Grid NetWars

A suite of hands-on, interactive scenarios and challenges for Operational Technology professionals of all skill levels.


Grid NetWars is a suite of hands-on, interactive learning scenarios that enable Operational Technology security professionals to develop, test and master the real-world, in-depth skills they need to defend real-time systems. It is designed as a challenge competition and is split into separate levels to allow players to quickly move through earlier levels based on their expertise. The Grid NetWars experience has been themed for the electricity industry and the scenario has been previously used to support multiple electric sector exercises. Grid NetWars was designed to enable participation by players at all skill levels and from any sector (not just the electric sector).

Scenarios & Levels

The fictional US-based Alset Energy company owns and operates electric generation, transmission and distribution assets. The company takes pride in its active participation in compliance and standards drafting activities, its information sharing with its partners and the larger industrial control system community, and its overall IT and OT cybersecurity posture. Recently, however, Alset Energy has experienced numerous unexplained system failures, and concern and doubt about the effectiveness of its cybersecurity program are increasing. In Levels 1 and 2, participants are tasked with achieving an understanding of the environment and determining what is occurring at Alset Energy. In Levels 3 and 4, participants work hard to discover the adversary actions that caused service outages and how to recover the system while customers and critical loads are desperately seeking answers.

"Very hands on quality content, exposure to material I wouldn't otherwise encounter." - Grid NetWars 2017 participant

Level 1

  • In level 1, participants utilize publicly available information and information provided to them by Alset Energy to help them gain an understanding of the enterprise environment compromise. In this level, participants are challenged to perform incident response actions within the IT Stage 1 cyber kill chain. Participants will examine IT network architectures, remote access implementations, and supply chain and third-party risks, analyze logs and endpoint artifacts, and ultimately look to the adversary positioning and intent to impact electric systems operations.

Level 2

  • In level 2, participants utilize an ICS-specific virtual machine distribution provided with a series of artifacts for analysis and ICS-specific tools to work through challenge questions. The level 2 questions follow the adversary through their ICS kill chain path into initial Stage 2: environment discovery, mapping, and reconnaissance. In this level, participants must figure out the extent and true nature of the compromise as they work to identify adversary actions within the OT environment.

Level 3

  • In level 3, participants will begin to see adversary ICS attack validation and testing of capabilities within the targeted operations environment and will need to identify the adversary actions performed and the devices impacted. Simulation tools, endpoint, network, and logic artifacts will be used throughout the level as participants hunt for answers and work to contain the ICS incident.

Level 4

  • In level 4, participants will observe system impacts and the effects of the adversary attack on the electric system. Through analysis of observed system behavior, logic, and network traffic, participants will need to determine what actions need to be performed to eradicate the adversary access and recover the impacted systems to restore system integrity and reliability.

Laptop Requirements

  • 64-bit system
  • Internet access
  • Latest VMware Player or admin privileges with the ability to install VMplayer and enable VT support in BIOS
  • Ability to disable all security software on your laptop, including antivirus and/or firewalls
  • At least 30 GB of free hard-drive space (50 GB recommended)
  • At least 8 GB of RAM
  • Download of Grid NetWars VM distribution will be provided to registered attendees.

For more information about Grid NetWars email us at ics@sans.org.

Grid NetWars Case Study

Learn how the Polish energy grid and Industrial Control Systems (ICS) cybersecurity professionals across Europe empowered their staff to gain practical real-world experience combating ICS cyber attacks with SANS Institute's Grid NetWars cyber exercise.


Grid NetWars Tournament Schedule

All scheduled ranges and tournaments will run virtually.
Grid NetWars: Nov. 18-19

6:00 pm - 9:00 pm SGT

Complimentary with SANS November Singapore, October Singapore, India October, Tokyo Autumn, Canberra Spring, Japan November, South by Southeast Asia November 2021 4-6 day courses


NetWars is challenging for all levels of expertise, has great hints if you get stuck, and promotes continuous education.
Jon-Michael Lacek
- Wegmans Food Markets
Core NetWars was challenging but not frustrating for newbies. This is my first time doing NetWars and it has been a blast.
Rachael Murray
- Northwestern Mutual
Having participated in NetWars Continuous and in the NetWars Tournament, I can honestly say that they were the most intellectually challenging and enjoyable tests of technical skills in which I have participated.
Kees Leune
- Adelphi University