
Case Study: When the Lights Must Stay On

How NATO CCDCOE's largest cyber defence exercise is preparing the people who cannot afford to fail.

Every year, NATO's Cooperative Cyber Defence Centre of Excellence gathers thousands of military cyber defenders to join Locked Shields, the world's largest live-fire cyber defence exercise held in Tallinn. Since 2025, SANS Institute has contributed a live industrial control systems environment built to replicate real-world operational systems, putting the people responsible for national security face to face with the consequences of a successful attack on critical infrastructure.

In the spring of 2025, pro-Russian hackers attempted to disable a thermal power plant in western Sweden. The attack failed, but Sweden's Minister of Civil Defence did not mince words when he disclosed the incident in April 2026: these are no longer denial-of-service attacks. They are destructive operations targeting the systems that control physical infrastructure. "If these systems are disrupted, destroyed, or remotely controlled by a threat actor, the consequences for society can be significant."

Sweden was not alone. In December 2025, coordinated attacks struck combined heat and power plants in Poland, supplying nearly 500,000 households. In Norway, hackers seized remote control of a dam and opened its floodgates. The line between cyberattack and physical sabotage is dissolving. What that demands of defenders is shifting accordingly: the question is no longer how to stop an attack. It is how to keep critical systems running while one is already underway.

That shift is precisely what Locked Shields is designed to confront. In April 2026, in Tallinn, more than 4,000 experts from 41 nations worked together to defend simulated national infrastructure against sophisticated attacks designed to mirror real-world conditions as closely as possible. Not as a theoretical exercise, but with real equipment, real industrial protocols, and consequences that are immediately visible.

Beyond the Firewall

For most cyber defenders, the word "attack" still conjures data: stolen records, encrypted files, disrupted networks. Operational technology adds physics. OT systems rely on many of the same data-centric elements as traditional IT, but process environments also control the physical world: the pressure in a pipeline, the state of a circuit breaker, the output of a generator. When those systems are compromised, the consequences are not measured in data loss. They are measured in homes without heat, military bases without power, and supply chains that stop moving.

It is the part of the threat landscape where preparation has historically lagged furthest behind. Many defenders encounter industrial control systems for the first time during an incident, not before it. Locked Shields exists, in part, to close that gap. "Our global work in industrial control systems and operational technology education is, I believe, exactly why SANS has been able to collaborate and contribute to this valuable exercise," says Tim Conway, ICS Curriculum Lead at SANS Institute.

Building the Environment

In 2025, SANS contributed a power generation layer to the exercise, giving blue teams hands-on experience with the industrial control systems that run a real power plant. In 2026, that contribution expanded significantly. SANS integrated its power generation environment with the transmission system already built by CCDCOE, replicating the interdependence that defines real-world energy infrastructure. The result: if the transmission system came under attack, every blue team felt it. If one team's generator failed, the shortage crossed into neighbouring networks.

The environment SANS built and operated comprised 69 physical industrial control assets, including physical PLCs and HMIs, supported by 99 virtual machines across 168 interconnected components. Engineering workstations ran the actual software used to interact with controller devices. Operator workstations displayed live system status: how much power was being generated, whether the plant was connected to the grid, and how the environment was responding in real time. High-speed grid communication was built in, including the monitoring challenges that come with it: a delay in data exchange does not stay digital. It triggers a reaction from the grid itself.

Building that environment is one challenge. Operating it reliably across the full duration of a live exercise, resetting overnight and restoring every component to a verified state before teams return in the morning, is another. Felix Schallock, ICS course author and SANS technical lead for the Locked Shields build, describes the operational reality behind that environment: "The exercise complexity that has been built is continuously tested, validated, and orchestrated throughout the development and execution stages, and is truly impressive and provides a unique experience for Blue Teams." That discipline, delivering reliably under pressure, is also part of what motivates SANS to pursue a deeper role and expand the capabilities it offers in the exercise year over year. "We do not overpromise," Schallock says. "If we agree to deliver, we deliver, whatever it takes."

The Mindset That Matters

Locked Shields brings together participants from across NATO's member states, paired country by country, working together as a team. Each participating nation can send upwards of a hundred to a hundred and fifty participants, and they are, almost without exception, military. Cyber defenders, intelligence analysts, and national security operators. Not power sector engineers, not critical infrastructure operators. For most of them, the industrial control systems they encounter in Tallinn are not part of their day job. Locked Shields forces them to think like operators anyway: to understand what losing visibility over a generator actually means, what cascading failure looks like across an interconnected grid, what it takes to sustain operations when an adversary is already inside the system.

Conway describes the core shift the exercise is designed to produce: "The main thing is not how you stop the attack. It is how you operate critical infrastructure through a successful attack. That is the mindset we are trying to build."

That is not a question most organisations can answer from a classroom. Tabletop exercises produce paper incident response plans. Real incidents expose how rarely those plans survive contact with a live environment. Conway is direct about what that leaves: "You have two typical paths. You learn during an attack, which is not a position you want to be in. Or you train in ways that never get close enough to the real world to build the capability you actually need when it matters. Exercises like Locked Shields provide a third path."

Schallock observed the difference that preparation makes directly, watching teams across the exercise. Some arrived with creative solutions already in mind, building their own capabilities to inspect industrial traffic in real time. Others discovered the unique operating constraints of a live process environment and had to adapt capabilities throughout the exercise. The spectrum was wide, but the direction was consistent. "Year over year, players improve," Schallock says. "To see that is a confirmation that training together, and countries partnering with each other, makes a real difference for the people they are there to protect."

The work SANS does at Locked Shields reflects a broader mission. The energy companies, water utilities, and transport operators that military defenders rely on during a conflict are not military organisations. They are commercial entities with their own people, their own systems, and their own preparedness gaps. SANS works with both worlds and increasingly sees building bridges between them as essential. The partnership with CCDCOE, now entering its third year and continuing to expand into new infrastructure sectors in the future, is one expression of that mission. If your organisation operates or depends on critical infrastructure, the challenge Locked Shields trains for is not hypothetical for you either.

The Stakes Are Not Abstract

Locked Shields runs against a fictional geopolitical backdrop, complete with invented nations, AI-generated election scenarios and simulated disinformation campaigns, because the real threat operates the same way. Cyber operations against critical infrastructure do not arrive in isolation. They are embedded in a broader conflict, and they are escalating. AI and the interconnectivity and interdependence of IT and OT are now the dominant topics in every conversation about national cyber defence, across every participating country.

The teams training in Tallinn are not preparing for a hypothetical. They are the people who will be called on when a dam's floodgates open unexpectedly, when a city's heating fails in January, when a military base loses the power feeds it depends on. For the decision-makers who send them, Conway said: "The investment is in people, and people learn significantly better in a real-world, hands-on environment than in a traditional lecture-only classroom learning environment. When the moment comes, that preparation is what makes the difference. It is worth every penny."

The people who trained in Tallinn went home carrying something with them: the memory of a system under attack, and the knowledge that they kept it running.