Ransomware Simulation Highlights Gaps in Critical Infrastructure Defense
At InfoSecurity Europe, cybersecurity firm Semperis demonstrated the high-stakes reality of ransomware attacks through a tabletop simulation pitting a red team (attackers) against a blue team (defenders) safeguarding a water treatment facility, a sector increasingly targeted by cyber threats.
Why Critical Infrastructure is Vulnerable
Public sector organizations, including utilities, face heightened risks due to bureaucratic inefficiencies, underfunding, and skill shortages, according to Guido Grillenmeier, Semperis’ principal technologist for EMEA. While compliance checklists may be met, many lack the technical expertise to respond effectively to real-world breaches. The simulation underscored that detection and recovery, not just prevention, are critical, as attackers exploit even minor deviations from normal system behavior.
The Simulation’s High-Pressure Scenario
The red team, drawing on real-world tactics, compromised the water facility’s systems and demanded a ransom matching typical insurance payouts. The blue team, despite pressure, refused payment, but the exercise revealed how unpredictable attacks force defenders to adapt rapidly. Semperis introduced wildcards to test resilience, emphasizing that preparation and creative problem-solving are key to outmaneuvering adversaries.
Tools Alone Aren’t Enough
Semperis’ Ready1 platform, launched recently, provides a centralized hub for incident response plans, communication protocols, and recovery strategies, aiming to reduce downtime and regulatory risks. However, Grillenmeier stressed that tools are only as effective as the teams using them. A 2023 Semperis study found that while 96% of companies have response plans, 71% suffered a high-impact attack disrupting critical operations in the past year. Common failures included poor cross-team communication (48%), unclear roles (41%), and over-reliance on disparate tools (40%).
Regulatory Pressure and the Path Forward
The EU’s Digital Operational Resilience Act (DORA) now mandates independent resilience testing, pushing organizations to validate their preparedness. Simulations like Semperis’ offer a low-risk environment for teams to refine strategies, test defenses, and identify weaknesses, lessons that apply far beyond the financial sector.
The exercise reinforced that ransomware attacks are inevitable, but their impact can be mitigated through structured preparation, clear roles, and continuous testing. For critical infrastructure, the stakes couldn’t be higher.
Semperis cybersecurity rating report: https://www.rankiteo.com/company/semperis
"id": "SEM1767939926",
"linkid": "semperis",
"type": "Ransomware",
"date": "6/2025",
"severity": "100",
"impact": "7",
"explanation": "Attack that could injure or kill people"
{'affected_entities': [{'industry': 'Public sector (water treatment)',
'name': 'Simulated water facility',
'type': 'Critical infrastructure'}],
'data_breach': {'data_encryption': 'Yes (simulated ransomware encryption)'},
'description': 'A ransomware tabletop simulation conducted by Semperis at '
'InfoSecurity Europe, involving red and blue teams to test '
'response strategies for a water facility under cyberattack.',
'impact': {'operational_impact': 'Potential halt of critical business '
'functions (water treatment services)',
'systems_affected': 'Water facility infrastructure'},
'investigation_status': 'Simulated exercise (not a real incident)',
'lessons_learned': 'Importance of disaster recovery planning, monitoring '
'systems for anomalies, understanding vulnerabilities, and '
'cross-team communication. Public sector vulnerabilities '
'due to bureaucracy, lack of funds, and technical skills.',
'motivation': 'Financial gain (ransom demand)',
'post_incident_analysis': {'corrective_actions': ['Implement centralized '
'crisis response platforms',
'Conduct regular resilience '
'testing',
'Improve monitoring for '
'anomalies'],
'root_causes': ['Lack of technical skills in '
'public sector',
'Bureaucratic inefficiencies',
'Insufficient preparation for true '
'disasters']},
'ransomware': {'data_encryption': 'Yes (simulated)',
'ransom_demanded': 'Hefty ransom (matched insurance payout)',
'ransom_paid': 'No'},
'recommendations': ['Prepare disaster recovery plans',
'Conduct regular tabletop simulations',
'Improve cross-team communication',
'Clarify roles and responsibilities',
'Reduce reliance on disparate tools',
'Use centralized platforms like Semperis Ready1 for '
'crisis response',
'Engage independent entities for operational resilience '
'testing (e.g., DORA compliance)'],
'references': [{'source': 'TechRadar Pro'}],
'regulatory_compliance': {'regulatory_notifications': 'DORA compliance '
'(simulated operational '
'resilience testing)'},
'response': {'enhanced_monitoring': 'Yes (simulated)',
'incident_response_plan_activated': 'Yes (simulated)',
'third_party_assistance': 'Semperis (simulated support)'},
'threat_actor': 'Red team (simulated ransomware group)',
'title': 'Ransomware Tabletop Simulation at InfoSecurity Europe',
'type': 'Ransomware'}