Developing Cyber-risk Centric Courses and Training Material for Cyber Ranges: A Systematic Approach

The use of cyber ranges to train and develop cybersecurity skills and awareness is attracting more attention, both in public and private organizations. However, cyber ranges typically focus mainly on hands-on exercises and do not consider aspects such as courses, learning goals and learning objectives, specific skills to train and develop, etc. We address this gap by proposing a method for developing courses and training material based on identified roles and skills to be trained in cyber ranges. Our method has been used by people with different background grouped in academia, critical infrastructure, research, and service providers who have developed 22 courses including hands-on exercises. The developed courses have been tried out in pilot studies by SMEs. Our assessment shows that the method is feasible and that it considers learning and educational aspects by facilitating the development of courses and training material for specific cybersecurity roles and skills.acceptedVersio

Provably Forgetting of Information in Manufacturing Systems: Verification of the KASTEL Industry Demonstrator

During the manufacturing process, information are generated and aggregated that constitute a business secrets and therefore need a high protection. On the other hand, if we can prove, that an information is absented, the effort for the protection for this system could be invested on different information, aspects or systems. For this, we develop the notion of information forgetting of a reactive system. This notion describes that a reactive system needs to forget the information about a secret within a certain amount of cycles. This property limits the amount of historical information an attacker can learn by observing a manufacturing system. Moreover, we formalise and prove the notion of an information forgetting system with Relational Test Tables. We evaluate the verification on the industry demonstrator for \textsc{kastel svi} project, which was provided by the Fraunhofer IOSB and developed by industrial third-party contractor. In this demonstrator, we are able to show, that a selected business secret – the number of wheel turns – is not forgotten. We suggest and prove a fix of the leak. We close with an elaborate discussion on the verification and results and also with remarks to the how information forgetting relates supports quantifiable security

Design and architecture of an industrial IT security lab

IT security for Industrial control systems or the Industrial Internet of Things is an emerging topic in research and development as well as for operators of real production facilities. In this paper, we will present the Fraunhofer IOSB IT Security Laboratory for industrial control systems, that enables security research, development and testing of products and training of IT security personnel. Due to its architecture based on both real hardware components and a flexible virtual environment, the IT Security Lab offers a realistic setup of today's production facilities and at the same time a high flexibility with regard to future networking technologies and protocols