1. Quick Reference
| Element | Details |
|---|---|
| Malmon | Raspberry Robin (USB Worm/Stealth) ⭐⭐⭐ |
| Difficulty Tier | Tier 2 (Advanced) |
| Scenario Variant | Manufacturing Floor - Product Launch |
| Organizational Context | TechManufacturing: Production facility with 800 workers, industrial control systems, critical product launch deadline |
| Primary Stakes | Production continuity + Industrial control security + Product quality + Supply chain obligations |
| Recommended Formats | Full Game, Advanced Challenge (120-180 min) |
| Essential NPCs | Operations Manager, IT/OT Security Lead, Production Floor Supervisor, Quality Control Director |
Scenario Hook
"TechManufacturing is ramping up for a critical product launch when production technicians report USB drives used for equipment programming and quality data collection are creating suspicious files, spreading through industrial control systems and production networks."
Victory Condition
Contain USB worm in production environment, protect industrial control systems, maintain product launch timeline, ensure production quality, secure manufacturing USB workflows.
2. Organization Context
Precision Manufacturing Corp: Aerospace Parts Production During Critical Contract Delivery
Quick Reference
- Organization: Industrial precision aerospace manufacturing facility, 850 employees (600 production floor workers), 80 production machines with air-gapped control networks requiring USB-based maintenance
- Key Assets at Risk: Worker safety systems (hazardous gas detection, emergency shutdown controls protecting 850 workers), Production control and industrial systems (air-gapped SCADA, CNC machines, quality certification), $25M aerospace contract (300 jobs dependent, Friday deadline with $500K daily penalties)
- Business Pressure: 72 hours until aerospace contract delivery Friday - maximum capacity 24/7 operations, 150+ daily USB insertions for equipment maintenance, customer demanding production status confirmation
- Core Dilemma: Continue USB-based maintenance required for aerospace quality standards BUT allows malware propagation through air-gapped production systems, OR Halt USB use for containment BUT stops equipment calibration risking $500K daily penalties and worker safety certification
Detailed Context
Organization Profile
- Type: Industrial precision manufacturing facility specializing in aerospace components
- Size: 850-employee facility (600 production floor workers, 120 maintenance technicians and quality engineers, 80 supervisors, 50 administrative and engineering staff)
- Operations: Precision steel processing, CNC machining, aerospace-grade manufacturing, hydraulic press operations, heat treatment, quality control and certification, equipment maintenance
- Critical Services: 24/7 production floor operations across multiple lines, industrial control systems (SCADA, CNC, programmable logic controllers), worker safety monitoring (hazardous material detection, emergency shutdown systems, temperature controls), quality control and certification systems for aerospace specifications, equipment maintenance and calibration
- Technology: Air-gapped production control networks (isolated from corporate IT for security), Windows-embedded industrial control systems (legacy OS for certified equipment), USB-based data transfer for maintenance and updates (required bridge between air-gapped systems), SCADA manufacturing control systems, quality measurement and certification equipment, worker safety monitoring and alarm systems
Precision Manufacturing Corp is a mid-sized aerospace component supplier serving aircraft manufacturers and defense contractors. The facility produces high-precision parts requiring aerospace certification and strict quality control. Current status: Maximum capacity operations fulfilling $25M aerospace contract due Friday, production running 24/7 to meet delivery deadline with $500K per day late penalties, 150+ daily USB device insertions for routine equipment maintenance and data transfer between air-gapped production systems.
Key Assets & Impact
What's At Risk:
- Worker Safety Systems: Environmental monitoring (hazardous gas detection, chemical alerts), emergency shutdown controls for heavy machinery, temperature monitoring for heat treatment processes, personnel safety equipment controls - USB-based malware spreading through maintenance procedures compromises safety instrumented systems protecting 850 production floor workers from industrial hazards, creates OSHA-reportable incidents, triggers mandatory operations halt until safety certification restored
- Production Control & Industrial Systems: Air-gapped SCADA networks, CNC machine control systems, quality measurement equipment, production data logging - Raspberry Robin USB worm propagating through maintenance workflows bypasses air-gap isolation, compromises manufacturing control integrity, threatens aerospace certification validity, risks $500K daily contract penalties with Friday delivery deadline
- Aerospace Contract & Business Viability: $25M aerospace contract represents facility's largest customer relationship, 300 jobs dependent on contract continuation, thin manufacturing profit margins vulnerable to major revenue loss - USB malware affecting quality control systems invalidates aerospace certification, customer threatens alternative suppliers, facility closure risk affects 850 employees and local community
Immediate Business Pressure
Tuesday morning, 72 hours before aerospace contract delivery Friday. Precision Manufacturing operating at maximum production capacity. Senior Technician Carlos Rodriguez performing routine equipment updates using USB drives - standard procedure for transferring data between air-gapped production control systems. Every manufacturing facility relies on USB for maintenance because air-gap isolation prevents network-based updates.
Carlos radios maintenance team: "USB drives automatically creating suspicious files on every system - 'Equipment_Updates', 'Production_Data', 'Quality_Control' folders that aren't real folders. Systems running slower after USB insertion." Operations Manager Janet Williams overhears - immediately concerned about aerospace contract jeopardy. "We can't afford production disruptions. $500K daily late penalties start Saturday if we miss Friday delivery. What's happening?"
Investigation team discovers Raspberry Robin USB worm creating malicious LNK files disguised as legitimate manufacturing data folders. Malware propagates automatically when USB drives inserted into air-gapped production systems - no user interaction required beyond normal maintenance procedures. Infection spreading through 150+ daily USB insertions required for equipment calibration, firmware updates, quality data transfer, and production control maintenance. Manufacturing technicians share 10 USB drives across 80 production machines - single infected USB contaminates entire maintenance workflow.
Safety Coordinator Diana Park reporting worker safety systems potentially compromised - infected USB drives accessed emergency shutdown controls, hazardous material detection, and personnel safety equipment through same maintenance procedures. Production line 3 experiencing unexpected shutdown after infected USB calibration. Aerospace customer calling demanding production status confirmation. Quality Engineer Mark Thompson concerned infected USB drives accessing quality control systems - entire aerospace certification could be invalidated if production data integrity questioned.
Critical Timeline:
- Current moment (Tuesday 9am): Raspberry Robin identified spreading through air-gapped manufacturing networks via USB maintenance procedures, 72 hours until aerospace contract delivery
- Stakes: Worker safety systems compromised, $25M aerospace contract threatened with $500K daily penalties, 850 employees and 300 jobs dependent on facility operations, air-gapped production control integrity questioned
- Dependencies: 80 production machines requiring daily USB maintenance for aerospace quality standards, worker safety monitoring protecting employees from industrial hazards, quality control certification required for aerospace component delivery, air-gap isolation creates USB dependency that malware exploits
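For facilitators who want a concrete artifact for the discovery round, the sketch below triages a maintenance drive for the LNK-as-folder disguise described above. It is an added example, not part of the original scenario material; the function names and the sample drive contents are constructed, and the checks are heuristics (any shortcut in the root of a maintenance drive is treated as worth a look).

```python
import tempfile
from pathlib import Path

# First 20 bytes of every Windows Shell Link file: HeaderSize 0x4C, then the LinkCLSID.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")


def is_shell_link(path: Path) -> bool:
    """True when the content starts with the Shell Link header, whatever the extension."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(LNK_MAGIC)) == LNK_MAGIC
    except OSError:
        return False


def triage_drive(root: Path) -> list:
    """Flag shortcut files in the drive root, noting why each looks like a folder lure."""
    findings = []
    for p in root.iterdir():
        if not p.is_file() or not is_shell_link(p):
            continue
        has_lnk_ext = p.suffix.lower() == ".lnk"
        shown_name = p.stem if has_lnk_ext else p.name  # Explorer hides ".lnk"
        reasons = ["shortcut file in drive root"]
        if "." not in shown_name:
            reasons.append("displayed name has no extension, so it reads as a folder")
        if not has_lnk_ext:
            reasons.append("shortcut content under a non-.lnk extension")
        findings.append({"file": p.name, "reasons": reasons})
    return sorted(findings, key=lambda f: f["file"])


def build_sample_drive(root: Path) -> None:
    """Constructed sample drive: benign stand-in files, header-only shortcuts."""
    (root / "calibration").mkdir()
    (root / "calibration" / "cnc_line3.csv").write_text("axis,offset\nx,0.002\n")
    (root / "readme.txt").write_text("maintenance drive 04\n")
    for name in ("Equipment_Updates", "Production_Data", "Quality_Control"):
        # 20-byte magic padded with zeros to the 76-byte header size; no target data
        (root / f"{name}.lnk").write_bytes(LNK_MAGIC + bytes(56))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_drive(Path(tmp))
        for finding in triage_drive(Path(tmp)):
            print(finding["file"], "->", "; ".join(finding["reasons"]))
```

Run against the mount point of a drive on a scanning station that is not part of the production network; the script reads only the first 20 bytes of each file and never opens a shortcut's target.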
Cultural & Organizational Factors
Why This Vulnerability Exists:
- Air-gap security architecture creates mandatory USB dependency: Precision Manufacturing designed production control networks as air-gapped (no network connectivity) for security and aerospace certification requirements. Aircraft manufacturers demand isolated manufacturing systems to prevent network-based espionage or sabotage. Air-gap creates security against network attacks - but requires USB drives as only method for firmware updates, calibration data transfer, quality measurements, and equipment maintenance. The security measure designed to protect manufacturing becomes the attack vector - USB worm exploits the very isolation meant to provide safety.
- Equipment maintenance workflows are non-negotiable for production: CNC machines require daily calibration via USB. Quality control systems need USB data transfer for aerospace certification. Heat treatment equipment depends on USB firmware updates. Production monitoring requires USB log downloads. These USB procedures are mandatory requirements in aerospace manufacturing - not convenience or negligence. Technicians cannot "just stop using USB" without halting production operations. Equipment vendors specify USB maintenance in service contracts. Attempting to eliminate USB usage means losing aerospace certification and ability to manufacture certified components.
- Manufacturing technicians share USB drives creating propagation network: Facility has 10 USB drives for 80 production machines and 120 maintenance technicians. Shared USB drives move between departments, production lines, and equipment types throughout day. Single infected USB inserted into one system Tuesday contaminates entire facility by Thursday through routine maintenance rotation. Cross-contamination accelerated by cost-efficiency practice of sharing drives rather than dedicating USB devices per machine or technician. Budget constraints ($15 specialized industrial-grade USB drives vs $150 for 100 drives) drove sharing practice that created rapid propagation pathway.
- External contractor introduced infection beyond facility control: Timeline analysis traces initial Raspberry Robin infection to maintenance contractor's USB drive used during equipment service 5-7 days prior. Contractor companies service multiple manufacturing facilities with same USB drives and tools. Facility has limited control over third-party cybersecurity practices - but must grant contractor USB access to fulfill equipment warranty and maintenance contracts. Supply chain USB contamination created infection source outside organizational security boundaries.
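The shared-drive rotation and the contractor timeline above amount to a scoping question: given an insertion log, which drives and machines could the contractor's drive have reached, and when? The sketch below answers it as an added example, not part of the original scenario material; the log entries, drive and machine names, and the exposure model are constructed assumptions.

```python
# Constructed insertion log: (timestamp, drive id, machine id).
# "YYYY-MM-DD HH:MM" strings sort chronologically, so no date parsing is needed.
SAMPLE_LOG = [
    ("2024-03-06 14:00", "CONTRACTOR-1", "PRESS-02"),  # contractor service visit
    ("2024-03-06 16:30", "USB-03", "CNC-11"),          # both still clean
    ("2024-03-07 09:15", "USB-03", "PRESS-02"),        # shared drive meets exposed machine
    ("2024-03-07 11:40", "USB-03", "CNC-11"),
    ("2024-03-08 08:05", "USB-07", "QC-01"),           # both still clean
    ("2024-03-08 13:20", "USB-07", "CNC-11"),
    ("2024-03-11 10:00", "USB-07", "QC-01"),
    ("2024-03-11 15:45", "USB-05", "HEAT-04"),         # never crosses the chain
]


def trace_exposure(events, seed_drive, seed_time):
    """Return (drives, machines): first possible exposure time for each.

    Model (an assumption for scoping, deliberately pessimistic): an exposed
    drive exposes every machine it is inserted into, and an exposed machine
    exposes every drive inserted into it afterwards.
    """
    drives = {seed_drive: seed_time}
    machines = {}
    for ts, drive, machine in sorted(events):
        if ts < seed_time:
            continue  # insertions before the seed event cannot be part of the chain
        if drive in drives and machine not in machines:
            machines[machine] = ts
        if machine in machines and drive not in drives:
            drives[drive] = ts
    return drives, machines


def clean_assets(events, drives, machines):
    """Drives and machines in the log that the exposure chain never reached."""
    all_drives = {d for _, d, _ in events}
    all_machines = {m for _, _, m in events}
    return sorted(all_drives - set(drives)), sorted(all_machines - set(machines))


if __name__ == "__main__":
    d, m = trace_exposure(SAMPLE_LOG, "CONTRACTOR-1", "2024-03-06 14:00")
    for name, ts in sorted({**d, **m}.items(), key=lambda kv: kv[1]):
        print(ts, name)
    print("not reached:", clean_assets(SAMPLE_LOG, d, m))
```

Order matters: CNC-11 and QC-01 each appear in the log before they are exposed, so only their later insertions count, which is why a plain "which machines did this drive ever touch" query overstates or misdates the scope.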
Operational Context
How This Manufacturing Facility Actually Works:
Precision Manufacturing operates in competitive aerospace supply market with thin profit margins ($25M contract represents 30% annual revenue). Air-gapped production networks were expensive security investment required for aerospace defense contractor certification. The air-gap protects against network-based industrial espionage targeting aerospace manufacturing intellectual property - but creates operational dependency on USB as only data transfer method between isolated systems and administrative networks. Operations Manager Janet balances three competing pressures: aerospace customer delivery demands ($500K daily penalties), worker safety requirements (OSHA and insurance mandates), and equipment vendor maintenance specifications (warranty compliance). The facility runs 24/7 during contract delivery periods - technicians perform USB maintenance on evenings and weekends when production demand is highest. This creates vulnerability window where USB procedures occur with minimal IT security oversight. The gap between industrial security best practice (dedicated USB devices per system, real-time malware scanning, vendor cybersecurity requirements) and manufacturing economic reality (shared USBs for cost control, contractor access for warranty compliance, production schedule overrides security maintenance) created perfect conditions for USB worm designed specifically to exploit air-gapped industrial environments.
Key Stakeholders
- Janet Williams (Operations Manager) - Managing $25M aerospace contract delivery with 72-hour deadline, watching USB malware spread through air-gapped production systems, balancing security response with $500K daily late penalties
- Carlos Rodriguez (Senior Technician) - Discovering routine USB maintenance procedures are spreading malware across facility, frustrated that security measures might interfere with proven maintenance workflows required for aerospace quality
- Diana Park (Safety Coordinator) - Investigating worker safety system compromise as USB malware spreads through industrial control networks, must ensure OSHA compliance and employee protection before production resumption
- Mark Thompson (Quality Engineer) - Analyzing production data integrity as infected USB drives contaminate quality control systems, concerned entire aerospace certification could be invalidated by malware affecting quality records
Why This Matters
You're not just containing a USB worm - you're protecting 850 workers from compromised safety systems while trying to save 300 jobs dependent on a $25M aerospace contract with 72-hour delivery deadline. Air-gapped production networks designed to prevent network attacks are being compromised through USB maintenance procedures that cannot be eliminated without halting manufacturing. Worker safety monitoring for hazardous materials, emergency shutdowns, and temperature controls is potentially corrupted - OSHA requires absolute certainty before workers can safely operate heavy machinery and chemical processes. The aerospace customer demands quality certification that malware hasn't affected production data or component integrity. Manufacturing technicians need USB drives for equipment updates required by aerospace standards - but every USB insertion risks spreading the worm through air-gapped systems. There's no option that eliminates USB, protects workers, meets the deadline, and preserves quality certification. You must decide which matters most.
IM Facilitation Notes
- This is air-gapped OT security, not enterprise IT security: Players often suggest "network isolation" or "disconnect from internet" - remind them systems are ALREADY air-gapped by design. USB is the deliberate bridge for maintenance. The security architecture that should protect them is being exploited. Force players to understand air-gap limitations.
- USB usage is manufacturing requirement, not negligence: Don't let players dismiss USB as "poor security practice." Aerospace certification requires air-gapped systems. Equipment vendors specify USB maintenance. Quality standards mandate USB data transfer. This is industrial operational reality. Eliminating USB means losing aerospace certification and production capability.
- Worker safety is non-negotiable even under deadline pressure: If players propose "continue production while investigating," remind them hazardous material detection and emergency shutdown systems potentially compromised. Cannot verify safety systems while workers use them in active production. OSHA liability if injury occurs. Diana will mandate halt if safety cannot be certified.
- Shared USB drives accelerate propagation authentically: Ten USB drives for 80 machines is realistic manufacturing practice driven by equipment cost and budget constraints. Players may criticize this - acknowledge it's optimization for operational efficiency over security. Budget-constrained manufacturing made rational choice that created vulnerability.
- Contract pressure is authentic manufacturing crisis: $500K daily penalties and $25M contract loss threatens 300 jobs and facility viability. This isn't hypothetical - aerospace manufacturing operates with aggressive delivery schedules and penalty clauses. Players must balance worker safety (absolute) with business survival (affects 850 families). Force difficult ethical trade-offs.
2-12. Complete Sections
Key Configuration: Product launch deadline, industrial control system safety, production continuity, IT/OT convergence challenges
NPCs:
- Operations Manager: Managing launch with USB malware spreading through production systems
- IT/OT Security Lead: Investigating USB affecting industrial control and production networks
- Production Supervisor: Reporting equipment programming USB affecting quality systems
- Quality Director: Assessing product quality impact and launch readiness
Response Options: Production line isolation (+3), ICS quarantine (+3), USB workflow redesign (+2)
Round-by-Round: Discovery → ICS compromise confirmed → Critical decision on launch vs containment
Type Effectiveness: USB Worm weak to workflow isolation (+3), threatens industrial control systems (safety-critical)
Key Challenge: USB affecting industrial control systems, production launch cannot delay, product quality and worker safety at risk
Cross-References:
Streamlined planning doc emphasizing manufacturing USB workflow vulnerabilities and industrial control system security during product launch operations.