A 2-square-meter model city shows cyber-threats real cities face

Published 25 March 2015

Much attention has been focused on cyber breaches targeting U.S. private sector firms in retail, banking, and entertainment, but America’s critical infrastructure also faces a threat from hackers looking to exploit the vulnerabilities of critical systems which are increasingly being connected to the Internet.

In a secret location in New Jersey, Ed Skoudis operates CyberCity, a model town of 15,000 people, which employs the same software and control systems used by power and water utilities in major cities. CyberCity has its own Internet service provider, bank, media outlets, military base, hospital, and school. The two-square-meter model town serves as a mock staging ground for the cyber threats faced by city officials around the world. There, computer security professionals get offensive and defensive training in their battle against hackers.

CBC News reports that Skoudis, founder of CounterHack, designed CyberCity four years ago when military clients complained that most cybersecurity training felt too much like video games. “We need to demonstrate kinetic impact – that’s the word the military folks use for physical things,” Skoudis said. “Stuff moves, stuff could break, people could get injured, people could get hurt, and the military indicated to us ‘we need the ability to train our people to prevent that kind of stuff from happening.’”

CounterHack designs, builds, and operates information security training programs, and holds sessions throughout the country, where computer consultants, public works employees, and military contractors spend time attacking and defending CyberCity. As students expose the vulnerabilities of CyberCity, they begin to understand the cyber weaknesses of critical infrastructure systems. In a late February class of thirteen students, CounterHack’s Tim Medin led the team on their first mission to “Break into CyberCity’s transportation system and change the message on an electronic billboard.” To accomplish the task, the students searched through CyberCity’s mock social network FaceSpace and studied the daily routines and posts of CyberCity’s virtual employees, who revealed details ranging from the types of software their department uses to the format of log-ins and passwords.

With publicly available information at hand, the students were able to hack into CyberCity’s transportation system in less than an hour. Watching via a remote camera, they saw the electronic billboard change from “Welcome to CyberCity” to “Zombies Ahead!”

Students also hacked into CyberCity’s power grid, shutting off the lights. Other CyberCity missions consist of an attack on the city’s airport and military exercises involving a rocket launcher that hackers hope to use against CyberCity. Students often play the role of both hacker and protector, the latter being the more difficult, Medin said. “Think of it like a giant castle and it’s sort of an asymmetric game because you have to defend everything perfectly,” he said, “whereas the bad guy has to find one or two ways in and it’s off to the races.”

Though attacks on critical infrastructure are less frequent partly because there is little monetary gain for the attackers, the public should be aware of the possibility of such attacks. “It’s tough because what you don’t want to do is panic everybody and say ‘Hey look, this is going to happen,’ but at the same time you want to raise awareness that things like this can happen,” Medin said.

The U.S. government has issued voluntary guidelines to reduce cyber risks to critical infrastructure, but Skoudis remains worried. “If bad guys were really determined and they were to go after power generation equipment, they might be able to take our power for many days, maybe weeks,” he said. “That’s a worst-case scenario that I think about and worry about.”