Cyber-security and the Case For Really Good Train Sets

Alex Walker

It’s sometimes easy for us to forget what a brilliant idea the ‘staging server’ is.

Every day we get to test our work on a perfect copy of our website, where our occasional, disastrous, site-killing mistakes have almost zero real-life consequences. If there’s a mistake, we roll back, fix it, wipe our brow and the outside world never knows.

Failure is a wonderful teacher – as long as it doesn’t kill you during the lesson, right?

The real world provides us with fewer risk-free chances to test. For instance, heart surgeons get one shot at a triple bypass. Road construction crews have to rebuild the highway while it’s being used. I’m sure both would jump at the opportunity to complete their work in private before deploying the finished product.

Alas, that’s the stuff of sci-fi for now.

There are some exceptions where teams get to test themselves in semi real-world scenarios. Car crash safety testing is an obvious example.

CyberCity is another I’d like to tell you about.

The Tricky Problem with Cyber-terrorism

Over the past decade, cyber-security has become an increasingly crucial concern for governments all around the world – and with good reason.

Today almost all of our critical civil infrastructure – water, power, transport, health – is intricately wired into our electronic networks. And unfortunately, that network is vulnerable to easy, low-risk and potentially devastating attacks in literally thousands of different places.

So while you’re busily locking down your train system, they could be targeting your power station. While you’re securing the airports, they could be tampering with your water supply.

It’s like trying to keep ants out of a football stadium. Where do you begin defending something with so much surface area?

Apparently the answer is in a room in New Jersey.

The Rise of CyberCity

Ed with CyberCity

For the past five years, Ed Skoudis and his team at SANS Institute have been running an entire metropolis, complete with its own power-grid, airport, traffic management, water supply, hospitals, schools, and retail. There’s even a dog sleeping on a veranda.

They dubbed it ‘CyberCity’ and it’s possibly the most accurate physical replica of a real, living city ever produced – albeit scaled down to occupy a 48-square area.

Ed Skoudis is a counter-hacker and trainer with a background in creating digital infosec simulations, but CyberCity has unleashed his ideas into physical space.

Each item in the city is 1:87 scale but this is no toy. The tiny traffic signals are controlled by real-world traffic management software, and the model trains are coordinated by authentic rail coordination software. Each relay and sensor feeds its data into the kinds of software systems you’ll find quietly running our world.

Computers in the tiny hospital record patients checking in and out while commuters tweet from the subway. Each inhabitant of the city has a unique name, address, and social security number. No detail is spared.

Night falls on CyberCity. What insidious plan awaits tomorrow?

And every day, as the sun rises, the attackers come in. Their first task is to gain access to webcams positioned around the room. They then set about their mission to bring CyberCity to its knees by any means necessary.

They might sniff the Wi-Fi at a cafe for passwords, overload the power grid, DDoS the air traffic control, or compromise the water filtration systems.

As with real cyber-terrorism, these attacks can come from anywhere in the world at any time. Attackers can see the physical evidence of their successes in real time.

Of course, the idea behind CyberCity is to develop their understanding of where attacks might take place and how best to defend against them – before the real attacks occur.

Ed and his team have spent hundreds of hours on tiny details in the city, and not just because it’s fun. Both attackers and defenders need to have ‘high stakes’ and the higher they value CyberCity, the greater the lengths they’ll go to to either take or defend it.

You could say that SANS has effectively built the world’s first ‘anti-cyber-terrorism staging server’. Make your mistakes, learn your lessons, and no one gets hurt.

The CyberCity airport (there’s a silver DeLorean if you look closely).

But what’s arguably even more impressive?

Ed figured out a way to build a kick-ass train-set and get the military to pick up the tab.


P.S. Eric Molinsky toured CyberCity last year and recorded his journey in his wonderful podcast ‘Imaginary Worlds’. If you liked this story, I recommend you give it a listen.

Originally published in the SitePoint Design Newsletter.