They're calling it a cyber war; so isn't the best way to prepare through live-speed, realistic training? Merit Network and the State of Michigan think so.
There's a town in Michigan you may want to avoid. It's under attack. The library, school, power company, even the police station are bad-guy targets of opportunity. Welcome to Alphaville.
Michigan and cyber-security
In his 2011 Michigan Cyber Initiative, Governor Rick Snyder raised the bar several notches regarding cyber security, explaining the state needed to increase awareness. Merit Network, a non-profit, member-owned organization with over 4000 miles of fiber and a 10 Gb per second backbone, took the governor's request to heart, creating a cyber-security training department called Michigan Cyber Range, which happens to include the embattled city of Alphaville.
"Every day, breaches to computer systems threaten the security of data — data that may include personal information about Michigan's citizens," mentioned the governor's press release. "This partnership to establish the Michigan Cyber Range benefits all levels of government as well as educational systems, business, and industry."
One of the first steps taken by Merit Network was to hire Dr. William J. Adams as vice president of research and cyber security. Adams has the proper perspective, having served 26 years in the United States Army as CIO of the National Defense University, a professor and research scientist at West Point, and network engineer for the Supreme HQ, Allied Powers Europe.
Adams and his team immediately got to work building the Cyber-Range's classroom environment and live test bed. Today, three years later, the program offers:
● Fourteen online and/or in-person cyber-security classes plus certification courses that are NSA CNSS-accredited as well as NIST and NICCS-mapped
● Help setting up test plans for software developers seeking to make sure their programs are secure
● Real-life exercises developed by Adams and his team of five analysts
The exercises are where Alphaville — in real life, a data center consisting of more than 100 virtual machines — comes into play. Alphaville's standard configuration includes the following virtual establishments:
● Public Library: An open "information commons" featuring an online card catalog, asset-management system, and computer workstations.
● Public School: A K-12 educational network consisting of classrooms, computer labs, staff email, human-resource functions, and student grades in a web-accessible server farm.
● Power & Electric Company: A Supervisory Control And Data Acquisition (SCADA) environment with sensors, human-machine interfaces, and corporate LAN.
● Police Station: A web presence comprised of a general information website; a secure portal for authorized users; and data repositories for legal documents, personal information, and other sensitive material.
The above establishments were chosen as they signify four levels of security commonly found in real-world digital infrastructure. The crew at Merit Network intends to offer additional establishments. "Alphaville continues to expand, creating more specialized training opportunities," mentions Adams. "Plans include additional SCADA, Industrial Control System, and retail VMs."
Red Team versus Blue Team
Alphaville in and of itself is not that unique. However, Alphaville plus the Red Team is. "An exercise sponsor can bring its IT staff to form a Blue Team and defend Alphaville from a Red Team of hackers intent on disrupting communications, stealing critical information or intellectual property, and causing mayhem for political reasons," explains the Cyber-Range website. "These exercises can last a day or more, creating a demanding atmosphere that stresses team communication and documentation in addition to individual skills."
The Red Team is no ordinary group of white-hats. "Red Team members are experienced security professionals who either work for Merit Network or belong to the Michigan Cyber Civilian Corps (MiC3)," mentions Adams. "The MiC3 cyber-expert volunteers are the people the governor calls during state emergencies, so they are serious and know their stuff."
A few months ago, a cyber-security exercise took place at the Michigan Cyber Range. The drill, code-named Power Phoenix, tested the incident-response skills of representatives from Consumers Energy and DTE Energy, two power utilities. "We are always looking for ways to practice our incident-response plans and skills," said Jim Beechey, director of cyber security for Consumers Energy. "This event allowed us to do so in a safe environment with a realistic incident."
Power Phoenix focused on Alphaville's Power & Electric Company and its ability to simulate security challenges indicative of a SCADA environment. This benefited the participants in several ways:
● It allowed participants to react as if the situation was real.
● The exercise was accurate enough to allow both companies to meet compliance requirements.
● After the exercise, participants gained further insight during a debriefing with the Red Team.
"We would normally use a table-top exercise for our training," mentioned John Townsend, manager of information protection & security at DTE Energy. "For the technical people, this exercise is valuable, to deal with injects using the tools we would use in a real incident."
MCRCon and one last thought
Each year, Michigan Cyber Range holds MCRCon in Ann Arbor, Michigan. Besides speakers, the Cyber Range will host a day-long "Capture the Flag" competition on May 12, 2015.
As a military veteran and former volunteer firefighter, I understand the benefit of realistic exercises as a way to prepare for the genuine thing, and the Michigan Cyber Range is doing its part to help IT-security professionals get an edge.