The U.S. military is ramping up preparation for cyber wars of the future that will be waged over computers instead of traditional combat zones. In this world, some of our best technological advances look more like vulnerabilities. We’ve figured out how to network bank accounts, streetlights and power grids, how to connect real-time transit data to riders anywhere, or medical records in one hospital to doctors across town. Each of these technologies, though, could just as easily invite cyber attack, with particularly grim implications for major cities.
But for all of these high-tech high stakes, the latest training tool to defend urban infrastructure is a decidedly low-budget innovation: It’s a model-train town, built with parts from the local hobby shop, sitting in an office in New Jersey.
The 6-by-8-foot miniature CyberCity has just been built by the SANS Institute, which leads information-security training for military, government, and civilian officials (this is where you go for classes on digital forensics and network penetration testing). For the past few years, SANS has been running NetWars computer simulation training games for the military. Officials, though, wanted a program that would really capture the “kinetic effects” of cyber warfare.
“That’s what military guys use to refer to stuff in the physical world breaking down or blowing up,” says Ed Skoudis, a SANS instructor and director of the NetWars program. This is–-a little frighteningly--the new frontier of cyber war. “A lot of computer security over last 10 years has really focused on computers themselves and the data on them--somebody hacks in and steals 47 million credit cards, or it’s focused on spying and espionage,” Skoudis says. “But the threat is changing. It’s still that, but adding to that, it’s now people hacking into computers to cause real-world physical damage.”
He’s talking about power blackouts, derailed trains, airport control towers run amok. Sure, you could simulate these scenarios on a computer screen. But SANS wanted to drive home the direct connection between invisible data and physical catastrophe. And so it built a miniature town.
CyberCity has its own train network, a hospital, a bank, a military complex, and a coffee shop complete with--and this is crucial to the exercise at hand--free Wi-Fi. The town is virtually populated by 15,000 people, each with their own data records and electronic hospital files. Much of the model town literally came from a hobby shop, but the technology and systems that make it run are modeled on the real world. The power grid components, for example, are the same ones you’d find in an actual city. “It is lighting tiny little lights inside tiny little buildings,” Skoudis says, “but it’s the same technology with the same vulnerabilities.”
The model has five cameras mounted around it, feeding a live video stream for students who will run through cyber-attack missions from remote locations (this is, Skoudis adds, more like what will happen in the real world, anyway, as officials try to defuse problems caused over networks from thousands of miles away). Scenarios controlled over computers will play out on the board in this tiny town.
In one training “mission,” terrorists hack into the power grid, cause a blackout, and reconfigure the power company’s computers so that utility workers can’t get into them. The challenge: hack the computers and get the lights back on. They will, in fact, flicker on and off in CyberCity.
In another scenario, students must figure out how to simultaneously turn all of the traffic lights in town red, to halt the escape of terrorists fleeing the city. In others, they must derail a train barreling toward town with radiological weapons, or reprogram a rocket launcher on the military base that’s been aimed at the hospital. All of these actions will also take place in CyberCity, for students to follow from afar. SANS expects those students to come first from the U.S. military, and eventually government agencies and critical infrastructure providers like utility companies.
The whole setup is a low-budget alternative to costly computer graphics (“Have you looked at budgets for making video games today?” Skoudis asks. “It’s like major motion pictures now!”). But it’s also the simplest way to illustrate how dominoes fall in the real world. “If you were to do the entire thing simulated, it would be less meaningful to most of the [military] leadership. They want to see physical things. They want to see the battle space, and what’s happening there,” Skoudis says. “That’s our whole goal here: to show you can cause physical damage or change in a city environment entirely using computers.”
Better to make the point now on a toy-train town than later in an actual city.