Practical activities

1. Case Study Review of relevant OT cyber incidents.
Objective: The objective of this activity is to engage participants in the analysis of real Operational Technology (OT) cybersecurity incidents, encouraging them to connect theory with practice and to reflect on the real consequences of vulnerabilities in industrial environments.
Description: Participants will review one or more documented OT cyber incidents (e.g., the Ukraine Power Grid Attack (2015)) and work through four guiding questions:
- What happened? — identifying the nature and sequence of the attack.
- What were the vulnerabilities? — examining technical weaknesses, human errors, or procedural gaps that enabled the incident.
- How was it resolved? — understanding the containment, recovery, and communication measures implemented.
- What lessons were learned? — reflecting on how similar risks could be prevented in the future through segmentation, monitoring, and secure protocol management.
This exercise helps participants strengthen their critical thinking and incident analysis skills, while reinforcing core learning outcomes of the module — namely, understanding how poor segmentation or insecure protocols can escalate into major operational disruptions.
By the end of the activity, learners will be able to identify vulnerabilities, assess response effectiveness, and propose mitigation measures aligned with best practices for OT cybersecurity.
2. Scenario-Based Simulation: Segmentation, Protocol Security, and Incident Coordination
Objective: The objective of this activity is to immerse participants in realistic OT cybersecurity scenarios that challenge them to apply the concepts covered in the module: segmentation, protocol protection, and IT/OT coordination.
Through hands-on problem solving, learners develop the ability to analyze misconfigurations, identify vulnerabilities, propose mitigation measures, and manage cross-domain responses during an evolving cyber incident.
Description: Analyze three practical scenarios, each illustrating a different type of cybersecurity weakness commonly found in industrial environments. The scenarios require technical evaluation, architectural reasoning, and collaborative interpretation of events.
By completing this scenario-based simulation, participants will:
- Strengthen their ability to diagnose segmentation gaps and security misconfigurations.
- Apply defense-in-depth concepts to real-world OT architectures.
- Improve their understanding of protocol vulnerabilities and appropriate mitigation controls.
- Develop practical experience in IT/OT joint incident response, communication, and crisis coordination.
This activity reinforces the idea that cybersecurity in industrial systems is not only technical, but also organizational — requiring collaboration, clarity, and preparedness.
- Scenario 1 – Segmentation Failure Due to Misconfigured Firewall
A misconfigured firewall allows traffic from the business network (Level 4) to reach a control zone (Level 2/Level 1), violating Purdue segregation rules.
Tasks:
- Identify which Purdue layers are impacted by the misconfiguration.
- Propose correct firewall rules and a revised segmentation strategy to restore proper isolation.
- Update or redraw the network diagram to justify zone boundaries and permitted access paths.
Learning Outcome: Participants understand how small segmentation errors can expose critical OT assets and how to redesign secure zone boundaries.
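A worked check for this scenario, added here as example code (not part of the course material): it maps firewall rules onto assumed Purdue subnets, flags any allow rule that lets a zone reach a non-adjacent one, and places the faulty policy beside a corrected one. All addresses, zone names and rule tuples are constructed assumptions.

```python
import ipaddress

# Constructed topology for the scenario (assumed addresses): one subnet per Purdue zone.
ZONES = {
    "L4_business":   ipaddress.ip_network("10.4.0.0/16"),
    "L3.5_dmz":      ipaddress.ip_network("10.35.0.0/24"),
    "L3_operations": ipaddress.ip_network("10.3.0.0/24"),
    "L2_control":    ipaddress.ip_network("10.2.0.0/24"),
    "L1_plc":        ipaddress.ip_network("10.1.0.0/24"),
}
# Permitted paths: only neighbouring levels talk, and business traffic stops in the DMZ.
ALLOWED = {
    "L4_business":   {"L3.5_dmz"},
    "L3.5_dmz":      {"L4_business", "L3_operations"},
    "L3_operations": {"L3.5_dmz", "L2_control"},
    "L2_control":    {"L3_operations", "L1_plc"},
    "L1_plc":        {"L2_control"},
}

def zone_of(cidr: str) -> str:
    """Map a rule prefix to the zone that fully contains it ('unknown' if it spans zones)."""
    net = ipaddress.ip_network(cidr, strict=False)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "unknown"

def audit_rules(rules):
    """Return one finding per allow rule (action, src, dst, port) that crosses a
    non-adjacent zone boundary; rules touching an 'unknown' prefix are flagged too."""
    findings = []
    for action, src, dst, port in rules:
        if action != "allow":
            continue
        s, d = zone_of(src), zone_of(dst)
        if "unknown" in (s, d) or (s != d and d not in ALLOWED[s]):
            findings.append(f"allow {src} -> {dst}:{port} lets {s} reach {d} directly")
    return findings

# The faulty policy from the scenario beside a corrected one (both constructed).
FAULTY_RULES = [
    ("allow", "10.4.0.0/16", "10.35.0.0/24", "443"),
    ("allow", "10.4.0.0/16", "10.1.0.0/24",  "502"),   # business network straight to PLCs
    ("deny",  "0.0.0.0/0",   "0.0.0.0/0",    "any"),
]
CORRECTED_RULES = [
    ("allow", "10.4.0.0/16",  "10.35.0.0/24", "443"),  # business -> historian replica in DMZ
    ("allow", "10.35.0.0/24", "10.3.0.0/24",  "1433"), # DMZ replica -> operations historian
    ("allow", "10.2.0.0/24",  "10.1.0.0/24",  "502"),  # HMI/EWS -> PLCs only
    ("deny",  "0.0.0.0/0",    "0.0.0.0/0",    "any"),
]
```

Running `audit_rules(FAULTY_RULES)` yields exactly the business-to-PLC rule, while the corrected set produces no findings.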
- Scenario 2 – Legacy PLC Accepting Unauthenticated Modbus Commands
A legacy PLC is found to accept unauthenticated Modbus commands, enabling unauthorized write operations.
Tasks:
- Analyze the provided packet sample to identify protocol weaknesses.
- Identify missing security controls, such as authentication, validation, or access restrictions.
- Propose mitigation strategies, including protocol tunneling, endpoint protection, network filtering, or migration to more secure protocols.
Learning Outcome: Participants gain hands-on experience in detecting protocol misuse and designing compensating controls for insecure industrial communications.
- Scenario 3 – IT/OT Incident Coordination Roleplay
A simulated cross-network attack occurs: unusual write commands originate from a business network host (Level 4) attempting to modify logic on a Level 1 PLC.
The command bypassed firewall rules due to a faulty policy. Production halts, and alarms are triggered on SCADA.
Tasks:
- Investigate the source and method of unauthorized access across domains.
- Define roles and responsibilities for containment, communication, and recovery — representing IT Security, OT Operations, and Site Management.
- Develop a 1-page internal briefing and response plan outlining actions and lessons learned.
- Present a concise coordinated action summary to the class.
Learning Outcome: Participants practice multi-disciplinary incident response, enhancing communication and coordination between IT and OT teams.
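An added example for Scenarios 2 and 3 (illustrative code, not the course's packet sample): it decodes the Modbus/TCP MBAP header and function code of a request, labels the state-changing function codes as writes, and raises an alert when a write comes from anything other than an assumed engineering workstation, or when any Modbus request originates outside the Level 2 subnet, as with the Level 4 host in Scenario 3. The addresses, allowlist and captured frames are constructed.

```python
import ipaddress
import struct

# Modbus function codes that change PLC state; everything else is treated as a read.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   22: "Mask Write Register", 23: "Read/Write Multiple Registers"}
# Constructed policy (assumed addresses): only Level 2 hosts may speak Modbus to the
# PLC at all, and only the engineering workstation may write.
CONTROL_ZONE = ipaddress.ip_network("10.2.0.0/24")
WRITE_ALLOWLIST = {ipaddress.ip_address("10.2.0.7")}

def parse_modbus_tcp(payload: bytes):
    """Decode one Modbus/TCP request: MBAP header (transaction id, protocol id = 0,
    length, unit id) followed by the PDU. Returns None if truncated or inconsistent."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:   # length counts unit id + PDU
        return None
    fc = payload[7]
    frame = {"tid": tid, "unit": unit, "function": fc, "write": fc in WRITE_FUNCTIONS}
    if fc in WRITE_FUNCTIONS and len(payload) >= 10:
        frame["address"] = struct.unpack(">H", payload[8:10])[0]  # target coil/register
    return frame

def classify(src_ip: str, payload: bytes) -> str:
    """Verdict for one request seen on the PLC's TCP/502 listener."""
    src = ipaddress.ip_address(src_ip)
    frame = parse_modbus_tcp(payload)
    if frame is None:
        return "MALFORMED"
    if src not in CONTROL_ZONE:
        return "ALERT: Modbus from outside the control zone"
    if frame["write"] and src not in WRITE_ALLOWLIST:
        return f"ALERT: unauthorized {WRITE_FUNCTIONS[frame['function']]}"
    return "OK"

# Constructed sample traffic: an HMI read, an EWS write, and the Level 4 host's write.
SAMPLE_REQUESTS = [
    ("10.2.0.5",  bytes.fromhex("000100000006010300000002")),            # FC3 read 2 regs
    ("10.2.0.7",  bytes.fromhex("00020000000b0110001000020400010002")),  # FC16 write 2 regs
    ("10.4.0.25", bytes.fromhex("000300000006010600100001")),            # FC6 write from L4
]

def triage(requests=SAMPLE_REQUESTS):
    """Run every captured request through the policy and return (src, verdict) pairs."""
    return [(src, classify(src, payload)) for src, payload in requests]
```

In a real deployment the same logic belongs in a passive OT monitoring sensor or the zone firewall's deep-packet inspection, not on the legacy PLC itself.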
3. Interactive Q&A
Objective: The objective of this activity is to encourage reflection and active participation following the case study analysis, allowing participants to consolidate key lessons and relate them to their own professional context.
Description: Through an open and interactive Q&A session, learners are invited to share their insights, challenge assumptions, and explore how the discussed incidents connect to their everyday operational realities.
Guided by the facilitator, the discussion revolves around four key questions:
- What surprised you about the case(s)? — identifying unexpected elements or insights that changed your perception of OT cybersecurity.
- How would you have responded differently? — evaluating alternative actions or strategies that might have mitigated the impact more effectively.
- What parallels do you see with your own environment? — drawing comparisons between the case study and your organization’s network, policies, or culture.
- What would you implement after this discussion? — translating lessons learned into practical improvements for segmentation, monitoring, or collaboration between IT and OT teams.
This session is designed to foster peer learning, critical thinking, and knowledge transfer, helping participants internalize the relevance of OT cybersecurity practices.
By the end of the activity, participants will have a clearer understanding of how to apply the principles of segmentation and protocol security in their own organizations and how to strengthen the bridge between theory and operational experience.

