Army cyber protection teams upgrade training with a 'real' city

Army cyber teams will face off against industrial control systems at Indiana National Guard's Muscatatuck Urban Training Center in Butlerville, Ind.

The Army's cyber protection teams are upgrading their training program to include a real-life, round-the-clock, cyberattack on a city port.

"There's a dearth of realistic training venues," John Nix, director of federal for SANS Institute, told FCW. "There are lots of cyber ranges, but they don't have those rich training scenarios where you have an adversary that is being emulated -- a real advanced persistent threat -- and they bang away at the Cyber Protection Teams."

A task force comprised of two CPTs will endure a weeklong, 24-hour-a-day training exercise, called the SANS Cyber Situational Training Exercise (Cyber STX), at the Indiana National Guard's Muscatatuck Urban Training Center in Butlerville, Ind., starting Aug. 20.

While far from the Army cyber team's first cyber training exercise, this is the first with a full-scale cityscape. The 45-acre facility offers typical metropolitan trappings, physical and cyber infrastructures and control systems -- water facilities, a prison, hospital and traffic lights. There's also an electronic warfare component, restricted airspace, and human interference, such as web queries, social media and email that teams must wade through to fulfill the mission.

"It's going to be where cyber connectivity and kinetic activity meet," said Ed Skoudis, co-founder at Counter Hacker and a SANS Institute fellow. He said the exercise's overall scenario involves hackers trying to gain control of construction cranes control systems to damage a city port.

Earlier versions of the exercise lacked industrial control systems. "This is the first real opportunity to exercise that cyber-physical in the similar environment as our nation's critical infrastructure," Nix said.

John Womble, Army Cyber Protection Brigade training officer in Ft. Gordon, Ga., said the training exercise will be used as an evaluation tool to test if cyber operators are ready for combat. If all goes well, the exercise will create opportunity for the Army to expand beyond SCADA systems and simulate other network breaches, including election systems, power grids, and company networks.

The task force will face cyber challenges around the clock, Womble said, because "the enemy doesn't go to sleep so we can relax, so we have to train for that."

Womble couldn't disclose how many operators were on each team, but said the Army's goal is to push about 12 teams or two task forces through this training process each year going forward.

The goal is to get real-world feedback that gets operators "comfortable being uncomfortable" so they can "maneuver around different adversaries," Womble said, without naming the specific adversarial threats.

"If we can understand all the different possibilities in ways to gain access to the network, we can better protect the network," he added.

The exercise is the last for fiscal 2018 but Womble plans to do more in 2019 -- if the budget allows.

"If we have a budget for FY19, we're on a continuing resolution right now, so if everything goes well, hopefully, we'll have a budget" to do more, he said.