Banks, insurance companies and other financial institutions are banding together to design and build a series of cyber ranges — computer environments where defenders can exercise, train and test tools to defend their real computer networks against online attackers.
The initiative, by the Financial Sector Information Sharing and Analysis Council, or FS-ISAC, has already built out the first range and will stage the first exercise on it at the end of November at the Federal Reserve Bank of Boston, according to Shaun Brady, a consultant with FS-ISAC.
“Some will be there physically, others will take part remotely,” Brady told CyberScoop on the fringes of the Integrated Cyber Conference staged by the Johns Hopkins University Applied Physics Lab as part of DC CyberWeek.
The sector “does a great job with table top exercises,” said Brady, but those are more policy and management orientated. There was a dearth of “hands-on-keyboards” style war games, he said.
Eventually, FS-ISAC wants to stage two regional exercises a month on the range, each based at one of the 12 regional Federal Reserve Banks, he said.
But that’s just the beginning. “The bank environment is the first we stood up,” said Brady, “but every segment of the [financial] sector is different … The insurance companies are different from the banks, and so are the [trading] exchanges.” In due course, he said, each segment would have its own range, simulating that IT environment.
The ranges will represent what Brady called a “good enough” simulation of the IT environment in their particular segment — very different from the high-end cyber ranges built and used by the military, he said.
The initial range, simulating a banking IT network, was stood up by technology contractor ManTech, said Brady. “They provided the upfront costs,” he said, but the range would be sustained by fees paid by users.
“We know people will pay to send their people there to train because they’re doing it already,” he said.
“We’re looking at a couple of different cost models,” he said. The ranges cost up to $500,000 to stand up, he said, but then each exercise has to be planned and built — at a cost of $50,000 to $100,000 each. Those ongoing costs would be met through fees paid by exercise participants and by security vendors and customers who want to use the environment to test their tools.
“We hope the government will support this,” he said. “The upfront costs have to come from somewhere.”
Brady said he expected a high level of participation in the banking range and the others once they are stood up, because the users had been involved in designing them. “I’ll tell you how to build it so that I will use it, then I’ll support it once it’s built by using it.”