From physical PLCs to national scale grid simulation, SANS redefines cyber defence training with a live fire environment that mirrors reality.
Tallinn, Estonia, 21 April 2026 — Attacks on critical infrastructure are no longer theoretical. The gap between "cybersecurity training" and "actual operational readiness" has never mattered more. SANS Institute is helping to close the gap at this year's NATO CCDCOE Locked Shields. Locked Shields is the world's largest and most complex live-fire cyber defence exercise, run annually by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) since 2010. This year, SANS Institute designed and built a fully operational Power Generation System (PGS), not a replica, not a software simulation in the traditional sense, but a controls-based energy environment where 16 international teams must keep a national-scale grid running while it's actively under attack.
"We are putting teams in an environment where cyber decisions directly impact physical operations," says Felix Schallock, who leads the initiative at SANS Institute. "If you lose visibility, if you lose control, the power generation can be affected. That's the reality operators face every day. That's what we're training for."
“Locked Shields is a technically advanced exercise that challenges participants to defend the critical infrastructure systems modern societies depend on. As much of this critical infrastructure is owned and operated by the private sector, strong public–private collaboration is essential. Industry partners such as SANS Institute play a vital role in making the exercise as realistic and impactful as possible,” said Tõnis Saar, Director of the NATO CCDCOE.
What makes this different from a typical cyber range is the infrastructure itself. The SANS-built environment includes nearly 70 physical industrial control assets—real Programmable Logic Controllers (PLCs), real Human-Machine Interfaces (HMIs), real operator workstations, engineering workstations, and supporting network infrastructure—alongside 100 virtual machines and hundreds of interconnected systems across the broader CCDCOE environment, forming a hybrid IT/OT architecture. Digital actions have physical outcomes. Maintaining a reliable generation system isn't a metric on a scorecard; it's the mission.
"We're showing teams how to defend infrastructure that can't simply be rebooted or patched on the fly," says Tim Conway, SANS Institute Fellow and ICS Curriculum Lead. "You have to think like an operator, not just a defender. That mindset shift is what makes this environment so powerful."
Participants are tasked with defending their assigned energy provider while under sustained attack from sophisticated Red Teams. Success requires more than detecting threats; it demands operational discipline: maintaining continuous power generation, preserving communications between IT and OT networks, retaining visibility and control of industrial systems, and avoiding disruptions that could destabilize the grid. Failure is immediate and visible. A misstep doesn't just trigger an alert; it can degrade system performance, disrupt generation, or simulate national-level consequences.
The PGS environment is fully integrated into the Locked Shields exercise floor with physical industrial systems displayed live at the venue, real-time dashboards showing national generation and system health, and dedicated Red and Green Team environments validating realistic attack scenarios. Every defensive action (or failure) ripples through the system in real time. Teams don’t just see alerts; they see turbines throttled, breakers opened, and generation capacity affected.
James Lyne, CEO at SANS, says, "I'm incredibly proud of what the SANS team has built for Locked Shields this year. The scenarios these critical initiatives prepare for are playing out in the world: national espionage, cyber integrated to kinetic attacks and warfare, and retaliation attacks. Throw in AI or machine-speed attackers and the need for defenders to adapt and you have the most disruptive period in cybersecurity in 20 years. We are privileged to help our allies be ready and continuously improving to secure the future. The people defending our critical infrastructure deserve training that takes the threat as seriously as they do."
“This is about preparing teams for the systems that matter most. Cybersecurity training must reflect the environment defenders are protecting,” concludes Schallock. “We’re not just teaching cybersecurity, we’re showing how to defend a nation’s infrastructure when it counts.”
The SANS Institute is the global leader in cybersecurity training and certifications, trusted by governments, enterprises, and security professionals worldwide. For over three decades, SANS has set the industry standard for technical excellence, equipping practitioners with the real-world skills needed to defend today’s most complex digital environments. As cybersecurity evolves, SANS continues to lead the way, defining best practices and establishing the global benchmark for AI security and emerging technologies.
The NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) is the leading dedicated hub for NATO allies and like-minded nations to jointly raise their cyber defence capabilities. Based in Tallinn, Estonia, the Centre brings together 39 nations and conducts research, training, and exercises, including Locked Shields and Crossed Swords.