Security professionals face cyberattacks in real-time trainings at PNNL

Across the United States, much of the nation’s critical infrastructure—including water treatment plants, shipping ports, freight railyards, and more—are digitizing. Mechanisms that once could be performed manually, such as running a water filtration process, are more likely to be run by a computer. 

And with more digitization comes opportunities for bad actors to commit cyberattacks. 

To prepare for a more digitized future, industry professionals can now visit the Department of Energy’s (DOE’s) Pacific Northwest National Laboratory (PNNL) to train against simulated cyberattacks on scale models of critical infrastructure. This year, the team has run four training sessions with industry professionals from a variety of fields, and they’re expecting to run one more by the end of 2024.

The exercises are held at the Control Environment Laboratory Resource (CELR), which PNNL manages on behalf of the Department of Homeland Security (DHS's) Cybersecurity and Infrastructure Security Agency (CISA). The CISA CELR community also includes partners from Idaho National Laboratory, the John Hopkins University Applied Physics Laboratory (JHU-APL), and MITRE.

“Our society is becoming more and more dependent on cyber systems, so therefore the risk of the cyber system being attacked is also increasing,” said Thomas Edgar, a cybersecurity research scientist at PNNL. He’s also the PNNL principal of CELR, which hosts the trainings. “We developed the CELR platforms to support DHS CISA in preparing both federal and private industry to be ready for when the next cyberattack happens.”

Training for a cyberattack

CELR consists of researcher-built scale models of critical infrastructure, including a water treatment plant, a wastewater treatment plant, a freight rail yard, a hydroelectric dam, and a shipping port. These models have been built with “the most critical digitally controlled operations in mind to represent how it might fail in the real world,” Edgar said. 

“With these models, we build out fictional companies and treat them as if they are one of the organizations calling for help against a cyberattack. And then we run exercises to do live training of the analysis,” Edgar continued. 

In a typical exercise, the CELR team first creates a fictional company, with a fictional organizational chart and real computers connected in a network. A third party, such as a cybersecurity team from JHU-APL, creates a scripted sequence of cyberattacks the trainees must confront. 

Tina Ellis, a cybersecurity analyst at PNNL, has participated in two trainings so far—both for water treatment plants. Although her work is focused on protecting PNNL itself, “the techniques and the tools that the simulated attackers use are going to be the same as what we would see an attacker use in our environment,” Ellis said.

“The infrastructure will be different, but a lot of the techniques—like the way an attacker initially accesses the system—would probably be something similar to what we might see here at the lab,” she continued.

Red team vs. blue team

The simulation begins when a team of attackers, known as the red team, initiates a cyberattack on the fictional facility that the trainees—or blue team—must recognize and counter. In Ellis’s case, it was a ransomware attack. When she and the blue team logged onto their computers, a message appeared demanding money or else all their data would be destroyed. 

“At the base level, a lot of the attack tactics are kind of similar,” Edgar said. “They’re trying to take over a computer and make it do something it shouldn't, but that computer might be controlling a railway switch or a water pump. We try to model as much realism as we can.”

Once the blue team recognizes an attack, they simulate a response including reporting to officials of the fictional company and recommending how to remediate the issue.

Meanwhile, the red team will “be attacking more and more of the system all the way up to causing a physical impact on the scale model,” Edgar said, such as raising or lowering water levels. “The blue team can actually see changes in the model going on in the background, like the green lights that represent UV lights for cleaning water flickering or going off.”

Ellis said that in her training, when the lights started flashing and alarms started sounding, the sensory overload “made you feel like you were in an immersive situation where you could feel the physical representation of what was going on. In the digital world, we don't get to see that that often.”

During some trainings, the blue team also visits a real facility like a water treatment plant to contextualize the systems they are protecting in the exercise with a real-world example.

To win is to learn

As the attack progresses, “we have a number of defined failure conditions the red team can cause if they are successful in their attack, so we can show trainees what could happen in a real system,” Edgar said. 

In these trainings, to win is to learn. “The blue team has to find out as much as they can about what's happening in the scenario. That's how you win. You document what's all happening as much as you can, then take that knowledge into the real world,” Edgar continued.

Once Ellis and her team completed their trainings, they got to sit down with the red team and ask questions about their methods, how they initially gained access, and how they got around the blue team’s defenses.

“What the training allowed me to do is practice some of the skills and learn in an environment where there's nothing at stake—there are no bad guys actually getting in,” Ellis said. “It’s just like any situation where you're faced with a puzzle and there's a clock running and you need to put the puzzle together—it's exciting.”