3 December 2018

Practice makes perfect at FOI’s IT security training facility

Seldom is everything perfect the first time around, but practice leads to perfection. FOI has taken note and since 2008 has built up a unique training facility, CRATE, where IT technicians from Swedish authorities and companies can practise cyber defence.


Photo from CRATE. Photo: FOI.

CRATE, which is one of Europe’s first training facilities with a focus on IT security, was established in the wake of the cyber attacks directed against Estonia in 2007, after a war monument was moved. FOI has modelled its approach on Idaho National Laboratory, in the USA, which compared to Sweden was early in studying IT security in control systems and critical infrastructure.

It has now been exactly ten years since the first exercise was conducted in CRATE, when IT technicians/system administrators practised dealing with IT intrusions and incidents. The exercise was conducted in cooperation with Estonia. Since then, the facility has been under continual development and today comprises no less than approximately 800 servers that are connected to a simulated internet – a game net – with thousands of virtual computers in a network.

“To emulate the Internet, one has to build large nets and we try to make them as realistic as possible, with the difference that they can be reset afterwards,” explains Mikael Wedlin, Deputy Research Director in the Department of Information Security and IT Architecture, in Linköping.

Resembles a military exercise

The training can be compared to a military exercise where one team is the attacker and the other has to defend itself. FOI sets up scenarios, or games, where IT technicians have to try to protect their authorities from cyberattacks.

“Previously, there wasn’t any good way to train how to deal with attacks across a broad front. But with CRATE, the IT technicians can practise how to respond to large-scale attacks in a controlled environment. Afterwards, they are hopefully better at dealing with different crisis situations,” says Mikael Wedlin.

A national resource

FOI has conducted most of the major exercises with Swedish authorities. The main customers are the Swedish Civil Contingencies Agency – MSB – and the Armed Forces, which have both contributed to the development of CRATE. Training can also be conducted outside the facility, via an external connection to the game net. It is also possible to connect printers, telephones, control systems and various monitoring stations.

In the spring of 2018, CRATE received a visit from the Minister of Defence, who emphasised how important it is that Sweden has a national resource in working with information security.

“This is an activity that we have built up gradually and now we are shifting from having solely been a research facility to one that also works in production,” says Mikael Wedlin.