Training

CNI cyber course

by Mark Rowe

A course for IT people securing critical national infrastructure and related industries is new from SANS Institute. SANS SEC562: CyberCity Hands-on Kinetic Cyber Range Exercise will make its European debut in London from April 27 to May 2. The six-day course includes a digital representation of a city and commonly found systems used across a range of computers, networks, programmable logic controllers and underlying protocols that operate most of the physical infrastructure used by UK utilities, oil and gas, military and industrial automation.

Tim Medin, course co-author and certified SANS instructor, says: “There has been an assumption that cyber-attacks are all about targeting banks and retailers for monetary gain but for many years, critical national infrastructure has been under constant attack without generating the headlines or media hype. The motivations of the attackers are not so clear cut anymore – we are seeing a type of asymmetric warfare where actors including hacktivists, disgruntled employees and in some cases nation states that cannot mount a direct attack, instead aim to cause real-world damage without the spotlight of notoriety or risk of arrest.”

Medin points to incidents including a steel mill in Germany, a gas pipeline in Turkey and the infamous Stuxnet attack on nuclear facilities in Iran as examples of cyber-attacks that have led to kinetic damage. “Increasingly, organisations are using sophisticated IT to improve the efficiency of electrical grids, water treatment and even traffic lights but these interconnections can leave highly computerised nations vulnerable to attacks that cause an incredibly damaging ripple effect.”

Medin also highlights the challenges for the teams tasked with protecting these systems. “One of the fundamental problems for defenders is that these systems are complex and highly specialised and often in place for several decades. The skill needed to design and implement best practice security in these environments is scarce and even making small changes to live systems is a daunting process. There is an element of risk as the consequences of mistakes can literally turn-the-lights-out.”

The new course includes a 1:87 scale miniaturised physical city that features ICS-controlled electrical power distribution, as well as water, transportation, hospital, bank, retail, and residential infrastructures. The software systems used by these infrastructure models are real and the course is weighted towards hands-on exercises to help students understand the processes attackers use to gain control, helping them to better defend these targets.

The course includes modules that focus on network reconnaissance, protocol manipulation, ICS switching and power grid manipulation. However, the course also looks at operator interface terminals and the human elements such as the targeting of key staff through social networking and intelligence gathering. The course is rounded off by a red-team/blue-team mock cyber battle within the CyberCity.

“It may sound like overkill but the reality is that every year, more of our infrastructure is becoming connected and automated and if we fail to properly train the people who we ask to defend these systems, then eventually we will have a ‘Titanic moment’ and then it will be too late. Part of the challenge is to change the mind-set away from complacency towards an active defence. The debut of this course in Washington last year reached 100pc capacity in days of registration and the attendees were a diverse mix of senior staff across the entire spectrum of infrastructure as well as military and governmental.”

SEC562: CyberCity Hands-on Kinetic Cyber Range Exercise will be part of SANS ICS London 2015. The annual event will also run the foundation ICS410: ICS/SCADA Security Essentials course and two hosted courses on “Assessing and Exploiting Control Systems” and “Critical Infrastructure and Control System Cybersecurity”. Visit: www.sans.org/ics-london-2015/ or email [email protected]


© 2024 Professional Security Magazine. All rights reserved.
