The most important thing about Cyber War: One Scenario is not that it predicts a coordinated cyberattack on American critical infrastructure. It is that the scenario inside the book is built from patterns I have already watched 150+ executive teams discover under tabletop conditions — patterns that already exist inside real operating utilities, real operating manufacturers, and real operating transportation networks.

The book exists because most executives I work with have read every cyberwar headline of the last three years and still cannot describe, hour by hour, what such an attack would actually do to their operations, their boards, their regulators, and their customers. The scenario fills that gap.

The architecture of the scenario

The scenario is structured as a 72-hour event. The adversary is composite — drawn from the real targeting patterns of three nation-state-level actors and one criminal extortion group acting opportunistically. The targeting set is multi-sector and deliberately includes the IT-OT pivot, because that is the actual unsolved problem in critical infrastructure cybersecurity today.

The 72 hours break into six phases:

  • Hours 0–6: Initial Intrusion. The first signal, the missed alert, and the fork in the road where containment is cheap if anyone is paying attention.
  • Hours 6–24: Lateral Movement. A coordinated adversary moves through OT and IT in parallel. The trust boundaries that fail first.
  • Hours 24–36: First Cascading Failure. The first downstream service drops. Public awareness begins. Federal partners enter the call.
  • Hours 36–48: National Coordination. CISA, the sector ISACs, the FBI, and the cyber-insurance carrier’s panel firms all need different things at the same time.
  • Hours 48–60: Public Communications. The press conference, the regulator filings, the cyber-insurance carrier’s public-statement gate.
  • Hours 60–72: Recovery Decisions. Backup integrity, the choice between fast and forensic, and the residual risk that gets carried into the next quarter.

The point is not that this is the only way a coordinated attack would unfold. The point is that this is the way the executive teams I have facilitated lose decisions when the same scenario class is run as a tabletop. The book makes those decision losses legible, slowly, on the page.

Why OT sits at the center

The book’s adversary targets OT because OT is where cyber risk turns physical. Operational technology is the layer between an exploit and a real-world consequence — a turbine that does not spin, a valve that does not close, a switch that does not throw. Every other failure in the scenario is downstream of an OT decision somewhere in the chain.

The IT-OT pivot — the place where an adversary jumps from the corporate IT environment into the plant — is the architectural decision most operators have inherited rather than designed. The scenario in the book exploits exactly that: the historical convergence path most plants accumulated over fifteen years of remote-access expediency.

For a separate treatment of how to close that pivot path without taking the plant offline, see the IT-OT convergence keynote.

The cascade is the real lesson

Most cyber-war fiction stops at the intrusion. The scenario in Cyber War: One Scenario deliberately spends more time on the cascade than on the intrusion, because that is where executive decisions actually live.

The cascade map I use in the book is the same one I draw on a whiteboard during executive tabletops. The 16 CISA-designated sectors are not independent — they share dependency arrows. Power feeds water. Water feeds healthcare. Healthcare feeds public confidence. Public confidence feeds market response. Each arrow has a timing characteristic — how many hours before failure in sector A produces failure in sector B — and that timing is what compresses or expands the executive decision window.
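
The arrow timing described above can be worked through in a few lines. This is an added example, not the book's cascade map or the author's own material: it computes the earliest hour each downstream sector fails and how many hours of decision window that leaves. The sector chain follows the paragraph; every hour value, the direct power-to-healthcare arrow, and the function names are constructed assumptions.

```python
import heapq

# Constructed dependency arrows: (upstream, downstream, hours until the
# upstream failure produces a downstream failure). The chain follows the
# article; all hour values and the power->healthcare arrow are invented.
ARROWS = [
    ("power", "water", 8),
    ("water", "healthcare", 12),
    ("power", "healthcare", 30),  # assumed: backup generation running out
    ("healthcare", "public_confidence", 6),
    ("public_confidence", "market_response", 10),
]

def failure_onsets(arrows, origin, start_hour=0):
    """Earliest hour each sector fails if `origin` fails at start_hour."""
    graph = {}
    for up, down, hours in arrows:
        graph.setdefault(up, []).append((down, hours))
    onset = {origin: start_hour}
    queue = [(start_hour, origin)]
    while queue:
        hour, sector = heapq.heappop(queue)
        if hour > onset.get(sector, float("inf")):
            continue  # stale queue entry, a faster path was already found
        for down, delay in graph.get(sector, []):
            candidate = hour + delay
            if candidate < onset.get(down, float("inf")):
                onset[down] = candidate
                heapq.heappush(queue, (candidate, down))
    return onset

def decision_windows(arrows, origin, start_hour=0, horizon=72):
    """Hours between the origin failure and each downstream failure,
    limited to sectors that fail inside the scenario horizon."""
    onsets = failure_onsets(arrows, origin, start_hour)
    return {sector: hour - start_hour
            for sector, hour in sorted(onsets.items(), key=lambda kv: kv[1])
            if sector != origin and hour <= horizon}

if __name__ == "__main__":
    # Assumed: the power failure lands at hour 24 of the 72-hour event.
    for sector, hours in decision_windows(ARROWS, "power", 24).items():
        print(f"{sector}: fails {hours}h after the power failure")
```

With these constructed values, healthcare fails through the water path (20 hours) long before the direct power arrow (30 hours) would reach it, which is the sense in which the shortest arrow chain sets the decision window.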

For a separate treatment of the dependency map, see the Critical Infrastructure Sector Cascade Map article.

What boards take from the scenario

I run a 30-minute condensed version of the scenario as a board briefing. The version that actually lands is the one that strips out cyber jargon and reduces the entire 72 hours to four executive decisions:

  1. Authority to disconnect. Who can order the IT-OT cut, on what evidence, and at what cost.
  2. Authority to restore. Who can order restoration from backup, with what forensic obligation, and against what regulatory clock.
  3. Authority to communicate. Who speaks to regulators, to media, to the cyber insurance carrier, in what order, with what coordination.
  4. Authority to escalate. When an event becomes a national-coordination event and which federal partners enter the room.

Every one of those four authorities tends to be unwritten or contested at the operators I work with. The scenario’s value is making the absence visible before a real event makes it expensive.

The quantum dimension

The book’s adversary is not running quantum decryption. The book’s adversary is running harvest-now-decrypt-later against the operator’s long-life data and the federal stakeholders’ long-life data, because that is what real adversaries are doing right now. The post-quantum migration is woven into the scenario as a long-tail consequence of decisions made today, not as an immediate failure mode.

If you read the scenario carefully, the harvest-now-decrypt-later threat is the only place the scenario quietly extends past 72 hours and into a decade.

Who the book is for

It is written for three audiences. Executives in critical-infrastructure-adjacent companies who need a working model of what a coordinated event would do to their operations. Boards that govern those companies and need a fiduciary view that does not require an acronym dictionary. Federal stakeholders and policy professionals who already understand the policy frame and want a clean operational walkthrough they can use as briefing material.

The book exists because the gap between policy and operating reality is the place where a coordinated event would do the most damage — and the gap closes one tabletop at a time.

Where to read or buy

Cyber War: One Scenario on Amazon · Book overview on marklynd.com