
ACE Responder specializes in the monitoring and control of pressurized containment systems used across industrial and municipal sectors—everything from water treatment to chemical storage. These systems are operated via a logically segregated Operational Technology (OT) network, where Programmable Logic Controllers (PLCs) regulate pressure, flow rates, and automated safety interlocks.

Last night, the FBI’s Cyber Division issued a time-sensitive alert: one of your internal IT systems has been observed beaconing to command-and-control (C2) infrastructure tied to a known threat actor over the course of several months. This threat actor is known to target critical infrastructure. 

This actor is technically capable but not stealthy. They rely on loud enumeration tactics, like broad host scanning and account probing, but are also proficient in living-off-the-land (LoL) techniques—using native tools like PowerShell and Bash.

While the potential compromise appears limited to the corporate network, maintenance personnel just reported a critical storage tank failure triggering an emergency shutdown at a regional facility. The cause of failure is unknown. No injuries were reported, but the incident resulted in significant damage and potential environmental exposure.

Initial review shows no clear signs of compromise within the OT environment, but there is growing concern: Was the tank failure purely mechanical—or was it cyber-physical sabotage?

As a SOC analyst, you’ve been called in to lead the investigation. Your goals:

* Confirm whether a malicious cyber actor is, or has been, present in the environment
* Determine if attacker activity reached or influenced the OT network
* Assess whether malicious action contributed to the storage tank failure
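As an added example (not ACE Responder's own tooling, and not part of the original scenario brief), two triage checks that serve the first goal above, run over constructed log samples: a periodicity test that surfaces the kind of long-running beaconing the FBI alert describes, and a distinct-target count that surfaces the loud account probing this actor is known for. Hostnames, IPs, account names, timestamps and the thresholds (`min_hits`, `max_cv`, `min_users`) are constructed or assumed starting points, to be tuned against your own baseline.

```python
"""Two triage checks for 'is a malicious actor present?', over constructed samples.

Added example; not ACE Responder's own code or tooling. Hostnames, IPs,
usernames, timestamps and thresholds are constructed/assumed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound-connection log: "<timestamp> <src_host> <dst_ip> <dst_port>".
# WS-0117 checks in with 203.0.113.10 roughly hourly (a fixed sleep with a few
# seconds of jitter); WS-0042 reaches 198.51.100.7 at irregular, human-like times.
FW_LOG = """\
2024-03-01T08:00:00 WS-0117 203.0.113.10 443
2024-03-01T08:00:05 WS-0117 198.51.100.7 443
2024-03-01T09:00:02 WS-0117 203.0.113.10 443
2024-03-01T10:00:01 WS-0117 203.0.113.10 443
2024-03-01T11:00:03 WS-0117 203.0.113.10 443
2024-03-01T12:00:00 WS-0117 203.0.113.10 443
2024-03-01T08:13:00 WS-0042 198.51.100.7 443
2024-03-01T08:47:00 WS-0042 198.51.100.7 443
2024-03-01T10:02:00 WS-0042 198.51.100.7 443
2024-03-01T13:31:00 WS-0042 198.51.100.7 443
2024-03-01T14:05:00 WS-0042 198.51.100.7 443
"""

# Constructed Windows Security failed-logon (event 4625) log:
# "<timestamp> 4625 <source_ip> <target_user>".
# 10.10.5.23 fails against six different accounts in seconds (probing);
# 10.10.7.4 fails three times for one user (a typo or expired password).
AUTH_LOG = """\
2024-03-01T08:30:00 4625 10.10.5.23 jsmith
2024-03-01T08:30:01 4625 10.10.5.23 mlee
2024-03-01T08:30:01 4625 10.10.5.23 svc_backup
2024-03-01T08:30:02 4625 10.10.5.23 administrator
2024-03-01T08:30:02 4625 10.10.5.23 plc_admin
2024-03-01T08:30:03 4625 10.10.5.23 ot_hmi
2024-03-01T09:15:10 4625 10.10.7.4 kwong
2024-03-01T09:15:25 4625 10.10.7.4 kwong
2024-03-01T09:15:40 4625 10.10.7.4 kwong
"""


def beacon_candidates(log=FW_LOG, min_hits=5, max_cv=0.2):
    """Flag (src, dst) pairs whose inter-connection intervals are too regular.

    Human browsing is bursty and irregular; an implant sleeping for a fixed
    interval produces gaps with a low coefficient of variation (stdev / mean)
    even with modest jitter. Returns {(src, dst): (hits, mean_gap_s, cv)}.
    """
    seen = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst, _port = line.split()
        seen[(src, dst)].append(datetime.fromisoformat(ts))
    flagged = {}
    for pair, stamps in seen.items():
        if len(stamps) < min_hits:  # too few observations to judge periodicity
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            flagged[pair] = (len(stamps), round(avg), round(cv, 3))
    return flagged


def probing_candidates(log=AUTH_LOG, min_users=5):
    """Flag source IPs whose 4625 failures span many distinct target accounts.

    Repeated failures for one user are usually benign; one source failing
    across many accounts is account probing or password spraying.
    Returns {source_ip: sorted list of targeted users}.
    """
    users = defaultdict(set)
    for line in log.splitlines():
        _ts, event_id, src_ip, user = line.split()
        if event_id == "4625":
            users[src_ip].add(user)
    return {ip: sorted(u) for ip, u in users.items() if len(u) >= min_users}


if __name__ == "__main__":
    for (src, dst), (hits, avg, cv) in beacon_candidates().items():
        print(f"possible beacon: {src} -> {dst} ({hits} hits, ~{avg}s apart, cv={cv})")
    for ip, targets in probing_candidates().items():
        print(f"possible account probing from {ip}: {len(targets)} accounts {targets}")
```

In practice the first check runs over proxy, DNS or NetFlow data whose retention actually covers the months the alert cites: an hourly or daily sleep is invisible in a few hours of data, so the window matters more than the threshold. The second runs over Windows Security 4625 events, and the living-off-the-land follow-up means pulling PowerShell script block logs (event 4104) and Linux shell history for any host the two checks surface. Because this actor is loud, the enumeration check will usually fire first and point you at the beaconing host.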

![image](https://assets.aceresponder.com/under-pressure/under_pressure_schematic.png)

Under Pressure


Analyst

$17.49/mo, 14 days free

* Explore realistic pre-recorded attacks
* Master full-featured defensive platforms
* Browser-based challenges and modules
* Extended attack videos

Grants access to Analyst content. You can cancel any time by returning to this page and following the cancellation steps.

Defender

$44.49/mo

* Instant fully interactive labs
* Hands-on prevention and detection
* Master offensive techniques
* Security engineering exercises
* Highly realistic and dynamic scenarios
* Access to all Analyst-level content

Grants access to all Defender content, Analyst content and interactive lab environments. You can cancel any time by returning to this page and following the cancellation steps.