Ransomware Tabletop Exercise Tests Water Utility’s Cyber Resilience at Infosecurity Europe
At this year’s Infosecurity Europe conference, cybersecurity vendor Semperis hosted Operation 999, a high-stakes ransomware tabletop simulation targeting a fictional UK water utility, Springfieldshire Water Treatment. The exercise pitted a red team of attackers against a blue team of defenders comprising CISOs, security leaders, and incident response experts to test real-world response strategies in a critical infrastructure scenario.
The Attack Unfolds
The red team launched their assault on December 24, exploiting the utility’s outdated SCADA-based industrial control systems, which were integrated with its IT network. Timing the attack for maximum disruption, when staff were on holiday and the head engineer was celebrating a birthday, the attackers escalated privileges, encrypted sensitive data, and exfiltrated corporate emails. Their goal was a £20 million ransom, with no intent to sabotage operations (avoiding terrorist-like consequences).
When the blue team detected suspicious encryption activity, they followed protocol, notifying the UK’s National Cyber Security Centre (NCSC) and regulators, a move prompted by legal warnings about potential fines or liability. External incident response specialists were brought in, while the utility’s leadership faced public backlash, including a press conference by the local council demanding action.
Extortion Tactics and Financial Exploitation
After the blue team, backed by authorities and crisis experts, refused to pay the ransom, the attackers pivoted, leaking customer records online to pressure the utility. Despite the refusal, the red team still profited by shorting Springfieldshire Water Treatment’s stock ahead of the attack, exploiting a pending takeover bid by a rival utility.
Key Takeaways from the Simulation
- Critical Infrastructure Vulnerabilities – The exercise highlighted the risks of IT-OT convergence, where outdated SCADA systems create entry points for attackers.
- Stakeholder Coordination – The blue team’s response involved rapid communication with regulators, legal teams, and external experts, though assumptions about reaching stakeholders during a holiday proved optimistic.
- Financial Motives Over Disruption – Unlike nation-state actors, ransomware groups prioritize profit, using extortion and market manipulation (e.g., stock shorting) rather than physical sabotage.
- Public and Media Fallout – The attack triggered social media panic and misinformation, underscoring the need for controlled crisis communications.
Broader Industry Context
The scenario mirrored real-world threats: a Semperis survey found that 62% of UK/US utilities were targeted in the past year, with 54% suffering permanent system damage. Meanwhile, Mikko Hypponen of WithSecure noted in a keynote that ransomware presents a more persistent risk than natural disasters, with attackers relentlessly probing defenses.
Led by Steve Hill (former Credit Suisse CISO) and featuring security leaders from bp and Schillings Partners, the exercise demonstrated how tabletop simulations, akin to military war games, can sharpen incident response plans, even if they can’t replicate the chaos of a live attack. The blue team ultimately focused on containment, resilience, and long-term mitigation, reinforcing the need for updated playbooks and cross-team collaboration in critical sectors.
Southern Water cybersecurity rating report: https://www.rankiteo.com/company/southern-water
{
  "id": "SOU1767941346",
  "linkid": "southern-water",
  "type": "Cyber Attack",
  "date": "12/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {
      "customers_affected": "One million customers (simulated)",
      "industry": "Utilities",
      "location": "UK",
      "name": "Springfieldshire Water Treatment",
      "size": "Serves one million customers",
      "type": "Water utility"
    }
  ],
  "attack_vector": "SCADA-based industrial control systems integrated with IT systems",
  "customer_advisories": "Public statements via social media and press conferences",
  "data_breach": {
    "data_encryption": true,
    "data_exfiltration": true,
    "personally_identifiable_information": true,
    "sensitivity_of_data": "High (personally identifiable information, corporate sensitive data)",
    "type_of_data_compromised": ["Corporate data", "Emails", "Customer records"]
  },
  "description": "A ransomware tabletop simulation exercise where a red team targeted Springfieldshire Water Treatment, encrypting sensitive data, escalating privileges, and attempting to extort £20 million. The blue team responded by activating incident response plans, notifying authorities, and refusing to pay the ransom. The attackers leaked customer records online and profited from shorting the company's stock.",
  "impact": {
    "brand_reputation_impact": "Public panic, media scrutiny, reputational damage",
    "data_compromised": "Sensitive corporate data, emails, customer records",
    "identity_theft_risk": "Customer records leaked online",
    "legal_liabilities": "Potential fines or liability issues due to regulatory non-compliance",
    "operational_impact": "Potential disruption to water treatment services (simulated)",
    "systems_affected": ["SCADA systems", "IT systems", "Endpoints"]
  },
  "initial_access_broker": {
    "entry_point": "Outdated SCADA systems integrated with IT",
    "high_value_targets": ["Head engineer's computer", "SCADA systems"]
  },
  "investigation_status": "Simulated exercise (completed)",
  "lessons_learned": "Importance of stakeholder communication, identifying critical assets, and long-term resilience planning. Assumptions about stakeholder availability during holidays may be optimistic.",
  "motivation": "Financial gain (extortion, stock manipulation)",
  "post_incident_analysis": {
    "corrective_actions": ["Enhance monitoring", "Improve network segmentation", "Update incident response plans"],
    "root_causes": ["Outdated SCADA systems", "Integrated IT/OT environment", "Lack of segmentation"]
  },
  "ransomware": {
    "data_encryption": true,
    "data_exfiltration": true,
    "ransom_demanded": "£20 million"
  },
  "recommendations": [
    "Update incident response playbooks to account for holiday periods",
    "Enhance monitoring and segmentation between IT and OT systems",
    "Develop crisis communication plans for public reassurance",
    "Regularly test and update cyber crisis plans"
  ],
  "references": [
    {"source": "CSO Online"},
    {"source": "Infosecurity Europe"},
    {"source": "Semperis"}
  ],
  "regulatory_compliance": {
    "fines_imposed": "Potential fines (simulated)",
    "regulatory_notifications": ["UK National Cyber Security Centre", "Regulators"]
  },
  "response": {
    "communication_strategy": ["Social media statements", "Press conferences", "Media outreach"],
    "containment_measures": "Network segmentation, enhanced monitoring",
    "enhanced_monitoring": true,
    "incident_response_plan_activated": true,
    "law_enforcement_notified": true,
    "network_segmentation": true,
    "third_party_assistance": "External incident response specialists"
  },
  "stakeholder_advisories": "Reassurance statements to public and partners about water supply safety",
  "threat_actor": "Red team (simulated attackers)",
  "title": "Operation 999: Ransomware Attack on Springfieldshire Water Treatment",
  "type": "Ransomware",
  "vulnerability_exploited": "Outdated SCADA systems, integrated IT/OT environment"
}