrial control protocols designed for isolated networks
- Command structure examination shows autonomous operation with pre-programmed chemical manipulation objectives—no external command and control required
- Attribution indicators point to nation-state critical infrastructure targeting with strategic objectives beyond immediate disruption
Communicator Stakeholder Insights:
- Linda Zhang explains operator intuition: “Chemical dosing just felt off during morning checks—SCADA said normal, but field measurements showed differences”
- SCADA contractors describe deployment procedures that created legitimate temporary network access for system integration and testing
- Public health staff emphasize notification requirements: “If drinking water quality was compromised, EPA and state health require public disclosure”
Crisis Manager Coordination Discoveries:
- EPA compliance timeline: 2 weeks until SCADA demonstration required for Safe Drinking Water Act modernization compliance
- Public service continuity: 500,000 residents depend on continuous safe water delivery—system disruption affects essential service
- Impact assessment: Days or weeks of subtle chemical manipulation may have exposed the community to sub-optimal water treatment
Threat Hunter Proactive Findings:
- Malware characteristics indicate nation-state capabilities targeting critical water infrastructure during predictable modernization periods
- Intelligence reports reveal similar SCADA targeting patterns at other municipal water utilities during upgrade projects
- Strategic assessment suggests adversary objectives include demonstrating critical infrastructure vulnerability and gathering intelligence on U.S. water systems
Round 2: Investigation Phase
Automatic Reveals:
- Manipulation Timeline: Forensic analysis reveals malware has been subtly manipulating chemical dosing for approximately two weeks—since SCADA system operational acceptance testing began
- Public Health Assessment: Laboratory analysis of water quality samples shows chemical levels were maintained within safe ranges but at sub-optimal treatment effectiveness
Detective Investigation Leads:
- Deep malware analysis reveals sophisticated attack logic: maintain chemical levels within ranges that avoid triggering safety alarms while reducing treatment effectiveness
- Attribution forensics identify code signatures and targeting priorities consistent with specific nation-state critical infrastructure programs
- Attack timeline reconstruction shows compromise occurred during predictable SCADA deployment vulnerability window when systems were in transition
Protector System Analysis:
- Comprehensive water quality validation shows treatment effectiveness was reduced but public health risk remains low—sophisticated attack maintained plausible deniability
- SCADA security assessment reveals malware established firmware-level persistence requiring complete system validation before operational trust
- Recovery analysis indicates the system can be restored using verified backup configurations; a comprehensive SCADA rebuild and validation is estimated at approximately three weeks, which runs past the two-week EPA compliance deadline
Tracker Network Investigation:
- Network forensics map complete SCADA compromise scope: all chemical dosing controls affected, distribution monitoring systems potentially accessed
- Attack capability analysis shows malware designed for escalation: current subtle manipulation could be increased to dangerous levels if adversary chose
- Infrastructure intelligence suggests this attack may be reconnaissance for potential future disruption capability rather than immediate public health threat
Communicator Stakeholder Insights:
- Dr. Foster provides health risk assessment: “Chemical levels stayed within EPA safe ranges but treatment effectiveness was reduced—low public health risk but potential regulatory notification requirement”
- EPA Regional Administrator expresses concern: “This represents first confirmed cyber attack on U.S. municipal water treatment—national precedent for regulatory response”
- Public health officials discuss community notification: “Transparency vs. public alarm—do we notify about low-risk exposure that’s already ended?”
Crisis Manager Coordination Discoveries:
- Federal reporting requirements initiated: EPA, state health department, DHS CISA all require formal incident notification
- Business continuity assessment: SCADA rebuild extends past EPA compliance deadline, requiring regulatory accommodation
- Public communication strategy: Balance transparency obligations with public trust and avoiding unnecessary alarm about low-level exposure
Threat Hunter Proactive Findings:
- Intelligence analysis suggests facility was targeted due to SCADA modernization project providing predictable vulnerability opportunity
- Broader sector assessment identifies similar targeting at other water utilities undergoing infrastructure upgrades
- Geopolitical context reveals nation-state adversary strategic interest in demonstrating U.S. critical infrastructure vulnerabilities
Round 3: Response Phase
Automatic Reveals:
- Decision Point: Linda Zhang formally requests team recommendation: “EPA compliance demonstration is in two weeks, but SCADA rebuild requires three weeks. More importantly, do I need to notify the community about potential water quality exposure?”
- Regulatory Coordination: EPA Regional Administrator requires formal assessment of public health risk and incident response plan before determining compliance timeline accommodation
Evidence Based on Player Actions:
- If team recommends comprehensive SCADA rebuild: Linda supports decision, coordinates alternative treatment methods and EPA timeline extension
- If team attempts rapid malware removal: Alexandra expresses concern that sophisticated firmware-level persistence may remain undetected
- If team focuses on public notification: Dr. Foster provides health risk assessment guiding transparency vs. alarm balance
- If team proposes enhanced monitoring during recovery: EPA indicates preference for complete system validation before operational reliance
Malware Behavior Evolution:
- If detection approaches succeed: Malware remains dormant attempting to preserve persistence for potential future activation
- If SCADA system continues operation without complete remediation: Risk that sophisticated malware maintains manipulation capability for future escalation
- If comprehensive system rebuild initiated: Complete malware eradication successful but timeline and regulatory impacts create operational challenges
Final Complications (Advanced Challenge):
- Federal agencies request evidence preservation for attribution analysis and future critical infrastructure protection
- Media inquiries emerge about “cybersecurity incident at water utility,” creating public concern and transparency pressure
- Nation-state adversary aware of detection may attempt additional compromise or gather intelligence on defensive response capabilities
6. Response Options
Type-Effective Approaches
Most Effective (Electric/Behavioral Strength):
- Comprehensive SCADA Rebuild from Verified Clean Configurations: Complete industrial control system restoration using verified backup configurations and vendor-validated software on an approximately three-week timeline—most reliable method for sophisticated malware eradication (DC 12, high confidence but extended timeline that runs past the EPA deadline)
- Enhanced Field Monitoring with Operator Validation: Implement robust field measurement verification and operator-based anomaly detection that doesn’t rely on potentially compromised SCADA displays (DC 14, enables safer continued operation during recovery)
Moderately Effective:
- Targeted Malware Removal with System Validation: Focus on identifying and removing specific malware components while validating control logic integrity—faster than full rebuild but risks missing persistence (DC 16, partial success likely)
- Alternative Treatment Methods During Recovery: Switch to manual/backup treatment processes while SCADA undergoes comprehensive security validation—ensures safety but operationally challenging (DC 13, reliable but resource-intensive)
Least Effective (Nuclear Resistance):
- Signature-Based Detection: Sophisticated nation-state malware with industrial control expertise evades standard SCADA security tools (DC 20, very low success rate)
- Continued Operation with “Enhanced Monitoring”: Relying on compromised SCADA systems while attempting to monitor for manipulation creates unacceptable public health risk (Automatic failure, Dr. Foster and EPA prohibit)
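The Field Measurement Validation entry in the Malmon Characteristics (section 3) and the Enhanced Field Monitoring response option above both reduce to one check: compare what the SCADA display reports with an independent measurement, and look for an offset that is larger than instrument error and consistently in one direction while the displayed values never leave the alarm band. The following Python is an added example written for this guide, not code from the original page or from any utility, vendor or tool; the alarm band, instrument tolerance, sign-consistency ratio and all readings are constructed assumptions (the 4.0 mg/L upper value is the federal maximum residual disinfectant level for chlorine; everything else is a placeholder).

```python
"""Cross-validate SCADA-displayed chlorine residuals against independent
field measurements and flag a systematic, below-alarm bias.

Added example for this planning guide; not code from the original page or
from any utility or vendor.  Thresholds, tolerances and readings are
constructed for illustration.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Sequence

# Assumed alarm band for free chlorine residual (mg/L).  4.0 is the federal
# MRDL for chlorine; the 0.5 low alarm is a plant-specific assumption.
LOW_ALARM_MG_L = 0.5
HIGH_ALARM_MG_L = 4.0
# Assumed combined uncertainty of online analyser plus grab sample (mg/L).
INSTRUMENT_TOLERANCE_MG_L = 0.10
# Fraction of samples that must share the bias direction before the offset
# is called systematic rather than noise (assumed value).
SIGN_CONSISTENCY = 0.9
MIN_SAMPLES = 3


@dataclass(frozen=True)
class Reading:
    ts: str            # constructed ISO timestamp
    scada_mg_l: float  # value shown on the SCADA display / stored in the historian
    field_mg_l: float  # grab sample or portable analyser, not routed through SCADA


@dataclass(frozen=True)
class Verdict:
    n: int
    mean_bias_mg_l: float        # field minus SCADA; negative = SCADA over-reports
    max_abs_dev_mg_l: float
    scada_alarm_triggered: bool  # would the displayed values have alarmed?
    field_in_alarm_band: bool    # are the true values still inside the band?
    systematic_bias: bool


def in_alarm_band(value_mg_l: float) -> bool:
    return LOW_ALARM_MG_L <= value_mg_l <= HIGH_ALARM_MG_L


def assess(readings: Sequence[Reading]) -> Verdict:
    """Compare each SCADA value with its paired independent field measurement."""
    if len(readings) < MIN_SAMPLES:
        raise ValueError(f"need at least {MIN_SAMPLES} paired readings")
    diffs = [r.field_mg_l - r.scada_mg_l for r in readings]
    bias = mean(diffs)
    # A falsified display produces an offset that is both larger than the
    # instruments' uncertainty and consistently in one direction; random
    # analyser drift fails at least one of those two tests.
    same_sign = sum(1 for d in diffs if d != 0 and (d < 0) == (bias < 0))
    systematic = (abs(bias) > INSTRUMENT_TOLERANCE_MG_L
                  and same_sign >= SIGN_CONSISTENCY * len(diffs))
    return Verdict(
        n=len(readings),
        mean_bias_mg_l=bias,
        max_abs_dev_mg_l=max(abs(d) for d in diffs),
        scada_alarm_triggered=any(not in_alarm_band(r.scada_mg_l) for r in readings),
        field_in_alarm_band=all(in_alarm_band(r.field_mg_l) for r in readings),
        systematic_bias=systematic,
    )


def classify(v: Verdict) -> str:
    """Map a verdict onto the situations the scenario distinguishes."""
    if not v.systematic_bias:
        return "consistent"
    if v.field_in_alarm_band and not v.scada_alarm_triggered:
        # The scenario's case: true dosing is off, the display looks normal,
        # and no alarm ever fires.
        return "systematic_bias_within_alarm_band"
    return "systematic_bias_outside_alarm_band"


# Constructed sample data: ten morning checks at the clearwell outlet where the
# display reads about 0.25 mg/L higher than the grab sample every day.
MANIPULATED = [
    Reading("2024-05-06T07:00", 1.80, 1.55), Reading("2024-05-07T07:00", 1.82, 1.58),
    Reading("2024-05-08T07:00", 1.79, 1.52), Reading("2024-05-09T07:00", 1.81, 1.56),
    Reading("2024-05-10T07:00", 1.80, 1.54), Reading("2024-05-11T07:00", 1.83, 1.57),
    Reading("2024-05-12T07:00", 1.78, 1.53), Reading("2024-05-13T07:00", 1.80, 1.55),
    Reading("2024-05-14T07:00", 1.81, 1.56), Reading("2024-05-15T07:00", 1.79, 1.54),
]
# Constructed healthy data: differences are small and change sign.
HEALTHY = [
    Reading("2024-04-01T07:00", 1.80, 1.78), Reading("2024-04-02T07:00", 1.80, 1.83),
    Reading("2024-04-03T07:00", 1.80, 1.79), Reading("2024-04-04T07:00", 1.80, 1.81),
    Reading("2024-04-05T07:00", 1.80, 1.80),
]

if __name__ == "__main__":
    for name, data in (("manipulated", MANIPULATED), ("healthy", HEALTHY)):
        v = assess(data)
        print(f"{name}: {classify(v)}, mean bias {v.mean_bias_mg_l:+.3f} mg/L "
              f"over {v.n} samples, SCADA alarm: {v.scada_alarm_triggered}")
```

Run with `python3` to see the two classifications. The field column must come from bench or grab-sample analysis or a portable analyser that never passes through the control network; a transmitter whose value is read by the same SCADA can be falsified together with the display, and comparing it against the display proves nothing. The sign-consistency test is what separates deliberate, concealed manipulation from ordinary analyser drift, which the chart of raw differences alone does not show.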
Creative Response Guidance
Encourage player innovation in these areas:
- Hybrid Operating Modes: Team might propose partial SCADA operation using only verified clean systems while compromised components undergo rebuild—creative risk management
- Transparency Strategy: Developing public communication that provides honest disclosure about low-risk exposure while maintaining public trust and avoiding unnecessary alarm
- Sector Coordination: Engaging other water utilities to share threat intelligence and coordinate defensive strategies against infrastructure targeting
Common creative solutions players develop:
- Phased SCADA Recovery: Proposing incremental system validation and restoration allowing earlier return to automated operation while maintaining safety through enhanced monitoring
- Public Health Monitoring: Implementing community health surveillance to verify no adverse effects from subtle chemical manipulation exposure
- Federal Partnership: Leveraging DHS CISA resources for SCADA forensics and validation to accelerate recovery timeline
7. Round-by-Round Facilitation Guide
Round 1: Discovery
Opening Narration:
“It’s Monday morning at Metro Water Authority. Water Operations Manager Linda Zhang calls an emergency meeting. ‘We have a situation,’ she begins, pulling up chemical dosing data. ‘During routine checks this morning, our operators noticed discrepancies between what the new SCADA system is displaying and what field measurements show. Not big differences—but concerning to experienced staff.’ She gestures to SCADA Engineer Alexandra Wu. ‘When we investigated, we found malware in our industrial control systems. Sophisticated code that shouldn’t be there.’ Dr. Samuel Foster, the Water Quality Director, adds context: ‘This is our drinking water treatment system serving 500,000 residents. If chemical dosing has been manipulated, we may have public health and regulatory notification obligations.’ Linda looks directly at your team. ‘I need to know what happened, whether the water is safe, and whether I can trust this SCADA system that we’re supposed to demonstrate to EPA in two weeks.’”
IM Questions to Ask:
- “Experienced operators noticed chemical levels were ‘off’ even though SCADA displays showed normal. What does that operator intuition tell you about the sophistication of this attack?”
- “You’re looking at malware specifically designed for water treatment chemical controls. What does that targeting specificity suggest about the adversary’s capabilities and objectives?”
- “The malware has been present since SCADA deployment began. How does system modernization create vulnerability windows, and what does that mean for critical infrastructure protection?”
Expected Player Actions:
- SCADA Forensic Analysis: Reveal sophisticated malware with chemical process manipulation and sensor falsification capabilities
- Water Quality Validation: Discover chemical dosing manipulation maintained plausible ranges but reduced treatment effectiveness
- Infrastructure Assessment: Map compromise vector through SCADA deployment integration activities
- Public Health Risk Analysis: Determine exposure timeline and health impact assessment requirements
Malmon Identification Moment:
“As you analyze the malware capabilities, the sophisticated design becomes clear. Chemical process manipulation specifically targeting water treatment. Sensor data falsification concealing attack from operators. Nation-state industrial control expertise. This is Stuxnet-class critical infrastructure targeting—sophisticated malware designed to compromise municipal water systems during predictable modernization vulnerability windows. You’re dealing with an adversary targeting U.S. water infrastructure and public health protection systems.”
Round Conclusion:
“Your initial investigation reveals the scope: sophisticated nation-state malware infiltrated during SCADA deployment, manipulated chemical dosing for approximately two weeks while concealing activities from monitoring systems. Dr. Foster’s health assessment provides some relief: ‘Chemical levels stayed within EPA safe ranges—public health risk appears low but we may have notification obligations.’ Linda Zhang faces operational reality: ‘I need to rebuild this SCADA system before I can trust it, but that extends past our EPA deadline. More immediately, do I need to notify half a million residents about potential water quality exposure?’ The investigation deepens as you balance public safety, regulatory compliance, and critical infrastructure protection.”
Round 2: Investigation
Situation Update:
“Eight hours into the investigation, the strategic picture crystallizes. Alexandra Wu explains the attack sophistication: ‘This malware maintains chemical levels just barely within safe ranges—sophisticated enough to avoid triggering our safety alarms but reducing treatment effectiveness. If the adversary wanted immediate public health crisis, they could have. This feels like demonstration or reconnaissance.’ Dr. Foster provides health context: ‘Our laboratory analysis confirms treatment was sub-optimal but safe. The question is regulatory: do we notify the community about low-risk exposure that’s already ended?’ EPA Regional Administrator Park calls expressing concern: ‘This is the first confirmed cyber attack on U.S. municipal drinking water. Whatever you decide about notification sets national precedent.’ The SCADA system serves 500,000 residents who depend on safe water every day.”
IM Questions to Ask:
- “The malware maintained chemical levels within safe ranges but reduced effectiveness. What does this sophisticated restraint tell you about adversary objectives—immediate harm or long-term capability?”
- “You can rebuild SCADA systems for guaranteed security, but that extends past EPA compliance deadline. How do you balance regulatory requirements with operational safety and public service continuity?”
- “Public health risk was low, but some exposure occurred. What’s your framework for community notification—absolute transparency or measured communication avoiding unnecessary alarm?”
Pressure Points to Introduce:
- EPA Compliance: Regional Administrator emphasizes compliance demonstration required in two weeks, but expresses willingness to accommodate security incident response
- Public Trust: Public health officials discuss notification obligations: “Transparency builds trust even when risk is low—but we must balance against unnecessary public alarm”
- Federal Coordination: DHS CISA requests detailed incident information for critical infrastructure threat assessment and water sector coordination
Round Conclusion:
“Your deep investigation has mapped the complete attack: nation-state adversary targeted SCADA modernization vulnerability window, maintained sophisticated chemical manipulation for reconnaissance purposes, and demonstrated capability to threaten public health while avoiding immediate crisis. You understand both the technical compromise and the strategic implications. Linda Zhang calls a final meeting. ‘I need your recommendations: First, SCADA recovery approach and timeline. Second, community notification—do we disclose low-risk exposure or would that create unnecessary alarm? Third, what does this mean for our EPA compliance and broader water sector security?’ The moment of decision approaches.”
Round 3: Response
Critical Decision Point:
“Late Monday afternoon, 14 days before EPA compliance demonstration. Linda Zhang sits with Dr. Foster, Alexandra Wu, EPA Regional Administrator Park, and your incident response team. ‘I need your formal recommendations,’ she states clearly. ‘On SCADA recovery: comprehensive rebuild takes three weeks—we miss EPA deadline. Targeted removal might be faster but less certain. On public notification: health risk was low, but do we have transparency obligations? On sector coordination: if this is nation-state infrastructure targeting, what’s our broader responsibility?’ She looks directly at your team. ‘Safe water for half a million people is my absolute priority. Everything else is negotiable. What do you recommend?’”
IM Questions to Ask:
- “What level of certainty about SCADA integrity do you need before recommending operational reliance for drinking water treatment, and can you achieve that within EPA timeline constraints?”
- “How do you balance public health transparency obligations with risk of creating unnecessary alarm about low-level exposure that’s already ended and was within safe ranges?”
- “If this represents nation-state critical infrastructure targeting, what coordination with other water utilities and federal agencies is appropriate for sector-wide protection?”
Success and Failure Branches:
If team recommends comprehensive SCADA rebuild with community transparency:
“Linda nods decisively. ‘Public safety and public trust come first. We rebuild completely.’ She coordinates with EPA for timeline extension and develops transparent community communication. Dr. Foster leads public health briefing: ‘Water quality was maintained within safe ranges, but we’re taking comprehensive security measures.’ Your team coordinates full SCADA validation and sector threat intelligence sharing. Public response is positive—transparency builds trust, comprehensive security measures demonstrate responsibility. EPA accommodates timeline, praising thorough approach.”
If team proposes enhanced monitoring with targeted remediation:
“Alexandra considers carefully. ‘If we implement robust field monitoring and operator validation protocols, I can accelerate targeted malware removal with high confidence.’ Linda agrees: ‘We balance safety through monitoring with operational continuity.’ Your team develops sophisticated validation approach combining technical remediation with operational safeguards. EPA compliance proceeds with enhanced security demonstration. It’s challenging, but careful approach succeeds while maintaining public service.”
If team attempts continued operation without sufficient validation:
“Dr. Foster intervenes. ‘I cannot certify water safety while sophisticated malware potentially remains in treatment controls. Public health is non-negotiable.’ EPA Administrator supports: ‘Federal regulations require system integrity before operational reliance, especially for drinking water.’ Linda agrees: ‘We switch to alternative treatment until SCADA is validated. Public safety is absolute.’ Your technical approach was sound, but you learned that in water utilities, public health requirements override operational convenience.”
Resolution Narration:
“Three weeks later, Metro Water Authority completes SCADA system restoration with fully validated industrial controls and enhanced security monitoring. Your comprehensive response not only protected public health but provided critical intelligence about nation-state water infrastructure targeting. DHS CISA shares defensive strategies across the water sector, EPA develops cybersecurity guidance for SCADA modernization, and your team’s MalDex entry on critical infrastructure protection becomes required reading for municipal water utility defenders nationwide. Linda Zhang sends a personal message: ‘Thank you for prioritizing public safety when pressure to maintain schedules was intense. That’s what water utilities must do.’”
Round 4+ (Advanced Challenge Only)
Round 4: Long-Term Water Sector Security and Critical Infrastructure Protection
“Six months after the incident, your successful response has led to a national mission: EPA and DHS want you to help develop sector-wide defenses against nation-state targeting of municipal water infrastructure. Intelligence suggests the attack on Metro Water Authority was a pilot program for broader critical infrastructure reconnaissance.”
Advanced Challenge Elements:
- Develop comprehensive SCADA security protocols that protect water treatment while maintaining operational requirements and modernization benefits
- Create field-based monitoring frameworks that detect manipulation through operator expertise and direct measurement validation
- Design public transparency protocols that balance community notification obligations with measured communication avoiding unnecessary alarm
- Address strategic question: How does U.S. protect critical water infrastructure from sophisticated nation-state targeting while continuing essential system modernization?
Nation-State Adversary Evolution:
- Intelligence reveals adversary accelerates water infrastructure targeting after detection—developing more sophisticated SCADA infiltration techniques
- Geopolitical context evolves: Critical infrastructure targeting becomes diplomatic and national security priority
- Broader critical infrastructure implications: What you learned has applications for power, transportation, and other essential systems
8. Pacing & Timing Notes
Time Management Strategies
If Running Long:
- Condense Round 2 attribution analysis—provide nation-state intelligence as automatic reveal
- Streamline NPC interactions—combine EPA and public health into single regulatory conversation
- Fast-forward through water chemistry details—provide summary of health risk assessment
- Abbreviate final resolution—focus on immediate response decision
If Running Short:
- Expand technical investigation with detailed SCADA forensics and chemical manipulation analysis
- Add NPC complexity: conflicting priorities between operations (continuity), health (safety), EPA (compliance)
- Develop public communication strategy: detailed notification framework and community engagement
- Extend attribution investigation: deep dive into nation-state infrastructure targeting tradecraft
If Team is Stuck:
- On compromise vector: Have Alexandra explain: “During SCADA deployment, we created temporary network connections for integration—legitimate activities that became attack vector”
- On malware sophistication: Provide reveal: “Chemical manipulation stayed within safe ranges to avoid alarms—sophisticated attack demonstrating capability without immediate crisis”
- On notification decision: Have Dr. Foster frame question: “Health risk was low, but transparency builds trust—what’s your framework for community communication?”
- On SCADA recovery: Have Linda ask: “What validation gives you confidence this system is safe for drinking water treatment?”
Engagement Indicators
Positive Signs:
- Team debates notification decision with genuine consideration of transparency vs. unnecessary alarm
- Players demonstrate understanding of critical infrastructure security and public health protection
- Discussion includes nation-state implications beyond immediate incident
- Team coordinates role-based investigation (Detective on malware, Protector on water quality, Communicator on public health)
Warning Signs:
- Team oversimplifies water safety (“just remove the malware and continue operation”)
- Confusion about SCADA security vs. water quality validation
- Frustration with regulatory requirements or public health constraints
- Team avoids public notification discussion
9. Debrief Discussion Points
Critical Learning Objectives
Technical Concepts:
- Industrial Control System Security: Understanding how SCADA systems manage critical infrastructure and why sophisticated malware targeting requires specialized response beyond conventional IT security
- Critical Infrastructure Vulnerability Windows: Learning how system modernization creates predictable periods when security is transitional and adversaries can exploit legitimate activities
- Sensor Data Falsification: Recognizing sophisticated attacks that manipulate both control processes AND monitoring systems, requiring field validation independent of automated displays
- Nation-State Infrastructure Targeting: Understanding strategic objectives (reconnaissance, capability demonstration, future disruption potential) beyond immediate damage
Collaboration Skills:
- Multi-Stakeholder Public Safety Coordination: Balancing operations (continuity), public health (safety), regulatory (compliance), and federal (infrastructure protection) priorities
- Transparency Communication Strategy: Developing public notification approaches that maintain trust through honesty while providing measured context avoiding unnecessary alarm
- Technical-Operational Integration: Coordinating cybersecurity investigation with water treatment operations requiring continuous public service
Reflection Questions
Scenario-Specific:
- “When operators noticed chemical levels ‘felt off’ despite SCADA showing normal, what made you trust field expertise over automated systems? What does that tell you about the value of operational experience in detecting sophisticated attacks?”
- “The malware maintained chemical levels within safe ranges rather than creating immediate crisis. What does this sophisticated restraint reveal about nation-state infrastructure targeting objectives and long-term strategy?”
- “Linda Zhang asked for notification recommendation regarding low-risk exposure that had already ended. Walk through your decision-making: what transparency obligations did you balance against potential for unnecessary public alarm?”
- “SCADA modernization created the vulnerability window this attack exploited. How do critical infrastructure organizations balance modernization requirements with security during transitional periods?”
Real-World Connections:
- “Nation-state adversaries increasingly target U.S. critical infrastructure for reconnaissance and future disruption capability. What does this mean for water utilities, power grids, and other essential services?”
- “In your professional environment, where do you have system modernization or upgrade activities that create transitional security vulnerabilities? How do you protect against targeting during those windows?”
- “This scenario involved balancing public transparency about low-risk exposure with potential for unnecessary alarm. How do you handle similar communication challenges in incident response?”
- “What are implications of sophisticated attacks that demonstrate capability through restraint rather than immediate damage? How does that change defensive strategies and threat assessments?”
MalDex Documentation Prompts
Encourage teams to document:
- Field Validation Protocols: Techniques for detecting SCADA manipulation through independent measurement and operational expertise beyond automated monitoring
- SCADA Modernization Security: Approaches for protecting critical infrastructure during system upgrade activities and transitional vulnerability windows
- Public Transparency Framework: Strategies for community notification balancing honesty obligations with measured communication avoiding unnecessary alarm
- Critical Infrastructure Decision-Making: Framework for balancing public safety (absolute), regulatory compliance (required), and operational continuity (important) priorities
- Nation-State Attribution Analysis: Sophistication indicators and strategic objective assessment for infrastructure targeting beyond conventional cybercrime
- Water Sector Coordination: Best practices for sharing threat intelligence across municipal utilities while protecting operational security
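The field validation idea from the Sensor Data Falsification concept and the Field Validation Protocols prompt above, as an added example that is not part of the planning guide: a displayed value that stays inside its safe range never trips a range alarm, so the check compares independent grab samples against what the SCADA display reports. The readings, safe ranges and analyser tolerances are constructed for illustration only.

```python
from dataclasses import dataclass
from statistics import mean

# Assumed safe ranges and instrument tolerances for this example only;
# a real utility takes these from its permit and analyser documentation.
SAFE_RANGES = {"free_chlorine_mg_l": (0.5, 4.0), "ph": (6.5, 8.5)}
TOLERANCE = {"free_chlorine_mg_l": 0.15, "ph": 0.2}


@dataclass
class Reading:
    minute: int
    parameter: str
    scada_value: float  # value shown on the HMI / stored by the historian
    field_value: float  # independent grab sample measured by an operator


def range_alarms(readings):
    """The automated check: fires only when a *displayed* value leaves its range.
    A falsified display that stays in range never trips this."""
    return [(r.minute, r.parameter) for r in readings
            if not SAFE_RANGES[r.parameter][0] <= r.scada_value <= SAFE_RANGES[r.parameter][1]]


def field_divergence(readings, min_consecutive=3):
    """Flag a parameter when field samples disagree with the display, in the
    same direction and beyond tolerance, for min_consecutive samples in a row.
    A single odd grab sample is noise; a sustained one-sided gap is not."""
    by_param = {}
    for r in readings:
        by_param.setdefault(r.parameter, []).append(r)
    flagged = {}
    for param, rs in by_param.items():
        rs = sorted(rs, key=lambda r: r.minute)
        tol = TOLERANCE[param]
        lo, hi = SAFE_RANGES[param]
        deltas = [r.field_value - r.scada_value for r in rs]
        best = run = prev_sign = 0
        for d in deltas:
            sign = 0 if abs(d) <= tol else (1 if d > 0 else -1)
            run = run + 1 if sign and sign == prev_sign else (1 if sign else 0)
            prev_sign = sign
            best = max(best, run)
        if best >= min_consecutive:
            flagged[param] = {
                "mean_bias": mean(deltas),  # negative: water weaker than displayed
                "max_run": best,
                # Field values inside the safe range mean low public-health risk
                # even though the displayed numbers cannot be trusted.
                "field_within_safe_range": all(lo <= r.field_value <= hi for r in rs),
            }
    return flagged


# Constructed sample: the display holds chlorine at the 2.0 mg/L setpoint while
# grab samples show 1.1 to 1.2 mg/L (still inside the safe range); pH agrees.
SAMPLE = [
    Reading(0, "free_chlorine_mg_l", 2.0, 1.2),
    Reading(15, "free_chlorine_mg_l", 2.0, 1.1),
    Reading(30, "free_chlorine_mg_l", 2.0, 1.2),
    Reading(45, "free_chlorine_mg_l", 2.0, 1.1),
    Reading(0, "ph", 7.4, 7.5),
    Reading(15, "ph", 7.4, 7.3),
    Reading(30, "ph", 7.4, 7.45),
    Reading(45, "ph", 7.4, 7.5),
]

if __name__ == "__main__":
    print("range alarms:", range_alarms(SAMPLE))          # [] - display never leaves range
    print("field divergence:", field_divergence(SAMPLE))  # chlorine flagged, pH not
```

Run against the sample, the range alarm stays silent while the chlorine divergence is flagged with field values still in range, which is exactly the "sub-optimal but safe" picture the scenario describes.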
10. Facilitator Quick Reference
Type Effectiveness Chart
Stuxnet (Nuclear/Electric dual-type):
Strong Against:
- Bug-type defenses (automated SCADA monitoring ineffective against sophisticated sensor falsification)
- Normal-type security (conventional controls inadequate for nation-state industrial control expertise)
- Water-type infrastructure (chemical treatment processes specifically targeted)
Weak Against:
- Electric-type defenses (field measurement validation detects manipulation automated systems miss)
- Steel-type controls (physical operational security and field verification prevents complete compromise)
- Psychic-type analysis (operator expertise detects anomalies through experiential knowledge)
Resists:
- Fire-type responses (aggressive rapid fixes risk incomplete malware removal)
- Grass-type containment (designed for industrial control environments with limited connectivity)
Vulnerable To:
- Electric-type comprehensive SCADA rebuild from verified clean configurations
- Psychic-type operator validation using field expertise and independent measurements
Common Facilitation Challenges
Challenge 1: Team oversimplifies water safety or underestimates SCADA complexity
IM Response: “Dr. Foster pulls up the health risk assessment. ‘This malware manipulated chemical dosing while falsifying sensor data—it controlled both the treatment process AND what operators saw. Standard antivirus or quick fixes won’t address firmware-level persistence in industrial controls. For drinking water serving half a million people, I need comprehensive validation, not assumptions.’”
Challenge 2: Team paralyzed by notification decision or regulatory complexity
IM Response: “Linda recognizes your dilemma. ‘Let me simplify: Public safety is non-negotiable—that’s our mission. Public trust requires honesty—that’s our obligation. Within those constraints, we minimize unnecessary alarm. So the question becomes: what do residents need to know, and how do we communicate it responsibly?’”
Challenge 3: Team focuses exclusively on technical investigation and misses strategic infrastructure implications
IM Response: “DHS CISA coordinator interrupts technical discussion. ‘I need you to understand broader context: A nation-state adversary targeted municipal drinking water treatment—an essential service for American communities. This attack demonstrated capability without creating crisis. That’s reconnaissance for potential future disruption. This isn’t just about Metro Water Authority. This is about critical infrastructure protection.’”
Challenge 4: Team wants to continue SCADA operation without sufficient validation
IM Response: “Dr. Foster speaks clearly: ‘I understand operational pressure, but I cannot certify water safety while sophisticated malware potentially remains in treatment controls. EPA regulations and public health laws exist for a reason. We validate system integrity completely before operational reliance. Drinking water safety is absolute.’”
Dice/Success Mechanics Guidelines
For this scenario:
DC Ranges:
- SCADA Malware Forensic Analysis: DC 14 (sophisticated industrial control code with obfuscation)
- Water Quality Validation: DC 13 (field measurement verification straightforward but comprehensive)
- Chemical Manipulation Impact Assessment: DC 15 (health risk analysis requires water chemistry expertise)
- Nation-State Attribution Analysis: DC 16 (sophisticated operational security requires expert analysis)
- Comprehensive SCADA Rebuild: DC 12 (time-consuming but technically achievable from verified backups)
- Rapid Targeted Removal: DC 18 (high risk of missing firmware-level persistence)
Type Effectiveness Modifiers:
- Electric-type approaches (field validation, SCADA rebuild): -3 to DC
- Psychic-type approaches (operator expertise validation): -2 to DC
- Steel-type approaches (physical operational security): -2 to DC
- Fire-type approaches (aggressive rapid fixes): +3 to DC
- Bug-type approaches (automated SCADA monitoring): +5 to DC
Automatic Success Conditions:
- Comprehensive SCADA rebuild from verified clean vendor configurations (with appropriate timeline)
- Field measurement validation protocols independent of potentially compromised displays
- Public health risk assessment conducted by qualified water quality experts
Automatic Failure Conditions:
- Attempting continued drinking water treatment operation without addressing SCADA integrity concerns
- Relying solely on automated monitoring for sophisticated nation-state malware detection
- Ignoring public health notification obligations due to operational convenience
11. Scenario Customization Notes
Difficulty Adjustments
Make Easier:
- Reduce chemical manipulation sophistication: make water quality impacts more obvious and immediately detectable
- Simplify public health context: focus on technical SCADA investigation without complex community notification decisions
- Extend timeline: provide four-week EPA deadline instead of two-week pressure
- Provide clearer attribution: make nation-state indicators more obvious
Make Harder:
- Add active adversary response: the nation-state adversary attempts escalated manipulation or evidence destruction when detection occurs
- Introduce actual health impacts: some community members experienced minor effects requiring medical assessment and expanded notification
- Add media pressure: investigative reporters become aware of the incident, creating public communication complexity
- Expand scope: evidence suggests multiple water utilities were targeted simultaneously, requiring sector coordination
Industry Adaptations
For Power Grid/Electrical Infrastructure:
- Replace water treatment with electrical grid SCADA monitoring and generation control
- Adjust regulatory environment from EPA to NERC CIP and electrical reliability compliance
- Modify stakes from public health to regional power reliability and critical infrastructure continuity
For Manufacturing/Industrial Context:
- Adapt scenario to manufacturing SCADA with production safety instead of public health
- Change regulatory focus from EPA to OSHA safety and environmental compliance
- Adjust public impact from community water to product safety and supply chain
For Transportation Infrastructure:
- Shift focus to traffic management or transit control systems
- Replace water safety with transportation safety and public mobility
- Adjust stakeholders to transportation authorities and public safety officials
Experience Level Adaptations
For Novice Teams:
- Simplify water treatment concepts with clear explanations of chemical dosing and safety ranges
- Reduce SCADA sophistication: present malware with more obvious detection opportunities
- Provide guided investigation with operators offering frequent validation and technical context
- Streamline competing priorities: focus on safety vs. timeline rather than complex multi-stakeholder coordination
For Expert Teams:
- Add technical depth: detailed water chemistry analysis, SCADA protocol investigation, firmware rootkit forensics
- Introduce public communication complexity: media management, transparency strategy development, community engagement planning
- Expand strategic implications: broader water sector protection, international infrastructure targeting patterns, diplomatic considerations
- Require innovative solutions: no pre-defined approach works perfectly; the team must develop creative hybrid strategies
12. Cross-References
Additional Scenario Variants
- Stuxnet Manufacturing Deadline: stuxnet-manufacturing-deadline-planning.qmd - Manufacturing context
- Stuxnet Power Plant: stuxnet-power-plant-planning.qmd - Nuclear critical infrastructure
- Stuxnet Research Facility: stuxnet-research-facility-planning.qmd - Federal research laboratory
Additional Resources
MITRE ATT&CK Techniques:
- T1091 (Replication Through Removable Media): SCADA deployment infiltration vector
- T1080 (Taint Shared Content): Industrial control system configuration manipulation
- T1565 (Data Manipulation): Chemical dosing control and sensor data falsification
- T1498 (Network Denial of Service): Potential escalation capability
Real-World References:
- Oldsmar Water Treatment Facility incident (2021) - Remote SCADA access compromise
- Critical infrastructure SCADA security challenges and modernization vulnerabilities
- Nation-state targeting of municipal water infrastructure for strategic reconnaissance
Professional Development:
- Water sector cybersecurity frameworks (AWWA guidance)
- EPA Safe Drinking Water Act compliance and security requirements
- Industrial control system security certifications (GICSP)
- Critical infrastructure protection coordination (DHS CISA programs)
Notes for IM Customization
What worked well:
What to modify next time:
Creative player solutions to remember:
Timing adjustments needed: