=Paper=
{{Paper
|id=Vol-2597/paper-02
|storemode=property
|title=EVA: A Hybrid Cyber Range
|pdfUrl=https://ceur-ws.org/Vol-2597/paper-02.pdf
|volume=Vol-2597
|authors=Shabeer Ahmad,Nicolò Maunero,Paolo Prinetto
|dblpUrl=https://dblp.org/rec/conf/itasec/AhmadMP20
}}
==EVA: A Hybrid Cyber Range==
https://ceur-ws.org/Vol-2597/paper-02.pdf
EVA: A Hybrid Cyber Range∗
Shabeer Ahmad13 , Nicolò Maunero23 , and Paolo Prinetto23
1
GSSI - Gran Sasso Science Institute, L’Aquila, Italy
shabeer.ahmad@gssi.it
2
Politecnico di Torino, Dipartimento di Automatica e Informatica, Torino, Italy
nicolo.maunero@polito.it
paolo.prinetto@polito.it
3
CINI - Cybersecurity National Lab
Abstract
Over the recent years, cyber attacks have increased constantly. Attacks targeting sensors
networks, or exploiting the growing number of networked devices, are becoming even more
frequent. This has led to the need to find a way to train the teams responsible for defending
computer systems in order to make them able to respond to any threats quickly. The fact
that it is impossible to carry out training operations directly on corporate networks or
critical infrastructure has led to the birth of Cyber Ranges, virtual or hybrid systems that
allow training in safe and isolated environments. In this paper we present a model for
the implementation of a Hybrid Cyber-Range (HCR), based on the model of a real Water
Supply System WSS). The HCR shall combine the dynamism and flexibility of virtualised
Cyber-Ranges (CR) and the realism of Cyber-Physical Systems (CPS).
1 Introduction
The unification of physical systems and networked computing opened a new era of specialised
systems, usually referred to as Cyber-Physical Systems (CPS) The term “cyber-physical sys-
tems” appeared in 2006 and become popular in 2010, first used by Helen Gill at the National
Science Foundation in the US to mention the combination of cyber computation with physical
processes [11]. A CPS is a high-scale network system consisting of sensors, actuators, control
processing units, and communication devices [5]. Over the recent years, CPSs have received in-
creasing attention due to their intrinsic combination of physical and cyber aspects, in particular,
regarding the aspect of cybersecurity [10, 4].
Industrial control systems (ICS) are a sub-class of CPSs where control processes and physical
actions are under-control of cyber components (PLCs, SCADA, etc.). Any cyber-attacks on
ICS or critical infrastructures such as water supply system, transportation, power grid and so
on1 , may lead to series of serious problems and the consequences for people and infrastructures
can be disastrous.
The concern about cybersecurity of critical infrastructure, in recent years, stimulated the
creation and adoption of new methodologies for the training of cybersecurity teams in charge
of defend them. This lead to the introduction of the concept of Cyber Range (CR). Cyber
Ranges are virtual polygons dedicated to the training of cybersecurity professionals, consisting
of controlled and safe environments, typically based on virtualisation [3].
It is shown in literature that malicious attackers use realistic testbeds to develop complex
exploits, such as, Advanced Persistent Threats (APTs) [12]. This therefore requires the use of
∗ Copyright c 2020 for this paper by its authors. Use permitted under Creative Commons License Attribution
4.0 International (CC BY 4.0).
1 https://www.cbsnews.com/news/cyber-war-sabotaging-the-system-06-11-2009/
�EVA: A Hybrid Cyber Range Ahmad, Maunero and Prinetto
a type of CR that integrates, within it, also real components used in ICS and critical infras-
tructures, to increase its realism [23]. Hereinafter, we will identify this type of CRs as Hybrid
Cyber Ranges (HCRs).
In this paper we present EVA, an Hybrid Cyber Range based on the model of a Water Supply
System. The objective of EVA is to provide a realistic testbed, representing in the best way,
and as faithfully as possible, a real Water Supply System. Moreover it shall also provides the
flexibility of a CR in deploying different scenarios and the possibility to easily test new products
and/or solutions before adopting them in a real system. The paper is structured as follows:
first a brief overview on CRs developed by both industry and academy and the definition of the
various teams that interact with a CR. Then the model and implementation of EVA, the em-
ulator of a real aqueduct, is presented, continuing with the introduction of the model adopted
for upgrading EVA from a CPS to a HCR. Some improvements and issues to be addressed in
the near future are eventually presented.
2 Background
2.1 Cyber Range
A Cyber Range (CR) is a platform that can provide advanced cyber-security training exercises
for university students and professionals, changing the way to approach cybersecurity2 . In as
document of 2018 [16] NIST defines a Cyber Range as “an interactive, simulated representa-
tion of an organisation’s local network, system, tools, and applications that are connected to a
simulated internet level environment.”
The use of CRs derives from the need to have protected and secure environments where perform-
ing cybersecurity activities, isolated from the outside world and without the need to operate
directly on the corporate networks or infrastructures under analysis.
Three different types of CR can be identified:
Physical Cyber Ranges : the testbed faithfully recreates a network or computing infrastruc-
ture, guaranteeing the highest level of loyalty, often using real components of the reference
infrastructure. This typology is, on the one hand, the best for gaining experience and
gathering results with the aim of improving the defences of a given infrastructure. On the
other hand, it has the disadvantages of (i) being less flexible, since a modification may
require the reconstruction of the entire CR, and (ii) requiring a very expensive set-up
process.
Virtual Cyber Ranges : in the testbed all the components of the reference infrastructure
are simulated, using virtualisation technologies, to obtain testbeds of different complexity.
The main advantage of this approach is that the components needed to build it (servers
for hosting virtual machines) can be easily found, at a relatively low cost, on the market.
It is also possible, in this case, to get a high degree of flexibility and scalability in changing
the simulated environment. However, this approach has the disadvantage of not providing
an experience very similar to the real one.
Hybrid Cyber Ranges : sometimes referred as Cyber-Physical Ranges, this typology is a hy-
brid of the two previous ones. It aims to combine the positive aspects of both approaches,
having the flexibility of a virtual environment with the realism resulting from the use of
real-word hardware components of the reference infrastructure.
2 https://www.merit.edu/cyberrange/
2
�EVA: A Hybrid Cyber Range Ahmad, Maunero and Prinetto
2.2 Teams Definition
One of the most eminent and successful training activities that a Cyber-Range could offer is
the one in which it provides a battlefield where different teams oppose each other [13].
Red Teams are normally composed of a small number of experts who have the task of at-
tacking or compromising the security simulated scenario, organization or infrastructure.
They must be well conscious of the so-called TTP (Tactics, Techniques and Procedures)
of the attackers [19].
Blue Teams have the task of defending the scenario and have the mentality of the defenders
and are trained to detect, respond, and mitigate the attacks done by Red Teams. Members
of the Blue Team need to stop unauthorised or illegal activities by mitigating potential
vulnerabilities. The capabilities and expertises of Blue Team’s strongly effect the whole
exercise scenario [17].
White Team responsible for the design and construction of the scenario used for the exercises.
Moreover, the White Team acts as supervisor on exercises involving attack and defence
paradigm, establishing the final score. It is essential for the White Team to make sure
that the exercise is conducted according to the scenario and according to the objective.
Admin Team the administration team is responsible for the supervision of the entire cyber
range, are in charge of monitoring the session and assigning scores to each team.
Design Team is composed of the persons in charge of the design of the reference infrastructure
on which the CR is based.
2.3 State-of-the-Art
2.3.1 Physical CRs
As far as Physical Cyber Ranges are concerned, it is very difficult to find examples in literature
of testbed with high level of fidelity with respect to the real-word target infrastructure, both
because of the difficulty of implementing this type of CRs and because the construction of such
structures would often require the disclosure of business secrets and/or the precise topology of
the internal network.
The most prominent and ambitious project of physical cyber range is Cybertropolis [8], a
project of the United State (U.S.) Department of Defence (DoD), situated at the Muscatatuck
Urban Training Complex (MUTC)3 . In continuous evolution and improvement, it aims to pro-
vide participants with the opportunity to interact with a real-word scenario. In fact, it allows the
integration of different dimensions, such as role-players, and interaction with a hyper-realistic
environment. It is composed of several elements such as a prison complex, a full size functioning
water treatment plant and waste water treatment plant, a state-of-the-art implementation of
internet of things systems for smart homes, and so on.
Ahmed et al. proposed a SCADA system testbed [1] for research and training. Built using
real-world industrial components, it its composed of models of a waste water treatment plant,
a power transmission and distribution systems and a gas pipeline. All these systems are small-
scaled but fully functionals. The main drawback of this project is that it provide insufficient
scalability and flexibility and does not give the possibility to design different attack scenario.
3 https://www.atterburymuscatatuck.in.ng.mil/Muscatatuck/CyberTropolis/
3
�EVA: A Hybrid Cyber Range Ahmad, Maunero and Prinetto
Aditya et al. proposed SWaT [14], a testbed based on a model of a Water Supply System.
Also in this case is a small-scale, fully functional model built with real-world industrial compo-
nents. The goal of the project is to have a safe testbed where to research possible vulnerabilities
and test new cyber defence strategies. As before, the main drawback of this project is that
it provide insufficient scalability and flexibility as well as the impossibility to deliver different
attack scenario for cyber defence training.
2.3.2 Virtual CRs
Virtual Cyber Ranges are the most common and used thanks to their flexibility and relatively
low building and maintenance costs. KYPO Cyber Range is a Czech project [24] funded by the
Ministry of the Interior of the Czech Republic as part of the Security Research Program of the
Czech Republic. The Objectives of the KYPO Project was to build a scenario for carrying out
research and developing methods for mitigating attacks on critical infrastructure in the Czech
Republic.
The Michigan Cyber-Range4 is powered by Merit Network Network5 , the nation’s longest-
running research and education network. Above all, Michigan Cyber Range is the largest
unclassified network, especially designed for cybersecurity training and It offers courses includ-
ing Penetration Testing, Ethical Hacking, Vulnerability Assessment, Secure Coding, and Digital
and Networking Forensics.
Emulab and DETER are two of the most renowned emulation facilities for Virtual Cyber
Ranges developed in academia for performing cyber-security training and exercises. Emulab
[21], was launched by University of Utah and was used for both university facilities and open
source emulation software for testbeds. The Emulab software is used in more than twenty other
emulation testbeds over the globe and it is mainly utilised for carrying out research in the
fields of networking and distributed systems. DETER6 (a derivative of Emulab), founded by
the Department of Homeland Security and the Department of Defence, is an emulation-based
cyber-range having more capabilities as compared to Emulab. The DETER testbed is used for
medium size national-level experimentation and training in cybersecurity.
DARPA (Defence Advanced Research Project Agency) commenced the (U.S.) National
Cyber-Range (NCR) plan to design the architecture and software tools required for a secure,
self-contained cyber testing amenity [18]. DARPA (NCR) is probably the most famous and am-
bitious project for cyber-defense training with the aim of simulating cyber-attacks on computer
networks, it is planned to be built on a large scale to emulate the complexity of commercial net-
works and it should allow new cyber technologies to be tested and validated in a representative
environment.
The Cisco Cyber Range [7] offers a specialised technical training activity to assist staff re-
sponsible for the security to create and improve the skills and experience needed to answer
modern cyber-threats. CISCO Cyber Range offers a specialises scenario that enables security-
staff to play the role of both attacker and defender to discover the latest techniques of vulnera-
bility exploitation and utilizing advanced tools tactics and techniques to minimise and remove
threats.
4 https://www.merit.edu/cyberrange/
5 https://www.merit.edu
6 https://deter-project.org
4
�EVA: A Hybrid Cyber Range Ahmad, Maunero and Prinetto
2.3.3 Hybrid CRs
The Hybrid Cyber Range, as mentioned above, aims to combine the versatility of virtualisation
with the realism of real components of the infrastructure that has to be recreated. There
are several projects in this field, both academic and industrial, usually focused on critical
infrastructures such as Water Supply Systems and Power Plants [6, 9].
In 2016 Ashok et al. proposed a testbed for assessing security of Smart Grid called Pow-
erCyber [2]. It’s a project of the Iowa State University, composed of a mix of real hardware,
software emulated components and virtualization technologies for scalability. It is remotely
accessible and can be used for simulating different cyber attack scenarios.
Tebekaemi et al. proposed an hybrid testbed [22] for assessing the security in communication
protocols in smart grid. This testbed is composed of a combination of real hardware components
and virtualized ones. This approach allows for a great scalability and modularity since new
components can be added easily and the virtualisation of some components helps in keeping the
overall cost small. However this system is built with the specific goal of security assessing and
thus it does not implement any functionalities allowing different attack scenarios for training
purposes.
3 Our Goal
Our goal is to implement a Hybrid Cyber Range (HCR) through which we can, on the one
hand, assess the security of a CPS and, on the other hand, make serious gaming events and/or
training teams while combining the flexibility of a CR and the realism of a CPS.
As a first step, EVA, an emulator of a real Water Supply System, was built. It is a fully
functional small scale model of a WSS composed of industrial components and devices to achieve
the maximum realism (see Section 4). Then was necessary to equip EVA with additional feature
to make it able to serve also as a Cyber Range (CR). The HCR based on EVA must have some
specific features and need to be used in different context:
• Training the Blue Teams: Blue Teams need isolated and secure environments where
they can be trained. It is often unfeasible to use the real network or infrastructure for
training activities. But the team responsible for defending the corporate infrastructure or
network must be able to respond to real threats quickly. For this reason our HCR must
have the necessary flexibility to support the development of different attack scenarios
while maintaining a good realism to have an experience of use and interaction as close as
possible to the real one.
• Training the Design Team: the Design Team can take advantage of the use of an HCR
as this would give them the flexibility to test new solutions before using them in the field,
having an isolated environment, but at the same time realistic and very similar to the
real one.
• Mock up: for our purposes it is necessary that the HCR is responsible for an easy and
fast replacement and/or addition of new components and devices. This is because many
companies, especially those operating in the field of critical infrastructure, need a system
with which to test new components before using them in the field.
See Section 5 for more detail about EVA as a HCR.
5
�EVA: A Hybrid Cyber Range Ahmad, Maunero and Prinetto
4 EVA as a CPS
Figure 1: Architecture of the real Water-Supply System
EVA (Emulatore di Vero Acquedotto - Emulator of a Real Aqueduct) is a CPS representing
a functioning model of a real Water Supply System (WSS). Apart from the basic components
such as tanks, pipes, pumps etc., EVA comprises sensors, actuators, communication protocol,
and SCADA/ICS as a controller. The IT and OT part of EVA are composed of industrial
components used in the real WSS, including the SCADA, but other component, such as pump
and sensors, are low-quality equipment just used in this first phase of building the model. The
physical system was designed according to the architecture of a real WSS shown in Figure
17 . As a general overview, the model works in the following way. The water is gathered from
a source, that can represent a lake or aquifer. The water is then purified and collected in a
dedicated storage system before being distributed to the customers (people houses, hospital or
other infrastructures).
4.1 EVA Implementation
Figure 2 sows the model design and the interconnection between all the components of EVA.
The system configuration is based on a star topology, with a single master in the center and
multiple slaves on the vertexes. The different Raspberry Pis8 functioning as slaves are connected
on the same local network using WiFi with Internet access. The role of the master is played by
the JACE 80009 controller. Using this component it is possible to implement a Web Application
with the same functionality of a SCADA, but with all the advantages that its virtualisation
can bring. The user, according to his privileges, can remotely supervise the entire structure:
data logging, alarms, network management and maintenance of the control logic of the entire
plant. The master and the slaves share commands and data using the Modbus protocol10 . This
7 Image taken from https://cargocollective.com/crockhaus/filter/aqueduct--water-system-
acquedotto-infographic-infografica-filera-water-acqua-italia-crockhaus-matteo-riva-
illustration-how-it-works-vita-non-profit-magazine
8 https://www.raspberrypi.org/
9 https://www.tridium.com/products-services/niagara4
10 http://www.modbus.org/
6
�EVA: A Hybrid Cyber Range Ahmad, Maunero and Prinetto
Figure 2: EVA Implementation Schema.
protocol has been chosen because is one of the most used in industrial facilities. The slaves
Raspberry Pis are directly connected to sensors and actuators. In a first phase data are collected
and sent to the controller, in charge of analysing informations and decide whether or not to
activate actuators and, thus, sending the appropriate commands to the slaves. Since sensor and
actuators are low quality components the purpose of the Raspberry Pi slaves is to implement
the communication protocol, Modbus, for communicating with the master controller. Finally,
also the external environment, namely ecosystem, was implemented in order to give a more
realistic view of the system.
5 EVA as a Cyber Range
In order to convert EVA into a Cyber Range, we must first provide a way to quickly and easily
change the behaviour of the system for representing different scenarios. In addition we should
avoid changing a large part of the composition of the system to represent different scenarios,
since this would require high maintenance costs.
5.1 Model
EVA, as any other CPS, can be modelled splitting its architecture in term of several components,
being them hardware or software; a possible model is shown in Figure 2, where components are
exchanging information items (data, states, and controls) via proper physical communication
infrastructures, wired or wireless, indifferently. In order to upgrade EVA to serve as a Cyber
Range, a plenty of “flexibility” has to be introduced in its structure, to allow all the involved
7
�EVA: A Hybrid Cyber Range Ahmad, Maunero and Prinetto
CR teams, 2, to properly work at their best. From both a conceptual and a practical point
of view, the structure of Figure 2 has to be modified, inserting an additional Wrapper on top
of each components, aimed at providing the possibility of dynamically changing the behaviour
of the underlying component without physically modifying it. More details in the next section
5.2. In few words, through the use of the Wrapper it is possible to change the input and output
of the given component, changing the source of these signal accordingly to the requirements of
the scenario.
5.2 Wrapper
Figure 3: Wrapper.
In the previous section the concept of Wrapper has been introduced. Within the CR model
this new component will give the possibility to get the flexibility required to serve different
purposes, being them training, gaming or mock-up. As you can see in Figure 3, the Wrapper
connects directly to all the inputs and outputs of each component of the CPS. It will therefore
be possible to arbitrarily control the inputs and outputs of the component by choosing the
appropriate source based on the scenario. In terms of model, the Wrapper is composed by:
• Wrapper Controlloer : this allows to control the behaviour of the Wrapper modifying the
interconnection and data exchange inside it;
• Wrapper Data & Interconnection: managed by the Wrapper Controlle defines how inputs
and outputs of the component are routed.
Moreover Wrappers can communicate directly between each other by means of a dedicated
interconnection, bypassing components or physical interconnections, this for allowing a greater
flexibility in the scenario definition and implementation. In general the Wrapper can work in
the following ways:
• Normal Mode: the Wrapper does not interact with the component, not changing the
component inputs and outputs in any way. This mode of operation can be used when it
is necessary to study the properties of the CPS in general or the specific component in
particular to discover potential vulnerabilities.
• Vulnerability Injection: the Wrapper takes control of the inputs and outputs of the
component for inserting a vulnerability not previously present. This mode of operation
8
�EVA: A Hybrid Cyber Range Ahmad, Maunero and Prinetto
is used by the White Team during the design and deployment of the scenario, this could
mean, in practice, for example changing the software running on a specific component.
• Vulnerability Remediation: the Wrapper take control only of the component inputs.
In this mode of operation those who interact with the Wrapper, the Blu Team, should not
notice its presence. The Blu Team will interact with the component, as it would do in a
normal way, to be able to apply patches to vulnerabilities (perhaps introduced previously
by the White Team).
• Attack Injection: the Wrapper takes control of the component’s inputs and outputs.
The Red Team can use this mode to carry out a campaign of attacks. It is particularly
useful in the training phase of the Blu Team as it allows the Red Team to simulate an
attack even in the absence of a specific vulnerability (think of the case of a sensor/ac-
tuator, the insertion of a vulnerability would require replacement of it). By modifying
the component inputs, the Red Team will be able to simulate a direct attack on that
component, while, by modifying the outputs appropriately, it will be able to simulate an
attack starting from that component.
• Behaviour Modification: the Wrapper takes control over the inputs and outputs of
the connected component. The Design Team can take advantage of this mode to emulate
new components or interconnections and protocols, bypassing the existing ones, thanks
also to the direct interconnection between two Wrapper. It is therefore possible to test
new solutions, both hardware and software, without the need to modify or rebuild the
cyber physical model.
• Mock Up: the flexibility introduced by the use of Wrappers around each component can
become useful also for mock-up operations. New components, being them hardware or
software, can be easily added to the CPS without the need of rebuilding the entire system
from scratch, while maintaining a good enough realism to gather information about the
performance of the new components before adopting them in the real system.
6 Attacks Modelization
Given the model proposed in the section 6.1 and the cyber physical model on which the proposed
CR is based, we can now see some examples of attacks on similar systems and how these can
be easily modelled with the proposed CR.
6.1 False Data Injection Attacks
As reported in [15] these attacks can be divided into Response Injection Attacks and Command
Injection Attacks, both possible because network of ICS often do not use authentication for
packets. As far as response injection attacks are concerned, the objective is to intercept, modify
and forward the packets containing the measurements coming from the sensors. Allowing, for
example, to switch off pumps of an aqueduct by making the central control system believe that
critical limits have been reached. Command injection attacks instead, works in a similar way
but, an attacker intercepts the commands sent by the central control system to the actuators.
He then proceeds to modify them appropriately and then forwards the desired commands. In
the specific case of EVA it is possible to easily model and simulate this attack thanks to the
use of the Wrapper. In a training scenario, the Red Team responsible for the attack campaign,
9
�EVA: A Hybrid Cyber Range Ahmad, Maunero and Prinetto
in one case, will take control over the outputs of the sensor (Figure 4), sending arbitrary data
to the central control unity, bypassing the actual sensor outputs.
In the second case, instead, the Red Team will take control over the actuator inputs (Figure 4)
sending, then, arbitrary command bypassing the ones coming from the central control unit.
Figure 4: Attack Emulation Using the Wrapper.
7 Open Issues & Future Works
In Section 5 the model for the Hybrid Cyber Range EVA has been presented. The work is still
in development but it is possibile to identify which are the key issues to address during the
project development.
The CINI Cybersecurity National Laboratory11 has started CyberRange.IT: a national project
for creating a platform for the development of the future Italian cybersecurity community. This
platform is a network of nodes distributed throughout the national territory and each special-
ized on different vertical domains. Each node must offer its users the facilities for learning,
carrying out research, and practical training with cyber threats and challenges originated from
the real world. EVA, within this project, must provide a testbed representing a Water Supply
Systems.
Is therefore crucial that the HCR can be remotely accessible and can provide all the function-
alities to be interconnected with other CR to create a network of distributed testbed. Another
important aspect to be considered is the integration of an orchestrator, to manage the Wrapper
functionalities, for scenario deployment. In this case, as shown in [20], can be used TOSCA 12
a orchestrator language released under Oasis Open Standard.
8 Conclusions
In this paper we have presented a model of Hybrid Cyber Range with the aim of obtaining a
system that is flexible in its use but realistic. The model presented is valid for any CPS that
wants to be transformed into HCR. In this specific case, the modeling was based on EVA, a
model of WSS.
Thanks to the introduction of a Wrapper for each component it has been possible to expand
the functionality of EVA, while avoiding re-building the system, making it possible to deploy
different scenarios for competitions or training.
11 https://www.consorzio-cini.it/index.php/it/lab-nazionali/lab-cyber-security-2
12 https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=tosca
10
�EVA: A Hybrid Cyber Range Ahmad, Maunero and Prinetto
References
[1] Irfan Ahmed, Vassil Roussev, William Johnson, Saranyan Senthivel, and Sneha Sudhakaran. A
scada system testbed for cybersecurity and forensic research and pedagogy. In Proceedings of the
2nd Annual Industrial Control System Security Workshop, pages 1–9. ACM, 2016.
[2] A. Ashok, S. Krishnaswamy, and M. Govindarasu. Powercyber: A remotely accessible testbed for
cyber physical security of the smart grid. In 2016 IEEE Power Energy Society Innovative Smart
Grid Technologies Conference (ISGT), pages 1–5, Sep. 2016.
[3] R. Baldoni and R. De Nicola. The future of cybersecurity in italy. CINI-Consorzio Interuniversi-
tario Nazionale Informatica, 2016.
[4] Martı́n Barrère, Chris Hankin, Angelo Barboni, Giulio Zizzo, Francesca Boem, Sergio Maffeis, and
Thomas Parisini. Cps-mt: A real-time cyber-physical system monitoring tool for security research.
In 2018 IEEE 24th International Conference on Embedded and Real-Time Computing Systems and
Applications (RTCSA), pages 240–241. IEEE, 2018.
[5] Alvaro A Cardenas, Saurabh Amin, and Shankar Sastry. Secure control: Towards survivable cyber-
physical systems. In 2008 The 28th International Conference on Distributed Computing Systems
Workshops, pages 495–500. IEEE, 2008.
[6] Mehmet Hazar Cintuglu, Osama A Mohammed, Kemal Akkaya, and A Selcuk Uluagac. A sur-
vey on smart grid cyber-physical system testbeds. IEEE Communications Surveys & Tutorials,
19(1):446–464, 2016.
[7] CISCO. Cisco cyber range. https://www.cisco.com/c/dam/en_us/about/doing_business/
legal/service_descriptions/docs/asf-cyber-range-large.pdf, 2016. [Online; accessed 28-
November-2019].
[8] Gary M Deckard. Cybertropolis: breaking the paradigm of cyber-ranges and testbeds. In 2018
IEEE International Symposium on Technologies for Homeland Security (HST), pages 1–4. IEEE,
2018.
[9] Hannes Holm, Martin Karresand, Arne Vidström, and Erik Westring. A survey of industrial
control system testbeds. In Nordic Conference on Secure IT Systems, pages 11–26. Springer, 2015.
[10] Abdulmalik Humayed, Jingqiang Lin, Fengjun Li, and Bo Luo. Cyber-physical systems securitya
survey. IEEE Internet of Things Journal, 4(6):1802–1831, 2017.
[11] Frank Jiang and Michael R Frater. Towards a reliable aquatic-based cyber physical system: A
new contextsituation aware low overhead routing scheme. In 2013 IEEE International Conference
on Cyber Technology in Automation, Control and Intelligent Systems, pages 30–35. IEEE, 2013.
[12] KasperskyLab. Threat landscape for industrial automation systems. https://ics-
cert.kaspersky.com/reports/2019/03/27/threat-landscape-for-industrial-automation-
systems-h2-2018/, 2019. [Online; accessed 28-November-2019].
[13] Hannes Krause. Nato on its way towards a comfort zone in cyber defence. The Tallinn Papers,
1(3):1–6, 2014.
[14] Aditya P Mathur and Nils Ole Tippenhauer. Swat: a water treatment testbed for research and
training on ics security. In 2016 International Workshop on Cyber-physical Systems for Smart
Water Networks (CySWater), pages 31–36. IEEE, 2016.
[15] Thomas H Morris and Wei Gao. Industrial control system cyber attacks. In Proceedings of the 1st
International Symposium on ICS & SCADA Cyber Security Research, pages 22–29, 2013.
[16] NIST. Cyber ranges. https://www.nist.gov/system/files/documents/2018/02/13/cyber_
ranges.pdf, 2018. [Online; accessed 28-November-2019].
[17] Victor-Valeriu Patriciu and Adrian Constantin Furtuna. Guide for designing cyber security ex-
ercises. In Proceedings of the 8th WSEAS International Conference on E-Activities and informa-
tion security and privacy, pages 172–177. World Scientific and Engineering Academy and Society
(WSEAS), 2009.
[18] Michael Rosenstein and Frank Corvese. A secure architecture for the range-level command and
11
�EVA: A Hybrid Cyber Range Ahmad, Maunero and Prinetto
control system of a national cyber range testbed. In CSET, 2012.
[19] Robin Ruefle, Audrey Dorofee, David Mundie, Allen D Householder, Michael Murray, and Samuel J
Perl. Computer security incident response team development and evolution. IEEE Security &
Privacy, 12(5):16–26, 2014.
[20] Enrico Russo, Gabriele Costa, and Alessandro Armando. Scenario design and validation for next
generation cyber ranges. In 2018 IEEE 17th International Symposium on Network Computing and
Applications (NCA), pages 1–4. IEEE, 2018.
[21] Christos Siaterlis, Andres Perez Garcia, and Béla Genge. On the use of emulab testbeds for
scientifically rigorous experiments. IEEE Communications Surveys & Tutorials, 15(2):929–942,
2012.
[22] Eniye Tebekaemi and Duminda Wijesekera. Designing an iec 61850 based power distribution
substation simulation/emulation testbed for cyber-physical security studies. In Proceedings of the
First International Conference on Cyber-Technologies and Cyber-Systems, pages 41–49, 2016.
[23] Vincent E Urias, William MS Stout, Brian Van Leeuwen, and Han Lin. Cyber range infrastructure
limitations and needs of tomorrow: A position paper. In 2018 International Carnahan Conference
on Security Technology (ICCST), pages 1–5. IEEE, 2018.
[24] Jan Vykopal, Radek Ošlejšek, Pavel Čeleda, Martin Vizvary, and Daniel Tovarňák. Kypo cyber
range: Design and use cases. 2017.
12
�