With a steady stream of alerts and warnings about potential cyberattacks against critical infrastructure, the recent announcement from Idaho National Laboratory that it had expanded the scope of its Control Environment Laboratory Resource (CELR) to include ICS and OT is a positive step forward to accelerate the cybersecurity capabilities of these key industries.
CELR, which is funded and managed by CISA, is a test range where users may run simulated attack scenarios against actual industrial equipment such as fans, compressors, sensors, valves, and more, coupled with a real IT or OT environment to understand the kinetic impact of cyber-physical attacks on critical infrastructure and services.
Timothy Huddleston, a program manager at INL, said during this episode of the Aperture podcast that CELR has benefits for incident response training (red/blue teaming), defensive tooling capability evaluations, and malware and vulnerability analysis. CELR today supports security and risk scenarios within oil and gas, electricity, chemical, building automation, and smart vehicles, with additional capabilities in the works.
"What CELR does is that it emulates real critical infrastructure. That kind of convergence of real physical components and an IT or OT environment is extremely effective in helping us test out cyber capabilities before they're deployed," Huddleston said, adding that CELR is used primarily for training response capabilities within realistic exercise scenarios, as well as malware and vulnerability analysis.
CELR attack scenarios are built to test the impact of cyberattacks on physical processes, including infrastructure dependencies that could be affected by, for example, code execution, malware or vulnerability exploits. Users can inject themselves into the scenarios and test their response capabilities in real time. According to INL, which partners with Pacific Northwest National Laboratory and Johns Hopkins Applied Physics Laboratory on CELR, the simulations include threat actor techniques and demonstrate how to best defend against potentially disruptive or destructive cyberattacks against ICS.
"Everyone brings their own unique perspective and objectives to each training scenario," Huddleston said. "Probably the largest theme we see is that people are attempting to gain increased skills and proficiencies because there's not a lot of options for them to gain that experience other than to do it operationally—especially when we're talking about incident response or something in real time. It's extremely difficult, and you don't want to step into those environments without some experience or expertise."