New course helps protect critical UK national infrastructure against cyber attack

"Cyber Range" exercises to help InfoSec teams fight threats against electrical power grids, water utilities, HVAC systems and industrial automation amongst growing list of critical targets

  • Bethesda, MD
  • February 12, 2015

April will welcome the UK's first ever hands-on InfoSec course designed specifically for IT professionals charged with securing critical national infrastructure and related industries. The new course from SANS Institute follows an increase in cyber-attacks aimed at delivering kinetic payloads.

SANS SEC562: CyberCity Hands-on Kinetic Cyber Range Exercise will make its European debut in London from April 27th to May 2nd. The 6-day course includes a hands-on digital representation of a city and commonly found real-world systems used across a wide range of computers, networks, programmable logic controllers and underlying protocols that operate most of the physical infrastructure used by key UK utilities, oil and gas, military and industrial automation.

"There has been an assumption that cyber-attacks are all about targeting banks and retailers for monetary gain but for many years, critical national infrastructure has been under constant attack without generating the headlines or media hype," explains Tim Medin, course co-author and certified SANS instructor.

"The motivations of the attackers are not so clear-cut anymore - we are seeing a type of asymmetric warfare where actors including hacktivists, disgruntled employees and in some cases nation states that cannot mount a direct attack, instead aim to cause real-world damage without the spotlight of notoriety or risk of arrest."

Medin points to incidents including a steel mill in Germany, a gas pipeline in Turkey and the infamous Stuxnet attack on nuclear facilities in Iran as examples of cyber-attacks that have led to severe kinetic damage. "Increasingly, organisations are using sophisticated IT to improve the efficiency of electrical grids, water treatment and even traffic lights but these interconnections can leave highly computerised nations vulnerable to attacks that cause an incredibly damaging ripple effect."

Medin also highlights the challenges for the teams tasked with protecting these systems. "One of the fundamental problems for defenders is that these systems are complex and highly specialised and often in place for several decades. The skill needed to design and implement best practice security in these environments is scarce and even making small changes to live systems is a daunting process. There is an element of risk as the consequences of mistakes can literally turn-the-lights-out."

The new course includes a 1:87 scale miniaturised physical city that features ICS-controlled electrical power distribution, as well as water, transportation, hospital, bank, retail, and residential infrastructures. The software systems used by these infrastructure models are real, and the course is weighted towards hands-on exercises that help students understand the processes attackers use to gain control, so that they can better defend these targets.

The course includes modules that focus on network reconnaissance, protocol manipulation, ICS switching and power grid manipulation. However, the course also looks at operator interface terminals and the human elements such as the targeting of key individuals through social networking and intelligence gathering. The course is rounded off by a red-team/blue-team mock cyber battle within the CyberCity to put theory into a practical arena for attack and defence scenarios.

"It may sound like overkill but the reality is that every year, more of our infrastructure is becoming connected and automated and if we fail to properly train the people who we ask to defend these systems, then eventually we will have a 'Titanic moment' and then it will be too late."

"Part of the challenge is to change the mind-set away from complacency towards an active defence," says Medin. "The debut of this course in Washington last year reached 100% capacity in days of registration and the attendees were a diverse mix of senior staff across the entire spectrum of infrastructure as well as military and governmental."

"The feedback we had was amazing and this first UK session has also had a huge amount of forward interest and we urge that participants register as soon as possible to secure a place," Medin adds.

SEC562: CyberCity Hands-on Kinetic Cyber Range Exercise will take place within SANS ICS London 2015. The annual event will also run the foundational ICS410: ICS/SCADA Security Essentials course and two hosted courses on "Assessing and Exploiting Control Systems" and "Critical Infrastructure and Control System Cybersecurity".

For more information, please visit: or email

Media Contact

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals in government and commercial institutions worldwide. Renowned SANS instructors teach more than 60 courses at In-Person and Live Online cyber security training events, and more than 50 courses are available anytime, anywhere with our OnDemand platform. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers a master’s degree, graduate certificates, and an undergraduate certificate in cyber security. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their ‘human’ cybersecurity risk. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system – the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community.