Florida public sector training on SimSpace cyber range: Case study

Cyber ranges, once the domain of national defense agencies, are becoming more widely accessible. In the public sector, the state of Florida is leading the charge.

Experience is the best teacher, but in cybersecurity, it often comes at a cost. Just ask anyone -- from a CISO to a Tier 1 analyst -- who has lived through a major breach.

In Florida, however, thousands of public-sector employees can get realistic, hands-on incident response experience for free through a state-funded cyber range. Cyber ranges mirror users' IT environments and deliver dynamic threat simulations that replicate the pressure, chaos and variability of real-life incidents in a safe and controlled setting.

"The best way to prepare is to practice, much like pilots," said Bruce Caulkins, director of cyber solutions and technology at Cyber Florida, the state cybersecurity center that runs the range. "They spend hours in the flight simulator going through all the things that can go wrong and practicing what they would do before they actually fly the plane."

The challenge: Provide realistic incident response training for the public sector

In 2021, Cyber Florida sought ways to nudge the state's public-sector organizations from compliance-driven cybersecurity toward proactive cyber-resilience and cyber-readiness.

"Resilience means being able to do the tasks and functions that you need to do in a cyber environment that might be degraded, disrupted, you name it," Caulkins said.

Unimpressed with basic sandbox options, Cyber Florida began entertaining the possibility of a cyber range -- traditionally within the purview of national defense agencies -- for state, county and municipal use. While a sandboxed environment typically offers a confined, relatively simple training ground, a cyber range aims to mirror an organization's actual network to better simulate complex, real-world conditions.

Cyber Florida enlisted Caulkins -- a retired U.S. Army colonel and expert in cybersecurity modeling and simulations -- to conduct a feasibility study and, ultimately, to serve as the organization's cyber range director.

The decision: Buy or build

Based on the feasibility study, Cyber Florida ruled out DIY and on-premises options, citing upfront hardware and software costs and ongoing operational and maintenance burdens. A third-party, cloud-based offering would let the organization play to its strengths.

"We looked at the things that we're good at and the things that other people would be good at," said Ernie Ferraresso, senior director at Cyber Florida. "We are good at knowing which organizations should be on the range and what types of scenarios and challenges they need. What we don't have expertise in is running data centers."

They vetted around a dozen cyber range vendors and eventually partnered with Boston-based SimSpace. Ferraresso and Caulkins worried that Cyber Florida might get lost in the shuffle at a larger provider, and they were impressed by SimSpace's responsiveness, flexibility and grasp of the public-sector mission.

The results: Live-fire exercises and adapting to emerging threats

Florida's state cyber range went live in early 2023, with both on-demand modules for individual users and scheduled, live-fire team training events that present small groups of tech practitioners with realistic incident response and cyber crisis scenarios.

"They are basically thrown into a situation where they have to find the needle in the haystack -- detect the problem, eradicate the problem and conduct additional activities like calling the FBI," Caulkins said.

Advanced exercises include engaging technical teams and executive managers in tandem to stress-test incident response communication strategies. Practitioners can work with hands-on-keyboards in the SimSpace cyber range while leadership participates in a parallel tabletop exercise.

"What we're trying to do is show the managers what their tech folks do and vice versa," Caulkins said. "So, the tech folks can see how the managers react and maybe [better communicate] about what's going on."

According to Ferraresso, SimSpace can tweak the cyber range environment to feature tools that individual teams use in real life, such as CrowdStrike or ReliaQuest, and to reflect novel, emerging threats.

"For example, we were talking to one of our federal partners about doing a project overseas. One of the guys from the federal side said, 'Hey, do you think you could load up a Volt Typhoon-type incident?'" he said.

Caulkins texted SimSpace's CTO from the meeting to ask if it was possible. The answer was an immediate "yes," according to Ferraresso, who added that the ability to quickly adapt the cyber range to reflect a rapidly shifting threat landscape has proven critical.

"A realistic simulation of a Volt Typhoon attack against a critical infrastructure entity -- that didn't exist before," he said. "You want to be able to say, 'Hey, this is how the landscape is changing, and we need to change the rules.'"

What's next: Cyber-physical attack simulations

Currently, the cyber range's users consist primarily of employees of state and local government agencies. In light of escalating attacks on critical infrastructure, however, Cyber Florida aims to soon expand the user base to include public-private interests, such as utility providers.

"It's important to us to integrate more of the cyber-physical, control-loop type of challenges," Ferraresso said.

He encouraged other organizations to consider the spectrum of potential benefits a cyber range might offer, beyond just annual training and evaluations. For Florida, Ferraresso added, it has become an operational necessity.

Alissa Irei is senior site editor of Informa TechTarget Security.
