A small town is facing a blackout as hackers try to break into the computers controlling its power grid.

More than 1,500 kilometres away, a team of computer experts is trying to find the malicious code and shut it down before the lights go out.

It may sound like a scene out of a Hollywood plot, but it's just another day in the life of CyberCity, a two-square-metre model town that serves as a training ground for computer security experts in their continuing battle against hackers.

Tucked away in a secret location in New Jersey, the model town of 15,000 employs the same software and control systems used by power and water utilities in major cities.

CyberCity has its own internet service provider (ISP), bank, media outlets, military base, hospital and school, all to provide a mock staging ground for the kinds of computer security threats faced by city officials all over the world.

Ed Skoudis designed CyberCity four years ago when military clients of his company, CounterHack, complained that most information security training felt too much like video games.

"We need to demonstrate kinetic impact – that’s the word the military folks use for physical things," Skoudis said. “Stuff moves, stuff could break, people could get injured, people could get hurt, and the military indicated to us 'we need the ability to train our people to prevent that kind of stuff from happening.'"

Defending the castle

CounterHack,  which designs, builds and operates information security training programs, holds sessions across the country, where a mix of computer consultants, public works employees and military contractors spend hours attacking and defending CyberCity.

The students conduct missions exposing the weaknesses of CyberCity’s computer systems – and by extension, show them real-world vulnerabilities.

In late February, CounterHack's Tim Medin led a class of 13 students during a conference held by the SANS Institute, an information security research and training organization based in Bethesda, Md.

Their first mission was a simple one: Break into CyberCity's transportation system and change the message on an electronic billboard. 

To do it, the students search CyberCity's mock social network, FaceSpace. There, as in the real world, they find the daily musings of CyberCity's virtual employees, who reveal everything from the types of software the department uses to the format of log-ins and passwords. 

Kinetic impact

Using the publicly available information, they are able to hack into the system in less than an hour. Watching via a remote camera, they see the electronic billboard change from "Welcome to CyberCity" to "Zombies Ahead!"

This is what Skoudis calls a kinetic impact.

Similarly, when the student hacker breaks into CyberCity's power grid and shuts it down, the lights go off.

The missions include an attack on the city's airport and military exercises involving a rocket launcher hackers hope to use against CyberCity.

Medin allows the students to play the role of both hacker and protector, the latter being the more difficult, he says.

"Think of it like a giant castle and it’s sort of an asymmetric game because you have to defend everything perfectly," he said, "whereas the bad guy has to find one or two ways in and it’s off to the races."

The threat

While media headlines focus on massive data breaches such as the Sony Pictures hack or the theft of credit card information from U.S. retailer Target, Medin spends time in class talking about lesser-known incidents, such as a German steel mill where hackers used phishing emails to break into the system and shut down a furnace, causing extensive damage. Then there's a Turkish oil pipeline where hackers shut down security cameras before causing a massive explosion.

While the capability is there, attacks on infrastructure are less frequent because there’s little monetary gain for the attackers, Medin says.

“It’s tough because what you don’t want to do is panic everybody and say 'Hey look, this is going to happen,’ but at the same time you want to raise awareness that things like this can happen," he said.

In December, the U.S. government passed legislation calling for the voluntary standards to reduce cyber risks to critical infrastructure. Skoudis has seen the need first-hand. Through his consulting work, he's helped utilities locate and remove destructive or intrusive software in their systems.

"If bad guys were really determined and they were to go after power generation equipment, they might be able to take our power for many days, maybe weeks," he said. "That's a worse-case scenario that I think about and worry about."

Because of the sensitive nature of the material, he can't reveal what his company has found and where, and in many cases it's difficult to determine who placed the software. 

"That's raised a lot of eyebrows — hasn't made a lot of news stories yet, but it's raised some eyebrows," he said, "so the awareness is increasing. It's not where it needs to be though."