Simulation of cyberattack for training in European Union Agency for Network and Information Security

foto: Marek Pawłowski / NCBJ

CyberLab cybersecurity laboratory in Świerk is expanding their research work and international cooperation. At the end of last year the lab generated examples of network traffic that happens during a cyberattack on an industrial network. The data will serve to train security experts by European Union Agency for Network and Information Security (ENISA) and were recently added to Agency’s training materials.

Usually for training purposes the network traffic is simulated, but in such case it strongly deviates from reality. „In our case, we simulated real attacks on industrial systems, instead of saved data that reflect such attack” – explains Mgr Inż. Marcin Dudek, NCBJ. „Data that we provided were really recorded using tcmdump-type tools. In order for them to be realistic they had to be recorded in environment utilising genuine equipment, and that is exactly what we have in CyberLab. The data will serve the participants of the course, who learn how to analyse and detect such attacks. They will be given network traffic we recorded and, according to the exercise scenario, they will have to determine whether there has been an attack, and if there had been, then which type.”

The idea comes from Polish ComCERT company, which also took part in preparing the training materials for ENISA. NCBJ was a partner, which granted access to the research conducted in the laboratory. Prepared training materials are ready to use during training. They are composed of comprehensive information for the trainers as well as finished exercises for the participants.

Tracking network traffic is useful, when analysing what is happening during a technical problem, as well as in an event of cybernetic attack. The data contain information about everything that was transferred between devices in a set window of time. Analysis of network traffic is one of the factors that allowed scientists of CyberLab to detect vulnerability of Siemens S7–1500 controller, which we have reported two months ago.

CyberLab laboratory is operating within Science and Technology Park „Świerk” (PNT), which is an organizational unit of National Centre for Nuclear Research. CyberLab personnel is composed of employees of the Park. The Park mainly provides research services for small and medium sized enterprises on the basis of de minimis aid.

foto: Marek Pawłowski / NCBJ