Air Force Staff Sgt. Aaron Wendel, 2nd Lt. Stephanie Stanford and Senior Airman Brett Tucker, part of the 90th Information Operations Squadron at Joint Base San Antonio-Lackland, Texas, conduct cyber operations. (Air Force)
The Air Force is beefing up training for its cybersecurity personnel. The resulting new training program may be adopted by other agencies.
The Air Force is contracting with the SANS Institute, a computer security training organization, to develop the new training capabilities, which will be incorporated into existing training at the Air Force’s 39th Information Operations Squadron at Hurlburt Field in northwest Florida.
Early next year, airmen will begin beta tests of a new product from SANS called NetWars CyberCity, said Skip Runyan, technical adviser for the Air Force unit.
CyberCity is a 6-by-8-foot replica of a small city, complete with a residential neighborhood, a bank with fictitious accounts, and a hospital with fictitious patient medical records, water tower, train system, the Cuppa Josephine coffee shop and a social networking site with fictitious user accounts representing people in the town.
The CyberCity model is in New Jersey, but airmen training on the system at Hurlburt will initially access the physical city and its virtual systems via a virtual private network as a subscription-based training and assessment tool. Users can train individually or compete against each other in training scenarios.
“We’re seeing the threat change, and our customers have said to us we need to show kinetic impact” — in other words, physical damage that can be caused by hacking into an industrial control system or stealing and manipulating data, said Ed Skoudis, the creator of CyberCity and a SANS instructor.
“We are like a flight simulator for cyber warriors,” he said.
Here’s how CyberCity will work: Users must first hack into physical cameras distributed throughout the model city to gain access to streaming video of what’s happening. Users are given missions that could include preventing terrorists from contaminating the town’s reservoir, derailing a train or hacking into the town’s utility company and shutting down power. Another mission may be preventing a resident’s medical records from being manipulated.
Among the skills the airmen use or learn include how to gain control of outside computers and use reverse engineering to, for example, steer rocket launchers away in an attack, or use digital forensics to pull together intelligence terrorists leave behind, Skoudis said.
CyberCity shows the consequences of the trainees’ decisions. For instance, if a terrorist contaminated the water, an LED used to make the replica reservoir appear blue would turn red. Or one of the model trains could derail following a successful attack.
Missions in CyberCity can last hours or days, and airmen are scored on how long it takes them to complete each mission, whether they were able to prevent the attack and other criteria to ensure they understand how they arrived at a solution.
CyberCity also provides users with realistic simulations of the back-end systems that control real-world critical systems, Runyan said.
“If we can defend the model train set, our graduates can most certainly defend the real thing,” he said.
For now, CyberCity can support about 30 to 50 trainees at a time, but there are requests to increase the capability significantly, Skoudis said. SANS also has requests to allow users to create their own missions, he said.
The Defense Department is funding the development of the city and will permit agencies involved in law enforcement or protecting critical infrastructure and certain utility companies to eventually train on CyberCity. Neither SANS nor the Air Force would say how much the project costs, but it has been reported that the price tag is less than $1 million.
The Air Force is using other cyber ranges similar to CyberCity that can simulate control of a critical system, but CyberCity adds a visual element and the ability to better score each user’s abilities. Airmen can fail fast and correct their mistakes during training, as opposed to failing on the job.
“The first time that they see bad guys in front of them should not be on a live network, it should be on our training network,” Runyan said.
In the end, the service will objectively score and determine whether airmen have mastered the necessary defensive skills.
“My customers are the operational squadron commanders,” said Lt. Col. Kiley Weigle, commander of the Air Force’s 39th Information Operations Squadron at Hurlburt. “So, I have to look them in the eye and tell them that I know beyond a shadow of a doubt that this troop … is ready to go.”
A DoD spokesman said, “Efforts to standardize the development of the department’s cyber workforce are underway.”