22 ready-to-run cybersecurity exercises — ICS/OT threat scenarios, board-level discussion guides, sector-specific injects, and facilitation toolkits. Powered by CISA CTEP frameworks and OT/ICS threat intelligence.
A nation-state affiliated threat actor conducts a spear-phishing campaign targeting IT/OT convergence personnel. Lateral movement into OT networks results in adversary access to SCADA HMI. Physical process manipulation is attempted on critical production systems.
VOLTZITE reconnaissance activity is detected targeting the electricity subsector. Intrusion into energy management systems via a compromised third-party vendor escalates to potential disruption of grid stability controls and substation automation systems.
A cyber intrusion at a chemical manufacturing facility exploits the IT/OT convergence boundary. Adversary access to distributed control systems (DCS) creates risk of unintended chemical process manipulation, safety system bypass, and hazardous material release.
Threat actors exploit remote access vulnerabilities in hydroelectric facility SCADA to gain control over water flow management systems. Unauthorized manipulation of sluice gate controls and turbine management presents catastrophic downstream consequences.
A threat actor gains remote access to a water treatment facility's operational technology network. Chemical dosing systems are targeted — unauthorized modification of chlorine levels poses immediate public health risk and activates multi-agency emergency response protocols.
A coordinated cyber attack targeting a major port's cargo management and operational technology systems disrupts crane automation, vessel tracking (AIS), and gate systems. IT/OT convergence in port infrastructure creates simultaneous physical and cyber impacts.
A sophisticated attack on a critical manufacturing facility's Industry 4.0 infrastructure compromises production SCADA, robotics controllers, and quality management systems. The adversary pivots from an OEM vendor VPN connection to achieve persistent OT access.
A RansomHub affiliate deploys ransomware that begins on corporate IT but propagates across the IT/OT boundary. Production systems halt. Operators face a decision: continue manual operations with safety risk or shut down entirely while attackers demand a multi-million dollar ransom.
A trusted OT automation vendor is compromised. Malicious code embedded in a legitimate software update is pushed to 47 client sites simultaneously. The backdoor provides persistent access to OT networks across multiple critical infrastructure sectors before detection.
A disgruntled operations engineer with privileged access to OT systems is recruited by a foreign intelligence service. Over 90 days, the insider exfiltrates network topology, SCADA configurations, and SIS documentation — providing a roadmap for a future destructive attack.
A 96-hour sustained DDoS campaign targets internet-facing OT management interfaces, historian servers, and remote monitoring portals. Combined with selective BGP route hijacking, adversaries sever remote monitoring visibility across distributed critical infrastructure assets.
A malicious package masquerading as a legitimate Python library used in industrial automation toolchains is downloaded 14,000 times before detection. The package installs a reverse shell enabling persistent access to engineering workstations connected to OT environments.
A Tier-2 defense contractor is breached via spear-phishing. The adversary exfiltrates OT schematics, network diagrams, and ITAR-controlled technical data over 6 months. The breach is only discovered when an ISAC threat intelligence alert matches behavioural patterns.
Ransomware targeting hospital enterprise systems propagates to building management, HVAC, and connected medical devices. ICU patient monitoring systems go offline. Clinical operations revert to manual procedures during peak hours as attackers threaten to release patient data.
A coordinated attack targets a major financial institution's transaction processing systems and ATM network. Simultaneous DDoS on banking portals and a SWIFT messaging compromise creates customer-facing disruption while adversaries attempt fraudulent international transfers.
A nation-state actor targets a major food processing corporation's smart agriculture and production automation systems. Manipulation of chemical additive dosing systems and cold chain management creates a public health incident affecting millions of distributed food products.
A coordinated attack on rural broadband infrastructure providers severs connectivity to 340,000 subscribers, disabling SCADA monitoring for remote OT assets across energy, water, and agricultural sectors that depend on cellular and fiber backhaul for operational visibility.
Threat actors compromise building management systems (BMS) across a high-occupancy commercial complex — HVAC, elevators, physical access control, and fire suppression are manipulated. The attack targets a critical infrastructure tenant operating OT systems within the facility.
GRAPHITE targets a Floating Production Storage and Offloading (FPSO) vessel's SCADA systems via a compromised automation vendor. Process historian manipulation masks anomalous production behaviour while adversaries pre-position on Safety Instrumented Systems for potential destructive action.
The CEO receives a call at 2AM: production has halted at two facilities. IT confirms ransomware. OT team cannot confirm containment. The board wants answers in 4 hours. This exercise tests executive decision-making, crisis communication, media strategy, and regulatory notification timelines.
A coordinated cyberattack targets a mid-size city's water, traffic management, and emergency services OT infrastructure simultaneously. The attack coincides with a severe weather event, compounding response complexity and testing inter-agency coordination under dual-crisis conditions.
A zero-day in a widely deployed enterprise SIEM platform grants adversaries persistent access to the corporate network. Over 72 hours the threat actor pivots toward OT boundary devices. IT and OT teams struggle to coordinate response across separate reporting chains and security tools.