As manufacturers and utilities recognize their automated systems are vulnerable to hackers, the Idaho National Laboratory’s cyber escape rooms have become a go-to training resource for cybersecurity organizations around the world.
INL has taken a leading role training people to detect and respond to malicious cyberattacks against industrial control systems (ICS). These systems ensure that machinery and equipment in industries like manufacturing, power generation, and water treatment operate efficiently, safely, and reliably. Working with the U.S. Cybersecurity and Infrastructure Security Agency, INL offers ICS Cybersecurity & RED – BLUE Exercise (“ICS 301 training” for short), a four-day, instructor-led, hands-on training course. In addition to classroom training and a red team/blue team exercise in an actual control systems environment, participants test their mettle in cyber escape rooms, racing the clock to solve puzzles.
“That briefcase with the digital countdown clock might not have an actual electromagnetic pulse device inside it set to go off in an hour, disrupting communications and computing networks in three states. But it’s fun to pretend,” said Jeff Hahn, who directs INL’s 301 training. “In the escape rooms, we take them to the next level. We work hard to make it fun. By doing it this way, people get more out of it.”
The cyber escape room with the briefcase is called “Insider Threat” and the scenario is this: Bob, a member of the team, has gone rogue. Following clues, team members must find out who he has talked to and what websites he’s been visiting. The clues lead to numbers and passwords that will eventually help participants determine the four-digit combination they need to open the case Bob left behind.
If things are moving too slowly, INL cybersecurity engineers are on hand to help. “The hints can’t be too easy or too hard,” said Christopher Johnson, who helped develop the cyber escape room in 2021. “We want them to have a successful experience. The real goal is to get everybody working together and sharing information. Nobody can solve this by themselves.”
Beginnings in 2007
INL held its first ICS cybersecurity training course in 2007 at a local convention center. Today, the Cyber Defense Education and Training team has its own classrooms and nine full-time instructors. It has trained teams worldwide, from Albania to the Philippines. During the 233rd ICS 301 training in May, 43 students came from points as diverse as Texas, Washington, Lithuania and Israel.
Day 1 starts with a welcome and brief review of cybersecurity for industrial control systems, then a process control attack demonstration. Afternoon breakout sessions feature hands-on activities in smaller groups, focusing on network discovery and mapping, defense, detection and analysis, and exploitation using Metasploit, an open-source framework for security testing. The afternoon of Day 2 is when groups participate in cyber escape rooms. The red team/blue team exercises follow.
In addition to training in Idaho Falls, the escape rooms can be packed up and taken to high-profile cybersecurity events such as Critical Effect in Washington D.C. and DEFCON in Las Vegas. “Insider Threat” was the first to be mobilized in 2021. Johnson recalls how nervous he was about getting Bob’s suitcase through security and onto the plane, but because it was packed inside a larger case it caused no alarm.
National Security Workforce Development
The rise of cyberattacks makes safeguarding the nation’s critical infrastructure more urgent than ever. INL’s cybersecurity team is preparing old hands and newcomers with the skills to counter modern threats that could paralyze society. The 301 training has attracted cyber experts and industrial professionals from all 50 states and over 110 countries since its inception.
Chris Farnell, an assistant professor at the University of Arkansas, first learned about the training when talking with INL National Security Workforce Development specialist Eleanor Taylor. This conversation led to INL bringing an escape room called “Solar, Wind, and Fire” to the RazorHack Cyber Challenge held in Fayetteville, Arkansas, in October 2023. Farnell has since become an INL joint appointment and secured letters of collaboration, which said “are huge for us.”
Taylor emphasized that Farnell’s engagement with INL exemplifies what the lab seeks. “He has really leaned into it and leveraged our capabilities,” she said. INL maintains similar relationships across the U.S., working with universities in states ranging from Texas to Florida and the Carolinas, as well as reaching out to community colleges. “Community colleges are going to be a key factor in this,” she added.
Adapting to New Threats
INL’s institutional involvement in cybersecurity began in 2004 when it received $3 million from the U.S. Department of Energy and the newly formed Department of Homeland Security to open the Information Operations Research Center. The center’s mission was to study and assess the cybersecurity of industrial control systems.
The gap between information technology (IT) and operational technology (OT) became a significant focus for INL. According to Greg Bastien, Cybersecurity and Infrastructure Security Agency training program manager, “IT systems change out about every 12 to 18 months, but ICS systems can go on for decades with no upgrade paths. There is no ‘patch Tuesday’ in the OT environment. If something breaks, you just fix it.”
As industrial asset owners identified vulnerabilities in their control systems, particularly after notable cyberattacks like the 2015 shutdown of Ukraine’s power grid and the 2021 ransomware attack on the Colonial Pipeline, INL’s training programs evolved significantly. To address these emerging threats, INL developed innovative cyber escape rooms designed to simulate real-world cyberattacks.
These cyber escape rooms, such as “Insider Threat,” have transformed into advanced training tools that promote teamwork and problem-solving skills crucial for modern cybersecurity challenges. By simulating sophisticated cyberattacks, these hands-on environments allow participants to engage deeply with the material, ensuring they are well-prepared to face the dynamic landscape of cybersecurity threats.
INL’s approach to cybersecurity training, combining traditional instruction with interactive escape rooms, has positioned it as a leader in preparing both veteran professionals and newcomers to protect critical infrastructure worldwide.
ICS trainings available through the U.S. Cybersecurity and Infrastructure Security Agency and INL can be found here.
