This year, SANS Institute has designed and built an operational environment of a fictional energy provider (PGS). It is not a replica or a traditional software simulation, but a realistic environment in which sixteen international teams must keep a national-scale electricity grid running while it is actively being attacked.
"We place teams in an environment where cyber decisions have a direct impact on the physical operation," says Felix Schallock, who leads the initiative at SANS Institute. "When you lose oversight and control, energy generation can be affected. That is the reality operators face every day, and that is what we train for."
Locked Shields is an advanced exercise that challenges participants to defend critical infrastructure upon which modern societies rely. Tõnis Saar, director of NATO CCDCOE, says: "Since a large part of this critical infrastructure is owned and managed by the private sector, strong public-private collaboration is essential. Partners, including SANS Institute, play a crucial role in making the exercise as realistic and impactful as possible."
What distinguishes this from a typical cyber range is the infrastructure itself. The environment built by SANS includes nearly 70 physical industrial control components: real Programmable Logic Controllers (PLCs), Human Machine Interfaces (HMIs), operator workstations, engineering workstations, and supporting network infrastructure – all alongside 100 virtual machines and hundreds of interconnected systems within the broader CCDCOE environment that together form a hybrid IT/OT architecture.
Tim Conway, SANS Institute Fellow and ICS Curriculum Lead: "We show teams how to defend infrastructure that you cannot simply reboot or patch 'on the fly'. You have to think like an operator, not just as a security expert. That mindset shift makes this environment so powerful."
Defending the electricity grid during Locked Shields
Participants are tasked with defending their assigned energy provider while being continuously attacked by advanced Red Teams. Success requires more than just detecting threats; it demands operational discipline, such as maintaining continuous energy production, preserving communication between IT and OT networks, maintaining visibility and control over industrial systems, and preventing disruptions that could destabilize the grid.
The PGS environment is fully integrated into the Locked Shields exercise space, with physical industrial systems showcased live on-site, real-time dashboards displaying national energy production and system status, and separate Red and Green Team environments validating realistic attack scenarios.
James Lyne, CEO of SANS Institute, concludes: "The scenarios for which these initiatives prepare are actually happening in the world: national espionage, cyberattacks integrated with kinetic warfare, and retaliatory strikes. Add artificial intelligence or attackers at machine speed, and you have the most disruptive period in cybersecurity in twenty years. We are privileged to help our allies be prepared and continuously improve to secure the future."