Eric Bassel
August 26th, 2015
The most trusted source for computer security training, certification, and research
Agenda:
• What is going on in the world?
• What is the situation in the US?
• What are our adversaries planning next?
• What should we be doing in DoD?

What is going on in the world?
Supreme Leader Kim Jong-un; shells fired over the DMZ
• Increasing numbers in the Nuclear club
• Rising power of the micro forces
• Increasing ability, enabled by technology, for individuals and groups to cause mass violence and mass disruption
• More nations and resourced groups possess the ability to undermine/challenge the national and economic security of nations via difficult-to-attribute cyber attacks (global cyber campaigns)
• The Fog of More
• Increasing use of violence as the ‘diplomatic tool of choice’
• Shifting identities
• Racing for resources
• The power of ideas
• Apologizing superpower
• Continued trend towards urbanization and combat occurring in these urban areas
Flame, Gauss, Stuxnet, Olympic Games operation(s), Shamoon, DDoS on US Banks, Duqu 1.0, Duqu 2.0, OPM Hack
What is the situation in the US?
• Stood up Cyber Command
• Developed Cyber Commands in all four services
• Began developing training program for cyber warriors
• Created career paths for cyber warriors
• Army stood up a new Branch
• Our debt as a percent of GDP will continue to rise and will force many difficult decisions
• We will spend less in real dollars for defense than we have over the past decade
• Our military will be forced to innovate in order to meet the requirements
• The threats will continue to be there…
• Our next engagement will likely be in an urban environment
• Our next engagement will certainly involve cyber warfare
• The US does not have a significant sustainable advantage in Cyber Warfare.
What are our adversaries planning next?
“Leveraging inferior tactical or operational strength against [the enemy’s] vulnerabilities to achieve disproportionate effect with the aim of undermining [their] will in order to achieve the asymmetric actor's strategic objectives.”
Kenneth McKenzie, NDU
• Most of our adversaries simply cannot hope to compete with our military on a conventional battlefield
  • Economically they do not have the horsepower
  • Militarily they are decades behind
• Their only option is Asymmetric Warfare
• Looking for ways to neutralize the effectiveness of the most powerful navy and air force in the world
  • ASBM with stand-off range against carriers
  • Drones
  • Nuclear deterrent
  • Offensive Cyber Capability
• Invest in finding and training their personnel for effective operations in cyber space
  • Train for multiple levels of skills
  • Large numbers of intermediate to advanced skilled people
  • Small numbers of very, very highly skilled people
• Resource your teams with the best tools and training available – keep them in the battle
• Aggressive network mapping; understanding the battlespace
• Planting embeds in critical systems, even down to the firmware level
• Organize as teams focused on different aspects of the US’s critical infrastructure
• Repeatability
• Stealth
What should we be doing in DoD?
“Ensure the integrity and security of the US by detecting, deterring, preventing, or, if necessary, defeating threats and aggression against the United States as early and as far from its borders as possible so as to minimize their effects on U.S. society and interest.”
Quadrennial Roles and Missions Review
• Typically we prepare to fight the ‘last war’
  • It is what we know and what we are comfortable with
• Military tactics and strategy always lag technological advancements
• Our leaders cannot fully understand the fundamental changes that the internet is having on the future of warfare
• We MUST adjust tactics and strategy quickly or there will be a significant readjustment of global powers that will not benefit the United States
• Iran's capture of the $6 million Lockheed-made RQ-170 Sentinel spy drone, reportedly monitoring Iran's nuclear program, is a significant loss for the US.
• Strategically, the US will suffer from the loss ... it has radar, a fuselage, and coating that makes it low-observable; the electronics inside are very high-tech. (Dec. 2011)
• Iran claims that their engineers have reverse engineered the secrets of the American stealth spy drone RQ-170 Sentinel. To prove it, they have made public some of the encrypted information stored in the plane. (April 2012)
• Iran making overtures to China on access to US drone technology. (April 2012)
• Getting the ‘right people’ in the training
• Establishing solid training programs for:
  • Enlisted, warrant officers and officers
• Standing up a new Branch
  • 170
  • 17C
  • 17A
• Collective Training
  • Need to conduct more thorough team-based training
  • Individuals need to get advanced training in their specialty
• Integrate Cyber Training into warfare training
• Currency training
Skills pipeline (from individual to team-based):
• Cyber Talent: Identify Aptitude
• SANS Courses: Develop In-Depth Skills
• GIAC Certification: Assess Learning and Skills
• NetWars: Refine & Assess Skills
• CyberCity: Build Capabilities
• Life-Size CyberCity: Refine Capabilities
• Over the past 5 years, SANS has built, operated, and refined the NetWars system to help develop hands-on skills
• Our goals:
  • To evaluate current skills: “How good am I?” & “How broad is my skill set?”
  • To reinforce existing skills: Practice, practice, practice
  • To develop new skills: A very hands-on learning tool
  • To work together in teams and as a community
  • To appeal to a broad range of participant skill sets (from intro up to very advanced)
• We’ve learned a lot in building and operating the NetWars cyber range
Levels:
0) Q&A with tutorials – Do you know the foundations?
1) Played on CD image (Lin or Win), no superuser privs granted
2) Played on CD image (Lin or Win) with superuser
3) Played across the Internet, attacking DMZ
4) Played across the Internet, attacking internal network from DMZ
5) Played across the Internet, attacking other players’ castles and defending your own
[NetWars architecture diagram: scorecard for each player; score server (enter captured flags to advance); gateway servers; DMZ targets; firewall; intranet; Castle 1, Castle 2 … Castle N]
• Customer requests: How can you train people to understand the kinetic impact of cyber action in a safe & effective manner?
• Our answer: NetWars CyberCity
  • Provides a hands-on cyber range to conduct defensive and offensive training
  • Visibly demonstrates to participants and senior leaders the impact of cyber missions
  • Supports our country and allies in helping to defend our critical infrastructure
  • Teaches cyber warriors to recognize the kinetic impact of cyber missions
• Physical and cyber assets simulating a real city
  • Transit including airport, rail, roads, traffic lights
  • Utility services including electrical and water
  • Community services including hospital, bank, ISP, and social networking site
  • Residential and business services
• CyberCity Population: 20,000 people (bank accounts, hospital records, social networking site accounts, etc.)
• Implemented at 1:87 scale
• Controlled using SCADA and related components for the greatest possible realism for missions
• Built with model train assets (buildings, track, etc.) for realistic look at miniature scale
• Designed for remote access
• CyberCity includes over 18 missions (defense and offense):
  • Reconnaissance mission for remote visibility of city assets
  • Disable enemy rocket launcher (to prevent hospital strike)
  • Stop weapon egress by controlling rail system
  • Support hostage rescue team by manipulating traffic systems
  • Recover control of a terrorist-compromised electric utility
• Participants will remotely see:
  • Compromised cameras and CyberCity operation
  • Launch and directional aiming of rocket launcher
  • Moving train and drawbridge; derailment
  • Traffic light system manipulation
  • City "lights-out" demonstration by attackers
Demonstrating the kinetic effect of cyber attack through practical, hands-on mission examples… building real-world warrior skills.
• Currently focused on distribution, not generation (yet)
• Each quadrant of CyberCity will have its own PLC
  • Allen-Bradley, GE, and Siemens
  • Controlling residential and industrial lighting, street lighting, and railway switch junctions
• Wonderware HMI running on Win7 and WinXP for management
• Protocols: Modbus/TCP, DNP3, Profinet, Ethernet/IP
• Wireless carried across highly attenuated wires and/or small-scale Faraday cage, for both the power grid and WiFi at the coffee shop
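The quadrant PLCs above speak Modbus/TCP and are managed from a Wonderware HMI; a Blue team defending the grid wants to know when anything other than the HMI sends a write command to a lighting PLC. The monitor below is an added example, not code from the deck or from SANS: it decodes the MBAP header and request PDU of Modbus/TCP frames and alerts on write function codes from unauthorised sources. The HMI and PLC addresses, the allowed-host policy and the three captured frames are constructed for illustration.

```python
"""Modbus/TCP write-command monitor for a CyberCity quadrant PLC.

Added example (not from the deck). Assumption: the Wonderware HMI is the only
station allowed to issue Modbus write function codes to the lighting PLC, so a
write from any other source is the precursor of a "lights-out" effect and
should raise an alert for the Blue team. Addresses and frames are constructed.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Public Modbus function codes.
FC_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_FCS = {5, 6, 15, 16}

HMI_HOSTS = {"10.87.1.10"}    # assumed Wonderware HMI address (constructed)
LIGHTING_PLC = "10.87.1.50"   # assumed quadrant-1 lighting PLC (constructed)


@dataclass
class ModbusRequest:
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function_code: int
    address: Optional[int]   # first coil/register addressed, if the FC is known
    quantity: int            # number of coils/registers addressed


def parse_modbus_tcp(src: str, dst: str, payload: bytes) -> ModbusRequest:
    """Decode the MBAP header and the request PDU of one Modbus/TCP frame."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, proto, length, unit, fc = struct.unpack(">HHHBB", payload[:8])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    # The MBAP length field counts the unit id plus the PDU that follows it.
    if length != len(payload) - 6:
        raise ValueError("MBAP length does not match frame size")
    data = payload[8:]
    address: Optional[int] = None
    quantity = 0
    if fc in (1, 2, 3, 4, 15, 16):          # start address + quantity
        address, quantity = struct.unpack(">HH", data[:4])
    elif fc in (5, 6):                      # single address + value
        address = struct.unpack(">H", data[:2])[0]
        quantity = 1
    return ModbusRequest(src, dst, tid, unit, fc, address, quantity)


def check_policy(req: ModbusRequest) -> Optional[str]:
    """Alert when a write function code reaches the lighting PLC from a non-HMI host."""
    if (req.dst == LIGHTING_PLC and req.function_code in WRITE_FCS
            and req.src not in HMI_HOSTS):
        name = FC_NAMES.get(req.function_code, f"FC {req.function_code}")
        return (f"ALERT {req.src} -> {req.dst} unit {req.unit_id}: {name} "
                f"at coil/register {req.address}, count {req.quantity}")
    return None


def analyse(frames: List[Tuple[str, str, bytes]]) -> List[str]:
    """Run every captured (src, dst, payload) triple through the policy."""
    alerts = []
    for src, dst, payload in frames:
        alert = check_policy(parse_modbus_tcp(src, dst, payload))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed captures: the HMI polls 16 lighting coils, a rogue host switches
# all 16 off with Write Multiple Coils, then the HMI switches one back on.
CAPTURED_FRAMES = [
    ("10.87.1.10", "10.87.1.50",
     bytes.fromhex("0001 0000 0006 01 01 0000 0010")),          # Read Coils
    ("10.87.9.23", "10.87.1.50",
     bytes.fromhex("0002 0000 0009 01 0F 0000 0010 02 0000")),  # Write Multiple Coils
    ("10.87.1.10", "10.87.1.50",
     bytes.fromhex("0003 0000 0006 01 05 0007 FF00")),          # Write Single Coil
]

if __name__ == "__main__":
    for line in analyse(CAPTURED_FRAMES):
        print(line)
```

Only the rogue host's Write Multiple Coils frame produces an alert; the HMI's own read and write pass the policy.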
• CyberCity HOMELAND: Titles 10, 18, & 32
  • Missions aligned with US infrastructure for infrastructure operators, law enforcement, National Guard, & US military bases
• CyberCity BLUE: Titles 10 & 50
  • Missions include response actions or other activities aligned with DoD or IC operations in a friendly country that has authorized US actions for defense or in support of military objectives
• CyberCity RED: Titles 10 & 50
  • Missions focused on military or intelligence operations against a foreign adversary and its supporting infrastructure
• Over the past 12 months, we’ve been invited to visit Camp Atterbury many, many times
• We heard that it was an impressive MOUT Site, but… frankly, we had some serious concerns
• We knew it would be possible to leverage the lessons learned building SANS CyberCity, but…
  • We doubted whether this was the best use of our scarce resources
  • We were not sure this was in strategic alignment with our training mission
Facilities: Sewage Treatment, Prison Complex, Steam Plant, Water Treatment, Embassy, Telephone Company (ISP)
Coal-Fired Steam Plant
• Coal-fired facility
• Industrial Control Systems
• Wide Range of Vendors
• Electrical grid infrastructure
• Underground Tunnel Network
• Complex Sensor and Control Arrays
• Convergence of Cyber and Physical Domains
• Human Machine Interface (HMI)
• Facility Owned Grid Infrastructure
Prison/Jail
• Highly complex secure target
• Simulated Human Terrain
• Building Management Control & Security Systems
• Tunnel Network
• Complete Jail Environment
• Integrated Security
Sewage
• Cyber Physical
• SCADA & PLC Devices
• Analog and Digital GEN I Systems
Water Treatment
• Array of PLC devices
• In-line Flow Meters
• Collocated GEN I, II, III Systems
• HMI Interface
Telephone Co (ISP)
• Secure Fiber Backbone
• Array of modern and legacy telecom systems
• Facility-wide 2G/3G/4G Cellular Capability
• Complex layers of security
Range Operations Center
• Develop and Monitor Training in real time
• Highly experienced ROC staff enhance all training activities
• Centralized Audio Simulation Center
• Customize and Record AAR analysis
• Citywide Audio System
Cyber City Traffic System: simulated software applications; basic control with digital IO
[Diagram, illustrative vs. actual: Water Treatment (PLCs & HMI Application; Basic Control & Monitoring); Power Generation (DCS); Refinery (SCADA/EMS); Chemical]
[Mission Scenario map of training sites: Ft Sam Houston, Ft Stewart/HAAF, Ft Campbell, Ft Bragg, Ft Polk, Ft Hood, Ft Lewis/YTA, JRTC, JCW, Ft Carson, Ft Irwin, NTC, Ft Bliss, Ft Riley, Ft Leavenworth, MCTP, ROK, Ft Shafter & Schofield Barracks, JMRC, Ft Sill, JKCP, UJTP, Camp Atterbury, PEOSTRI, Ft Drum, Nellis AFB, China Lake]
PHASE 1: 1st Brigade deploys to Fort Polk
PHASE 2: A Co 1/327th conducts secondary mission & deploys to FOB Cobra
PHASE 3: A Co 1/327th deploys back to Fort Polk and rejoins main effort
• Six groups of four teams, with ~10 people/team = 240
• 8 hours each team in CyberCity, Monday through Friday
• Capstone: 4 teams with highest score, Saturday
• Goals:
  • To learn technical skills in an applied way: Blue analysis and eradication of adversaries in CyberCity’s infrastructure
  • To work as a team, operating together and spreading knowledge
• Special thank you for support, planning, and operations:
  • MAJ Mike Lass
  • Gary Deckard
  • Rob VanDevand
• Hands-on skill levels vary widely among individuals
• Hands-on skill levels vary widely among teams
• In CyberCity missions, team leadership is crucial
  • Teams with strong leaders did well
    • Walked around, sought input and consensus from team members, and were decisive when required
  • Teams with two or three strong technical people and no leadership did not do well
  • Teams with a strong technical person as the lead did not do as well
• Team coordination improved after we pushed for identification of a team leader and briefed leaders before start of the course
• Select missions that can be built at the ‘crawl’ level of difficulty
• Select missions that easily tie Cyber and Kinetic missions together
• Design missions so that they can be completed by a trained team in 1 day
• Design missions so that they can be expanded and made more complicated later
• Leave complicated and risky missions for later phases
Mission sites: Sewage Treatment, Prison Complex, Steam Plant, Water Treatment, Embassy, Telephone Company (ISP)
Mission 1a – Telephone Co
• Secure Fiber Backbone
• Array of modern and legacy telecom systems
• Facility-wide 2G/3G/4G Cellular Capability
• Complex layers of security
Mission 1b – Prison/Jail
• Highly complex secure target
• Simulated Human Terrain
• Building Management Control & Security Systems
• Tunnel Network
• Complete Jail Environment
• Integrated Security
Mission 2 – Water Treatment
• Array of PLC devices
• In-line Flow Meters
• Collocated GEN I, II, III Systems
• HMI Interface
• Reconnaissance
  • Network packet capture
  • Cameras
  • Telephone intercept
• Prison / Jail
• Water Treatment
• Subway
• Sewage Treatment
• Steam
• Power distribution
• Hospital
• School
• Bank
• Air Field
• UAV
• Oil Refinery
• Distribution Center
• HVAC
• Smart House
• Water Tower
• Embassy
• Radio Tower
• Train
• Bus
• Future wars will likely involve mega-cities
• Future conflicts will certainly involve Cyber Warfare
• Commanders at the brigade and division level will demand cyber capabilities
• These capabilities must be integrated into existing training centers in a realistic way
• Remember… We are breaking new ground
• We’ll make mistakes, but we are all going to learn a lot
Eric Bassel
Ebassel@sans.org

Cyber Operations in Smart Megacities: TechNet Augusta 2015