Cybersecurity Training Simulator using Smart Grid Cyber Ranges
How can cyber incident response teams and cyber security professionals be trained and prepared to protect the forthcoming smart grid from cyber threats? A smart grid cyber range (SGCR) can be tailored for this purpose: it uses virtualization and simulation to mimic the features and abnormal conditions commonly found in distribution and transmission system operators (DSOs and TSOs), and to simulate cyberattacks observed in the real world.
Just as fighter pilots log their first flight hours in a realistic flight simulator, cyber security professionals should be trained in a cyber range, also known as a security testbed.
According to NIST [1]: “A cyber range is an interactive, simulated representation of an organization’s local network, system, tools, and applications that are connected to a simulated Internet level environment. It provides a safe and legal environment to gain hands-on cyber skills and a secure environment for product development and security posture testing”. Accordingly, an SGCR is tailored to the smart grid domain by simulating the IT and OT networks, devices and protocols that are commonly found in DSOs and TSOs. Adding manual or emulated cyber-attacks observed in the real world, capable of propagating, dwelling and moving laterally through the simulated IT and OT environment, allows for “in vitro” yet realistic training of cyber security professionals, especially in incident response.
Response capacity is an important aspect when an incident occurs, and the human element is considered the first line of defense when it comes to being aware of and prepared for possible cyber security threats. However, most investments seem to go into tools, systems and automated security mechanisms rather than into human behavior and decision-making as a means of improving security posture. Hence, there is a need to gather more knowledge of human behavior in the heat of a cyber security incident and to use this knowledge to strengthen response capacity across IT and OT systems. An important part of the PHOENIX project is to investigate the cyber-human interaction when cyber threats are detected; to this end, some form of spin-off exercise is a valuable practice.
An SGCR aims to provide adequate training of key personnel and security professionals through observation and learning-by-doing scenarios in a highly virtualized electrical power and energy system (EPES) environment. This builds a resilient cyber-human defense through effective triage and incident response, so that the future impact of cyber threats and nefarious activity on the electric power and utility industry is alleviated.
Many cyber ranges are already under development or even ready for use (e.g. the electrical power and intelligent control (EPIC) testbed). The range and the training scenarios are managed from the cyber range control center, as shown in figure 1 above; the blue team, SOC team or CIRT team being trained uses the generic PCs to interact with the range and to perform the tasks given by the exercise scenario. However, only a few ranges are designed and specifically tailored for cyber security experimentation and training in the smart grid domain, largely because the smart grid concept is still under development and has yet to become a reality. Consequently, it is hard to imitate a system that does not yet exist in its entirety, but SGCRs are emerging side by side with smart grid advancements, to which the PHOENIX project is a major contributor.
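To make the exercise mechanics described above concrete (an emulated attack that propagates and moves laterally through simulated IT and OT segments, a blue team watching the range's event feed, and a control center scoring the response), the following toy scenario runner is an added example. It is not code from the PHOENIX project or from any real cyber range; the host names, the topology, the one-hop-per-tick propagation model and the detection rule are all constructed assumptions. It also goes slightly beyond the text by showing how the same scenario scores differently once the IT/OT boundary link is removed, which is the kind of "what if" comparison a range exercise is meant to support.

```python
"""Toy SGCR scenario runner (added example; hypothetical, not PHOENIX code)."""
from collections import deque
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed topology: an IT segment (workstation, file server), a jump host at
# the IT/OT boundary, and an OT segment (SCADA server, two RTUs). Each entry lists
# the hosts a compromised node could reach. The jump-host -> scada-server edge
# models a poorly segmented boundary; everything here is an assumption.
TOPOLOGY: Dict[str, List[str]] = {
    "workstation-01": ["file-server", "jump-host"],
    "file-server": ["workstation-01", "jump-host"],
    "jump-host": ["file-server", "scada-server"],
    "scada-server": ["jump-host", "rtu-01", "rtu-02"],
    "rtu-01": ["scada-server"],
    "rtu-02": ["scada-server"],
}
OT_ASSETS = {"scada-server", "rtu-01", "rtu-02"}


@dataclass(frozen=True)
class Event:
    """One line of the range's event feed, as the blue team console would see it."""
    tick: int
    src: str
    dst: str
    kind: str  # "dwell" (attacker idle on a host) or "lateral" (move to a new host)


def simulate_propagation(topology: Dict[str, List[str]], entry: str,
                         max_ticks: int) -> List[Event]:
    """Breadth-first spread from the entry host, one hop per tick.

    Returns the ordered event feed the range emits. Hosts are never compromised
    twice, and the run stops when nothing new is reachable or max_ticks elapse.
    """
    events: List[Event] = []
    compromised = {entry}
    frontier = deque([entry])
    for tick in range(1, max_ticks + 1):
        if not frontier:
            break
        next_frontier: deque = deque()
        for host in frontier:
            events.append(Event(tick, host, host, "dwell"))
            for neighbour in topology.get(host, []):
                if neighbour not in compromised:
                    compromised.add(neighbour)
                    events.append(Event(tick, host, neighbour, "lateral"))
                    next_frontier.append(neighbour)
        frontier = next_frontier
    return events


def boundary_crossing_rule(event: Event) -> bool:
    """Example blue-team detection: a lateral move from a non-OT host into OT."""
    return (event.kind == "lateral" and event.dst in OT_ASSETS
            and event.src not in OT_ASSETS)


def score_exercise(events: List[Event],
                   rule: Callable[[Event], bool]) -> Dict[str, Optional[int]]:
    """Control-center scoring: when the first alert fired and how much OT was
    reached before it, plus total OT reach for the whole scenario."""
    alert_tick: Optional[int] = None
    ot_before_alert = set()
    ot_total = set()
    for ev in events:
        if ev.kind == "lateral" and ev.dst in OT_ASSETS:
            ot_total.add(ev.dst)
            if alert_tick is None:
                ot_before_alert.add(ev.dst)
        if alert_tick is None and rule(ev):
            alert_tick = ev.tick
            # the alerting event itself is not counted as "reached before alert"
            ot_before_alert.discard(ev.dst)
    return {"alert_tick": alert_tick,
            "ot_before_alert": len(ot_before_alert),
            "ot_total": len(ot_total)}


def without_edge(topology: Dict[str, List[str]], a: str, b: str) -> Dict[str, List[str]]:
    """Return a copy of the topology with the a<->b link removed (segmentation)."""
    return {h: [n for n in ns if {h, n} != {a, b}] for h, ns in topology.items()}


if __name__ == "__main__":
    feed = simulate_propagation(TOPOLOGY, "workstation-01", max_ticks=10)
    print("flat network:", score_exercise(feed, boundary_crossing_rule))
    segmented = without_edge(TOPOLOGY, "jump-host", "scada-server")
    feed2 = simulate_propagation(segmented, "workstation-01", max_ticks=10)
    print("segmented  :", score_exercise(feed2, boundary_crossing_rule))
```

In the flat topology the boundary rule fires at tick 2, when the jump host reaches the SCADA server, but by the end of the run all three OT assets have been reached, which is the gap between "detected" and "contained" that a triage exercise is meant to expose. With the boundary link removed, the propagation never enters OT and the rule never fires, so the score also tells the control center whether a given scenario still exercises the team at all.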