The U.S. military is ramping up preparation for cyber wars of the future that will be waged over computers instead of traditional combat zones. In this world, some of our best technological advances look more like vulnerabilities. We’ve figured out how to network bank accounts, streetlights and power grids, how to connect real-time transit data to riders anywhere, or medical records in one hospital to doctors across town. Each of these technologies, though, could just as easily invite cyber attack, with particularly grim implications for major cities.

But for all of these high-tech high stakes, the latest training tool to defend urban infrastructure is a decidedly low-budget innovation: It’s a model-train town, built with parts from the local hobby shop, sitting in an office in New Jersey.





The 6-by-8-foot miniature CyberCity has just been built by the SANS Institute, which leads information-security training for military, government, and civilian officials (this is where you go for classes on digital forensics and network penetration testing). For the past few years, SANS has been running NetWars computer simulation training games for the military. Officials, though, wanted a program that would really capture the “kinetic effects” of cyber warfare.

“That’s what military guys use to refer to stuff in the physical world breaking down or blowing up,” says Ed Skoudis, a SANS instructor and director of the NetWars program. This is–-a little frighteningly–the new frontier of cyber war. “A lot of computer security over last 10 years has really focused on computers themselves and the data on them–somebody hacks in and steals 47 million credit cards, or it’s focused on spying and espionage,” Skoudis says. “But the threat is changing. It’s still that, but adding to that, it’s now people hacking into computers to cause real-world physical damage.”

The threat is changing. It’s now people hacking into computers to cause real-world physical damage.

He’s talking about power blackouts, derailed trains, airport control towers run amok. Sure, you could simulate these scenarios on a computer screen. But SANS wanted to drive home the direct connection between invisible data and physical catastrophe. And so it built a miniature town.

CyberCity has its own train network, a hospital, a bank, a military complex, and a coffee shop complete with–and this is crucial to the exercise at hand–free Wi-Fi. The town is virtually populated by 15,000 people, each with their own data records and electronic hospital files. Much of the model town literally came from a hobby shop, but the technology and systems that make it run are modeled on the real world. The power grid components, for example, are the same ones you’d find in an actual city. “It is lighting tiny little lights inside tiny little buildings,” Skoudis says, “but it’s the same technology with the same vulnerabilities.”

The model has five cameras mounted around it, feeding a live video stream for students who will run through cyber-attack missions from remote locations (this is, Skoudis adds, more like what will happen in the real world, anyway, as officials try to defuse problems caused over networks from thousands of miles away). Scenarios controlled over computers will play out on the board in this tiny town.