SC-014: OT Ransomware Attack — Municipal Water Treatment Plant¶
Scenario Header
Type: OT/ICS | Difficulty: ★★★★★ | Duration: 3–4 hours | Participants: 6–10
Threat Actor: SYNTHETIC-INDUSTRIAL — ransomware group targeting municipal critical infrastructure (composite of publicly documented Industroyer2, Pipedream, TRITON research)
Primary ATT&CK Techniques: T1566.002 · T1558.003 · T0886 · T0840 · T1486 · T0829 · T0855 · T0836 · T0831 · T0880
Facilitator Note
This scenario requires IT security, OT/SCADA operations, and executive participants. Pre-assign a "Plant Superintendent" and "Public Health Liaison" if running with a purely IT audience. The defining learning outcome is the intersection of cybersecurity response with public health and safety obligations. All data is synthetic. All organizations, IPs, and indicators are fictional.
Threat Actor Profile¶
SYNTHETIC-INDUSTRIAL targets municipal water, wastewater, and small energy utilities. Unlike opportunistic ransomware groups, they conduct OT reconnaissance using public data (state environmental permits, SCADA vendor job postings) to identify targets where ransomware creates maximum public safety pressure. Their playbook: lock out HMI operators, manipulate historian data, and attempt PLC setpoint modification to escalate urgency. Demands: $1.5M–$4M in Monero. Dwell time: 7–12 days. They understand Purdue Model architecture and carry custom Modbus TCP reconnaissance scripts.
Scenario Narrative¶
Phase 1 — Initial Access: Spear Phishing & Credential Harvesting (~30 min)¶
A senior engineer at Municipal Water Treatment — SYNTHETIC-CITY (serving 250,000 residents) receives a phishing email impersonating the VPN vendor, linking to a cloned Fortinet login page at hxxps://vpn-update-syntheticcity[.]com. The engineer enters credentials, which are harvested. The attacker authenticates to the legitimate VPN using a real-time phishing proxy to relay SMS MFA. Entra ID logs show impossible travel: the engineer's plant session (Synthetic City) and the attacker's session (IP 198.51.100.47, Bucharest) within 8 minutes.
Evidence Artifacts:
| Artifact | Detail |
|---|---|
| Email Gateway | From security-notifications@fortinet-update[.]net — SPF: FAIL — URL to hxxps://vpn-update-syntheticcity[.]com/login |
| Entra ID | j.martinez@syntheticcity-water.gov — Sign-in #1: 08:12 UTC, plant IP — Sign-in #2: 08:20 UTC, 198.51.100.47 (Bucharest) — Risk: High (impossible travel) |
| VPN Gateway | Session: j.martinez, Source 198.51.100.47, Assigned 10.20.5.201 — MFA: SMS verified (relayed) |
| DNS Passive | vpn-update-syntheticcity[.]com registered 72h prior — Let's Encrypt cert issued same day |
Phase 1 — Discussion Inject
Technical: The attacker bypassed SMS MFA via real-time phishing proxy. Compare SMS OTP, TOTP, and FIDO2/WebAuthn for phishing resistance. What Entra ID conditional access policy would have blocked the attacker?
Decision: Impossible travel alerts fire ~15/week with 90% false positives from multi-site workers. Do you tune down, accept the noise, or implement a different approach?
Expected Analyst Actions:
- [ ] Correlate both sign-in IPs against known employee locations
- [ ] Check for concurrent VPN sessions from j.martinez
- [ ] Investigate phishing domain age, registrar, certificate issuer
- [ ] Query email gateway for all recipients of the phishing campaign
- [ ] Check Entra ID for other accounts authenticating from 198.51.100.47
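The decision inject above asks how to handle impossible-travel noise from multi-site staff. The script below is an added example (not part of the original scenario and not Entra ID code) showing the tuning choice in explicit logic: each user's consecutive sign-ins from different IPs are scored by the speed the user would have needed, and pairs where both IPs belong to the utility's own sites are labelled benign before any speed check. The site list, the sign-ins and the GeoIP table are constructed for the example; a real deployment would query a GeoIP database.

```python
"""Impossible-travel triage with a known-site allowlist.

Added example; not part of the original scenario and not Entra ID code.
Sign-ins, site egress IPs and the GeoIP table are constructed.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed GeoIP stand-in: ip -> (lat, lon, label)
GEO = {
    "203.0.113.10": (41.50, -87.90, "Synthetic City plant"),
    "203.0.113.11": (41.60, -88.10, "Synthetic City north reservoir"),
    "198.51.100.47": (44.43, 26.10, "Bucharest"),
}
KNOWN_SITES = {"203.0.113.10", "203.0.113.11"}  # the utility's own egress IPs
MAX_KMH = 900.0  # roughly airliner speed; anything faster is not travel

# Constructed sign-ins: (user, timestamp, source ip). j.martinez mirrors the
# Phase 1 artifact; the other two users show the two tuning cases.
SAMPLE_SIGNINS = [
    ("j.martinez", "2026-03-21T08:12:00", "203.0.113.10"),
    ("j.martinez", "2026-03-21T08:20:00", "198.51.100.47"),
    ("a.chen", "2026-03-21T07:00:00", "203.0.113.10"),
    ("a.chen", "2026-03-21T07:30:00", "203.0.113.11"),
    ("c.ross", "2026-03-20T06:00:00", "203.0.113.10"),
    ("c.ross", "2026-03-20T18:00:00", "198.51.100.47"),
]

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (a[0], a[1], b[0], b[1]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def triage_signins(signins):
    """Compare each user's consecutive sign-ins that come from different IPs.

    Verdicts:
      benign-multisite   both IPs are the utility's own sites (staff moving
                         between plant and reservoir, the main FP source)
      impossible-travel  required speed exceeds MAX_KMH
      ok                 geographically plausible; review if the IP is new,
                         but not an automatic page-out
    Returns (user, ip_from, ip_to, verdict, required_kmh) tuples.
    """
    by_user = {}
    for user, ts, ip in signins:
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), ip))
    findings = []
    for user, rows in by_user.items():
        rows.sort()
        for (t1, ip1), (t2, ip2) in zip(rows, rows[1:]):
            if ip1 == ip2:
                continue
            hours = max((t2 - t1).total_seconds(), 1.0) / 3600.0  # floor at 1 s
            kmh = haversine_km(GEO[ip1][:2], GEO[ip2][:2]) / hours
            if ip1 in KNOWN_SITES and ip2 in KNOWN_SITES:
                verdict = "benign-multisite"
            elif kmh > MAX_KMH:
                verdict = "impossible-travel"
            else:
                verdict = "ok"
            findings.append((user, ip1, ip2, verdict, round(kmh)))
    return findings

if __name__ == "__main__":
    for finding in triage_signins(SAMPLE_SIGNINS):
        print(finding)
```

The allowlist is what removes the multi-site false positives without lowering the risk level globally; the attacker's Bucharest sign-in still scores as impossible because only one of its two IPs is a known site.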
Phase 2 — IT Network Compromise: Lateral Movement & Staging (~40 min)¶
Via VPN, the attacker runs SharpHound for AD enumeration and Kerberoasts svc_scada_backup (SPN: MSSQLSvc/SCADA-HIST-01.syntheticcity.local:1433). Password WaterPlant2023! cracked in 4 minutes. This service account has local admin on 6 systems including the SCADA historian and IT/OT jump server — a 3-year-old "temporary" configuration. The attacker deploys Cobalt Strike on file server FS-01 (10.20.2.10). Defender AV detects the beacon but lets it run because of a path exclusion on C:\ProgramData\Microsoft\Crypto\.
Evidence Artifacts:
| Artifact | Detail |
|---|---|
| DC-01 Event Log | EventID 4769: TGS for svc_scada_backup — Encryption: RC4-HMAC (0x17) — Kerberoasting indicator |
| EDR (FS-01) | SharpHound.exe (renamed diag_tool.exe) — 12,847 LDAP objects enumerated in 90s |
| Defender AV | HackTool:Win64/CobaltStrike.MZ!dha — Action: Allowed (exclusion on C:\ProgramData\Microsoft\Crypto\) |
| Network Flow | FS-01 (10.20.2.10) → 203.0.113.88:443 — Cobalt Strike C2 — 60s interval, 10% jitter |
Phase 2 — Discussion Inject
Technical: Write a detection rule (Sigma or KQL) for TGS requests using RC4-HMAC (0x17). What false positive rate do you expect in an environment enforcing AES-256?
Decision: Defender flagged Cobalt Strike but a path exclusion allowed it. Who has authority to create AV exclusions? What governance prevents stale exclusions from becoming attacker cover?
Expected Analyst Actions:
- [ ] Flag EventID 4769 with RC4-HMAC as Kerberoasting
- [ ] Scope all systems where svc_scada_backup has admin access
- [ ] Audit and remediate AV exclusion list
- [ ] Block 203.0.113.88 at the perimeter
- [ ] Reset svc_scada_backup and j.martinez credentials
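The Phase 2 technical inject asks for a Sigma/KQL rule on RC4 TGS requests. The following is an added example (not part of the original scenario and not a vendor rule) that expresses the same detection in Python so the filtering choices are visible: RC4 etype only, successful requests only, computer accounts and krbtgt excluded, and an alert only when one source pulls RC4 tickets for several user-account SPNs. The events are constructed to match the DC-01 artifact; the attacker's source IP is assumed to be the VPN-assigned 10.20.5.201.

```python
"""Kerberoasting triage over Windows Security EventID 4769 records.

Added example; not part of the original scenario and not a vendor rule.
Events are constructed; field names follow the 4769 event XML
(TargetUserName, ServiceName, TicketEncryptionType, IpAddress, Status).
"""
from collections import defaultdict

RC4_HMAC = 0x17  # etype 23. AES128-CTS = 0x11, AES256-CTS = 0x12.

SAMPLE_4769 = [  # constructed; attacker on the VPN-assigned 10.20.5.201
    {"EventID": 4769, "TargetUserName": "j.martinez@SYNTHETICCITY.LOCAL", "ServiceName": "svc_scada_backup",
     "TicketEncryptionType": 0x17, "IpAddress": "::ffff:10.20.5.201", "Status": 0x0},
    {"EventID": 4769, "TargetUserName": "j.martinez@SYNTHETICCITY.LOCAL", "ServiceName": "svc_sql_reporting",
     "TicketEncryptionType": 0x17, "IpAddress": "::ffff:10.20.5.201", "Status": 0x0},
    {"EventID": 4769, "TargetUserName": "j.martinez@SYNTHETICCITY.LOCAL", "ServiceName": "FS-01$",
     "TicketEncryptionType": 0x12, "IpAddress": "::ffff:10.20.5.201", "Status": 0x0},
    {"EventID": 4769, "TargetUserName": "plc-eng@SYNTHETICCITY.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": 0x17, "IpAddress": "::ffff:10.20.5.14", "Status": 0x0},
    {"EventID": 4769, "TargetUserName": "legacy-app@SYNTHETICCITY.LOCAL", "ServiceName": "svc_legacy_print",
     "TicketEncryptionType": 0x17, "IpAddress": "::ffff:10.20.4.77", "Status": 0x0},
]

def is_roastable_request(ev) -> bool:
    """A successful RC4 TGS request for a user-account SPN.

    Computer accounts ('$' suffix) and krbtgt are excluded: their RC4
    tickets are legacy-client noise and not what an attacker cracks offline.
    """
    svc = ev["ServiceName"]
    return (ev["EventID"] == 4769
            and ev["TicketEncryptionType"] == RC4_HMAC
            and ev["Status"] == 0
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")

def kerberoast_candidates(events, min_spns=2):
    """Group roastable requests by (requesting account, source IP).

    Returns {(account, ip): sorted SPN account names} for keys that pulled
    RC4 tickets for at least min_spns distinct service accounts. One RC4
    ticket can be a single legacy client; one host requesting several in a
    short window is the Rubeus/Impacket pattern. Callers pass events already
    restricted to a time window (for example 10 minutes).
    """
    seen = defaultdict(set)
    for ev in events:
        if is_roastable_request(ev):
            key = (ev["TargetUserName"], ev["IpAddress"].replace("::ffff:", ""))
            seen[key].add(ev["ServiceName"])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_spns}

if __name__ == "__main__":
    for (who, ip), spns in kerberoast_candidates(SAMPLE_4769).items():
        print(f"KERBEROAST? {who} from {ip}: RC4 TGS for {', '.join(spns)}")
```

On the false-positive question in the inject: in a domain where service accounts have AES set in msDS-SupportedEncryptionTypes, a client that negotiates AES never produces an RC4 TGS for those SPNs, so the remaining RC4 requests come from accounts deliberately left on RC4 or from clients that request RC4 explicitly, which is the toolkit behaviour; the min_spns threshold above is what separates the two.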
Phase 3 — IT/OT Pivot: Crossing the DMZ (~45 min)¶
The attacker uses svc_scada_backup to RDP through the jump server (JUMP-01, 10.20.3.50) into the OT network. A critical misconfiguration: firewall rule EMERGENCY_MAINT_2024 permits any traffic from JUMP-01 to 172.16.100.0/24 — added 18 months ago during emergency maintenance and never reverted. Claroty detects anomalous RDP from JUMP-01 to SCADA-HIST-01 (172.16.100.10) at 02:47 UTC, outside the maintenance window.
Evidence Artifacts:
| Artifact | Detail |
|---|---|
| FW-OT-01 | PERMIT: 10.20.3.50 → 172.16.100.0/24 — Rule EMERGENCY_MAINT_2024 — Any protocol/port — Last modified 2024-09-15 |
| JUMP-01 Event Log | EventID 4624 Type 10: svc_scada_backup from FS-01 — 02:47 UTC (outside 06:00–18:00 window) |
| Claroty | HIGH: Anomalous RDP — JUMP-01 → SCADA-HIST-01 — Outside baseline — Account not in OT access list |
| Dragos | MEDIUM: JUMP-01 initiated ICMP sweep + TCP 3389/502/102 scan of 172.16.100.0/24 |
Phase 3 — Discussion Inject
Technical: What technical control (not just policy) automatically expires temporary firewall rules? How would you implement it on Palo Alto or Fortinet?
Decision: Claroty alerts at 02:47 UTC. Your 2-person OT security team has no overnight on-call. The IT SOC sees the alert but has no OT authority. Who disconnects JUMP-01? What is the escalation path?
Expected Analyst Actions:
- [ ] Escalate to OT operations manager — confirmed IT-to-OT breach
- [ ] Verify and remediate overly permissive firewall rule
- [ ] Disable svc_scada_backup in AD immediately
- [ ] Isolate JUMP-01 from the OT network at the firewall
- [ ] Notify CISA ICS-CERT — attacker in water treatment OT environment
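The Phase 3 technical inject asks for a control, not a policy, that retires temporary rules. PAN-OS and FortiOS can both attach a schedule object to a rule so it stops matching after a date, but a rule that was never given one (as EMERGENCY_MAINT_2024 here) is only caught by auditing the exported rule table. The script below is an added example (not part of the original scenario and not vendor code) of that daily audit: it flags temporary rules with no expiry tag, expired rules still enabled, and any-service permits into the OT range. The export format (semicolon-separated, optional `expires=YYYY-MM-DD` tag in the description) and the rules themselves are assumptions constructed around FW-OT-01.

```python
"""Daily hygiene audit of IT/OT boundary firewall rules.

Added example; not part of the original scenario and not vendor code.
The export format and the rules are constructed for the example.
"""
import ipaddress
import re
from datetime import date

RULES_EXPORT = """\
name;src;dst;service;action;enabled;description
EMERGENCY_MAINT_2024;10.20.3.50;172.16.100.0/24;any;permit;true;emergency maintenance
JUMP_TO_HIST_RDP;10.20.3.50;172.16.100.10;tcp/3389;permit;true;expires=2026-04-30 CR-1182
TEMP_VENDOR_SSH;10.20.3.50;172.16.100.30;tcp/22;permit;true;expires=2025-11-01 vendor support
HMI_POLL_MODBUS;172.16.100.20;172.16.100.30;tcp/502;permit;true;baseline
DENY_IT_TO_OT;10.20.0.0/16;172.16.100.0/24;any;deny;true;default deny
"""
TEMP_NAME = re.compile(r"EMERGENCY|TEMP|MAINT", re.I)   # naming convention assumed
EXPIRES = re.compile(r"expires=(\d{4}-\d{2}-\d{2})")     # expiry tag convention assumed
OT_NET = ipaddress.ip_network("172.16.100.0/24")

def parse_rules(text):
    """Turn the export into a list of dicts keyed by the header row."""
    lines = text.strip().splitlines()
    header = lines[0].split(";")
    return [dict(zip(header, line.split(";"))) for line in lines[1:]]

def into_ot(dst):
    """True if the destination (single host or CIDR) lies inside the OT network."""
    return ipaddress.ip_network(dst, strict=False).subnet_of(OT_NET)

def audit(rules, today):
    """Return (rule_name, finding) pairs for enabled permit rules that need action."""
    findings = []
    for r in rules:
        if r["enabled"] != "true" or r["action"] != "permit":
            continue
        m = EXPIRES.search(r["description"])
        if m and date.fromisoformat(m.group(1)) < today:
            findings.append((r["name"], "expired but still enabled"))
        elif TEMP_NAME.search(r["name"]) and not m:
            findings.append((r["name"], "temporary rule with no expiry tag"))
        if into_ot(r["dst"]) and r["service"] == "any":
            findings.append((r["name"], "any-service permit into OT"))
    return findings

def audit_as_of(today_iso):
    """Run the audit on the embedded export as of an ISO date (for scheduling/tests)."""
    return audit(parse_rules(RULES_EXPORT), date.fromisoformat(today_iso))

if __name__ == "__main__":
    for name, finding in audit_as_of(date.today().isoformat()):
        print(f"{name}: {finding}")
```

Run from a scheduler against the nightly export; any finding is a ticket for the rule owner, and a rule that stays in the report for more than a few days is a change-management failure, which is the IEC 62443 point the Key Discussion Questions raise.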
Phase 4 — OT Reconnaissance & HMI Ransomware (~45 min)¶
From SCADA-HIST-01, the attacker maps the OT environment: 3 HMI workstations (Wonderware InTouch, 172.16.100.20–22), 2 Allen-Bradley ControlLogix PLCs (172.16.100.30–31) for chemical dosing/filtration, 1 Siemens S7-1200 PLC (172.16.100.32) for pumps, and 1 Triconex SIS (172.16.100.40, accessible via misconfigured VLAN trunk).
On Day 9, ransomware waterlock.exe encrypts all HMIs and the historian simultaneously. Operators lose all visibility — chlorine, turbidity, flow, tank levels. PLCs continue on last setpoints, but operators are flying blind.
Evidence Artifacts:
| Artifact | Detail |
|---|---|
| Claroty | CRITICAL: Modbus function code scan — SCADA-HIST-01 → PLCs — FC 1, 3, 43/14 (Read Device Identification) |
| Dragos | CRITICAL: HMI-01/02/03 stopped heartbeat responses — Day 9, 03:15 UTC |
| PI Historian | Connection lost 03:14:47 — 847 tags flatlined |
| HMI-01 | Ransom: "WATERLOCK — Pay 85 BTC ($3.2M) in 96h. Contact: waterlock_decrypt@proton.me" |
| HMI-01 Files | 12,847 files → .waterlock — Wonderware *.aaInTagCfg, *.aaRtDb, *.InTouch encrypted |
Phase 4 — Discussion Inject
Technical: How do you distinguish legitimate SCADA polling (FC 1, 3) from attacker recon in Claroty/Dragos? What is the detection signal — source IP, frequency, FC combination?
Decision (Safety-Critical): Operators have no HMI visibility. PLCs run on last setpoints. Switch to manual operations, let PLCs run unsupervised, or hybrid? Can operators safely run manual for 24+ hours?
Expected Analyst Actions:
- [ ] MANDATORY: Switch to manual operations with portable field instruments
- [ ] Physically isolate OT from IT network at switch/firewall level
- [ ] Do NOT restore HMIs from OT network — assume all OT Windows systems compromised
- [ ] Forensic image one HMI workstation using a clean isolated laptop
- [ ] Activate mutual aid with neighboring water utilities
Phase 5 — Safety System Impact: Chemical Dosing Manipulation (~40 min)¶
A time-delayed script on SCADA-HIST-01 fires 4 hours post-lockout. Modbus TCP writes (FC 6, FC 16) change the chlorine setpoint on PLC-01 from 2.0 mg/L to 8.0 mg/L — four times normal and double the EPA Maximum Residual Disinfectant Level of 4.0 mg/L. The Safety Instrumented System (Triconex) reads the residual chlorine analyzer over hardwired analog signals independent of the SCADA network, with its high-high trip set below the 4.0 mg/L MRDL. It trips at 07:22 UTC with the process value at 3.8 mg/L and rising, and closes the chlorine injection valve. The residual peaked just under the MRDL — a near-miss, not an exceedance.
Evidence Artifacts:
| Artifact | Detail |
|---|---|
| Claroty | CRITICAL: Unauthorized Modbus write — SCADA-HIST-01 → PLC-01 — FC 16 — Register 40001 (Chlorine Setpoint): 2.0 → 8.0 |
| SIS (Triconex) | SAFETY TRIP: High-High chlorine — PV: 3.8 mg/L (rising) — Valve CV-101 CLOSED — Hardwired analog signal |
| PLC-01 Log | Register 40001 write at 07:17 UTC — Source: 172.16.100.10 — No operator auth required |
| Field Instrument | Hach CL17 portable: 3.7 mg/L at 07:25 UTC — declining post-valve closure |
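The Phase 4 inject asks what separates legitimate polling from reconnaissance, and the Phase 5 artifacts show the write that the SIS had to catch. The script below is an added example (not part of the original scenario and not Claroty or Dragos code) that parses raw Modbus/TCP frames (MBAP header plus PDU) and applies both signals: FC 43 / MEI type 14 (Read Device Identification) from one source against several PLCs, and FC 6/16 writes to the chlorine setpoint register from any host that is not an authorised HMI. The host role table, the frames, and the assumption that the setpoint is stored as an integer scaled by 100 (2.0 mg/L as 200) are constructed for the example.

```python
"""Modbus/TCP recon and write triage over raw frames.

Added example; not part of the original scenario and not Claroty/Dragos
code. Frames, host roles and the setpoint scaling are constructed.
"""
import struct
from collections import defaultdict

AUTHORISED_WRITERS = {"172.16.100.20", "172.16.100.21", "172.16.100.22"}  # the three HMIs
SETPOINT_ADDR = 0    # holding register 40001 in 4xxxx notation == protocol address 0
SCALE = 100.0        # assumed fixed-point scaling of the setpoint

def parse_modbus_tcp(data: bytes) -> dict:
    """Decode an MBAP header and the PDU fields the detections need."""
    if len(data) < 8:
        raise ValueError("short frame")
    tid, proto, length, unit = struct.unpack(">HHHB", data[:7])
    if proto != 0 or length != len(data) - 6:  # length counts unit id + PDU
        raise ValueError("bad MBAP protocol id or length")
    fc, body = data[7], data[8:]
    pdu = {"tid": tid, "unit": unit, "fc": fc}
    if fc == 6:                    # Write Single Register: addr, value
        addr, val = struct.unpack(">HH", body[:4])
        pdu["addr"], pdu["values"] = addr, [val]
    elif fc == 16:                 # Write Multiple Registers: addr, qty, bytecount, values
        addr, qty, bc = struct.unpack(">HHB", body[:5])
        pdu["addr"] = addr
        pdu["values"] = list(struct.unpack(f">{qty}H", body[5:5 + bc]))
    elif fc == 43:                 # Encapsulated Interface Transport: MEI type follows
        pdu["mei"] = body[0]
    elif fc in (1, 3):             # Read Coils / Read Holding Registers: addr, qty
        pdu["addr"], pdu["qty"] = struct.unpack(">HH", body[:4])
    return pdu

def build(tid: int, unit: int, pdu: bytes) -> bytes:
    """Prepend an MBAP header to a PDU (used to construct the sample frames)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def triage(frames, scan_threshold=3):
    """Return alert strings for (src_ip, dst_ip, raw_frame) tuples in capture order."""
    alerts = []
    devid_targets = defaultdict(set)
    for src, dst, raw in frames:
        p = parse_modbus_tcp(raw)
        if p["fc"] in (6, 16) and src not in AUTHORISED_WRITERS:
            if p["addr"] <= SETPOINT_ADDR < p["addr"] + len(p["values"]):
                value = p["values"][SETPOINT_ADDR - p["addr"]] / SCALE
                alerts.append(f"UNAUTHORIZED WRITE {src}->{dst} FC{p['fc']} reg 40001 = {value:.1f}")
            else:
                alerts.append(f"UNAUTHORIZED WRITE {src}->{dst} FC{p['fc']} addr {p['addr']}")
        elif p["fc"] == 43 and p.get("mei") == 0x0E:
            devid_targets[src].add(dst)
            if len(devid_targets[src]) == scan_threshold:
                alerts.append(f"DEVICE ID SWEEP from {src} ({scan_threshold} PLCs)")
        elif p["fc"] in (1, 3) and src not in AUTHORISED_WRITERS:
            # FC 1/3 from an HMI is normal polling; the same reads from the
            # historian or jump host are the recon signal, not the FC itself.
            alerts.append(f"READ FROM NON-HMI {src}->{dst} FC{p['fc']} addr {p['addr']}")
    return alerts

HMI, HIST = "172.16.100.20", "172.16.100.10"
PLC1, PLC2, PLC3 = "172.16.100.30", "172.16.100.31", "172.16.100.32"
DEVID = bytes([43, 0x0E, 0x01, 0x00])  # Read Device ID, basic category, object 0
SAMPLE_FRAMES = [                      # constructed capture
    (HMI,  PLC1, build(1, 1, bytes([3]) + struct.pack(">HH", 0, 10))),            # HMI poll
    (HIST, PLC1, build(2, 1, DEVID)),
    (HIST, PLC2, build(3, 1, DEVID)),
    (HIST, PLC3, build(4, 1, DEVID)),                                               # 3rd PLC: sweep
    (HIST, PLC1, build(5, 1, bytes([16]) + struct.pack(">HHBH", 0, 1, 2, 800))),   # 8.00 mg/L
    (HMI,  PLC1, build(6, 1, bytes([6]) + struct.pack(">HH", 0, 200))),           # operator: 2.00
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_FRAMES):
        print(alert)
```

The detection signal is the source role plus the function code, not the function code alone: the HMI's FC 3 poll and FC 6 write produce nothing, while the historian's identical reads and writes do. Mitigation (5) in the advisory, blocking writes from the historian at the PLC or firewall, is the preventive form of the same rule.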
Phase 5 — Discussion Inject
Technical: The SIS used hardwired analog signals independent of the SCADA network. Per IEC 62443/61511, describe the architecture ensuring SIS independence. What is the difference between a shared VLAN trunk and a physical air gap for SIS?
Decision (Public Health): Chlorine reached 3.8 mg/L — above normal but below EPA acute threshold. Distribution system may have elevated chlorine for 30–60 minutes. Do you issue public notification? Who decides — IT security, plant superintendent, or city manager?
Expected Analyst Actions:
- [ ] MANDATORY: Physically verify SIS integrity — do NOT rely on network tools
- [ ] Collect distribution system water samples for lab analysis
- [ ] Document near-miss and prepare EPA notification
- [ ] Physically disconnect VLAN trunk to SIS — enforce air gap
- [ ] Contact Schneider Electric for Triconex forensic support
Phase 6 — Recovery & Reporting (~45 min)¶
ICS-CERT Advisory Format¶
ICS-CERT Advisory ICSA-2026-080-01 (Synthetic)
Title: SYNTHETIC-INDUSTRIAL Ransomware Targeting Municipal Water Treatment
CVSS v3.1: 9.8 (CRITICAL)
Mitigations: (1) FIDO2 MFA for remote access; (2) Purdue Model segmentation with host/port-specific jump server rules; (3) OT IDS with Modbus write alerting; (4) Air-gap SIS; (5) Disable Modbus writes from historian/HMI to PLCs where feasible; (6) 3-2-1-1-0 backups with air-gapped OT copies.
CISA Reporting (CIRCIA)¶
| Requirement | Deadline | Status |
|---|---|---|
| CISA CIRCIA Report | 72 hours after the utility reasonably believes a covered incident occurred | Due: Day 12 |
| Ransom Payment Report | 24 hours from payment | N/A (not paying) |
| EPA Notification | Immediately (public health impact) | Filed: Day 9 |
| State Drinking Water Program | Per state regulation | Filed: Day 9 |
| FBI IC3 | As soon as practicable | Filed: Day 9 |
| WaterISAC Advisory | Voluntary (recommended) | Filed: Day 9 |
Recovery Playbook (OT-Specific)¶
- Manual plant control with portable field instruments
- Physical IT/OT network disconnect
- SIS physical inspection and verification
- Distribution system water sampling (6 locations)
- Evidence preservation: forensic images of HMI and historian
- PLC logic verification against offline backups (paper/USB from safe)
- PLC firmware checksum validation against vendor baselines
- Clean HMI rebuild from vendor media (not network backups)
- Historian restore from offline tape (2-week-old verified backup)
- Full credential rotation: AD, VPN, OT accounts, PLC passwords
- Purdue Model re-segmentation with IEC 62443 firewall rules
- FIDO2 MFA deployment for all remote access
- SIS physical air-gap (remove VLAN trunk, dedicated cabling)
- 3-2-1-1-0 backup strategy with weekly air-gapped OT backups
- EDR deployment on all OT Windows systems
Detection Signatures (Synthetic)¶
OT IDS Rules (Synthetic — Suricata modbus keyword syntax; Claroty/Dragos use their own policy engines)
# Writes (FC 6 and FC 16) to holding register 40001. Suricata addresses holding
# registers by protocol address, so 40001 in 4xxxx notation is address 0.
# Custom classtypes must exist in classification.config before these load.
alert modbus any any -> $OT_PLC_SUBNET any (
    msg:"Unauthorized Modbus Write to Chemical Dosing Register";
    modbus: access write holding, address 0;
    classtype:ics-write-unauthorized; sid:9014001; rev:1;
)
# FC 43 (Encapsulated Interface Transport; MEI type 14 is Read Device
# Identification) from one source against three or more hosts in 30 s.
alert modbus any any -> $OT_PLC_SUBNET any (
    msg:"Modbus Device ID Enumeration Scan";
    modbus: function 43;
    threshold:type both, track by_src, count 3, seconds 30;
    classtype:ics-recon; sid:9014002; rev:1;
)
# Suricata has no time-of-day keyword: this fires on every DMZ-to-OT RDP
# connection, and the maintenance-window check belongs in the SIEM.
alert tcp $IT_DMZ_SUBNET any -> $OT_SUBNET 3389 (
    msg:"RDP from IT DMZ into OT Network";
    flow:to_server,established;
    classtype:ics-unauthorized-access; sid:9014003; rev:1;
)
Evidence Artifacts:
| Artifact | Detail |
|---|---|
| CISA ICS-CERT | Tracking: ICS-2026-SYNTH-014 — On-site team dispatched within 24h |
| PLC Integrity | PLC-01/02/03 logic vs. offline backup: MATCH — Attacker modified setpoint register (data), not program (logic) |
| Insurance | Cyber policy: $5M limit, OT sublimit $3M — Manual ops cost: $180K/day |
Phase 6 — Discussion Inject
Technical: The attacker modified a PLC setpoint register but not the PLC logic. Compare setpoint manipulation vs. logic manipulation (TRITON/TRISIS). Which is harder to detect? To recover from?
Decision: City manager asks: "Pay $3.2M?" FBI says no. Offline backups enable 3–5 day recovery. Manual ops cost $180K/day. Present cost-benefit to city council in 5 minutes.
Expected Analyst Actions:
- [ ] File CIRCIA report within 72 hours
- [ ] File EPA notification immediately for chlorine deviation
- [ ] Share IOCs with WaterISAC
- [ ] Begin PLC integrity verification from offline backups
- [ ] Engage ICS-CERT on-site assessment team
- [ ] Document all costs for insurance claim
ATT&CK for ICS Mapping¶
| Phase | Technique | ATT&CK ID | Tactic |
|---|---|---|---|
| 1 | Spearphishing Link | T1566.002 | Initial Access |
| 2 | Kerberoasting | T1558.003 | Credential Access |
| 3 | Remote Services (IT/OT pivot) | T0886 | Lateral Movement (ICS) |
| 3 | Network Connection Enumeration | T0840 | Discovery (ICS) |
| 4 | Data Encrypted for Impact | T1486 | Impact |
| 4 | Loss of View | T0829 | Impact (ICS) |
| 5 | Unauthorized Command Message | T0855 | Execution (ICS) |
| 5 | Modify Parameter | T0836 | Impair Process Control (ICS) |
| 5 | Manipulation of Control | T0831 | Impact (ICS) |
| 5 | Loss of Safety | T0880 | Impact (ICS) |
Detection Opportunities¶
| Phase | Technique | ATT&CK | Detection Method | Difficulty |
|---|---|---|---|---|
| 1 | VPN credential phishing | T1566.002 | Email gateway: SPF fail + domain age < 7 days | Easy |
| 1 | MFA bypass (phishing proxy) | T1111 / T1078 | Entra ID: impossible travel + concurrent sessions | Medium |
| 2 | Kerberoasting | T1558.003 | EventID 4769 with RC4-HMAC (0x17) encryption | Medium |
| 2 | Cobalt Strike beacon | T1071.001 | EDR: periodic HTTPS with consistent interval/jitter | Medium |
| 3 | IT/OT pivot via jump server | T0886 | Firewall: service account RDP to OT outside maintenance window | Medium |
| 3 | OT network scan | T0840 | OT IDS: Modbus/S7comm port scan from non-PLC host | Easy (with OT IDS) |
| 4 | HMI ransomware | T1486 | Host telemetry on the HMI (EDR or Sysmon): mass file rename + VSS deletion; a network OT IDS cannot see this | Easy (with host visibility) |
| 5 | Chlorine setpoint manipulation | T0836 | OT IDS: Modbus write FC 6/16 from a source other than the authorised HMIs | Medium |
| 5 | SIS trip | T0880 | Hardwired alarm — independent of network detection | N/A (physical) |
Key Discussion Questions¶
- SMS MFA was bypassed by a phishing proxy. What is the cost-benefit of FIDO2 hardware keys for a municipal utility with a limited IT budget?
- Firewall rule EMERGENCY_MAINT_2024 persisted 18 months. What OT change management process — per IEC 62443 — prevents this?
- The SIS saved the plant. What if it was also compromised (as in the TRITON/TRISIS attack)?
- Can your operators run the plant manually for 72+ hours? When were manual procedures last tested?
- At what financial pressure point does ransom payment override FBI guidance, and who decides for a municipal government?
Debrief Guide¶
What Went Well¶
- SIS operated correctly on hardwired analog signals — independent of compromised SCADA
- Claroty/Dragos detected IT/OT pivot and Modbus writes, providing forensic evidence
- Offline PLC backups (paper in fireproof safe) enabled integrity verification
- Operators had training to initiate manual operations
Key Learning Points¶
- Phishing-resistant MFA is non-negotiable — SMS/TOTP bypassed by real-time proxy; FIDO2 is the minimum
- Temporary firewall rules become permanent — implement automatic expiration, not just policy
- Service accounts are Kerberoasting targets — use gMSA with automatic password rotation
- SIS independence is the last line of defense — the shared VLAN trunk was near-fatal; IEC 61511 requires the SIS to be independent of the basic process control system, which here means dedicated cabling and a physical air-gap rather than a shared trunk
- OT backups differ from IT — PLC logic: offline paper/USB; historian: air-gapped; HMI: rebuild from vendor media
Recommended Follow-Up¶
- [ ] Deploy FIDO2 keys for all remote access — eliminate SMS MFA
- [ ] Implement automatic firewall rule expiration for temporary OT access
- [ ] Migrate to gMSA for service accounts — eliminate static passwords
- [ ] Air-gap SIS physically — remove VLAN trunk
- [ ] Deploy EDR on all OT Windows systems
- [ ] 3-2-1-1-0 backup strategy with weekly air-gapped OT backups
- [ ] Quarterly manual operations drills — verify 72h manual capability
- [ ] Join WaterISAC for sector information sharing
- [ ] Annual ICS security assessment per IEC 62443