CYRAN: A Hybrid Cyber Range for Testing Security on ICS/SCADA Systems

Introduction

Today Cyber Security is at the top of many government’s agendas and extensive research is conducted (Ayres et al., 2016) with the aim of designing solutions that protect against or mitigate cyber attacks (Nickolson et al., 2012). To evaluate such solutions and to increase understanding of how cyber-attacks against organisations evolve and propagate, the replication of realistic attack and defence scenarios is paramount (Hahn et al., 2013). Technical solutions which implement low-level controls such as VPN deployment, data-diodes to ensure unidirectional information flows to the deployment of complex role-based access control mechanisms and federated identity management all serve the purpose of preventing attackers from penetrating the organization defenses. However, the development of security solutions without understanding the concrete threat or the organizations’ security behaviour when faced with an incident is lacking a holistic approach to security that must bring together infrastructure, software and human variables. In this work we present the De Montfort University Cyber-Range (CYRAN) providing the infrastructure and resources in terms of scenarios and labelled data-sets to ensure that cyber security solutions are relevant to real world problems and provide insights into how cyber incident response and emergency readiness teams respond to attacks.

One of the earliest works towards the generation of attack datasets was the 1998 Defence Advanced Research Projects Agency (DARPA) in partnership with the Massachusetts Institute of Technologys Lincoln Labs (Lippmann et al., 2002). Their work produced datasets containing simulated data which replicated the traffic of a U.S. Air Force base. They undertook further work in 1999 to extend the previous datasets and released a final extension which addressed specific attack scenarios in 2000. Much research has subsequently been written regarding the shortcomings and usefulness of the DARPA datasets, McHugh (2000), Mahoney (2003), Thomas (2008). Irrespective of these works, these datasets, while innovative at their time, are now nearly 16 years old. As a result they can no longer be considered as representative of modern traffic containing examples of current Advanced Persistent Threats (APT) and Advanced Evasive Threats (AET).

Further work to address the lack of available data-sets was undertaken by Sangster (2009). In order to generate the data, they created a Capture the Flag (CTF) environment, running attack and defense scenarios. The attacking participants were limited to military and government security agencies who launched attacks across a Cyber Range (CR) over a four day period. It is logical to assume that such participants would behave with a nation-state mind set and attack and defend accordingly. Therefore, from a typical corporate enterprise and/or production environment, the subsequent datasets could be potentially viewed as not representative of typical enterprise traffic and related attack types. However, this work clearly proved the efficiency of using CRs to produce unique datasets.