As cyberattacks on industrial control systems (ICS) escalate, manufacturers and utilities are turning to Idaho National Laboratory’s immersive training programs to shore up their defenses. Known for its cyber escape rooms and hands-on simulations, INL has emerged as a global leader in preparing professionals to detect and disrupt threats to critical infrastructure. In partnership with the U.S. Cybersecurity and Infrastructure Security Agency (CISA), INL’s ICS 301 course trains participants to respond to real-world cyber incidents in high-stakes environments where safety and uptime are non-negotiable.
“That briefcase with the digital countdown clock might not have an actual electromagnetic pulse device inside it set to go off in an hour, disrupting communications and computing networks in three states. But it’s fun to pretend,” Jeff Hahn, who directs INL’s 301 training, said. “In the escape rooms, we take them to the next level. We work hard to make it fun. By doing it this way, people get more out of it.”
The rise of cyberattacks makes safeguarding the nation’s critical infrastructure more urgent than ever. INL’s cybersecurity team is preparing old hands and newcomers with the skills to counter modern threats that could paralyze society. The 301 training has attracted cyber experts and industrial professionals from all 50 states and over 110 countries since its inception.
The cyber escape room with the briefcase is called ‘Insider Threat,’ and the scenario is this: Bob, a member of the team, has gone rogue. Following clues, team members must find out who he has talked to and what websites he’s been visiting. The clues lead to numbers and passwords that will eventually help participants determine the four-digit combination they need to open the case Bob left behind.
If things are moving too slowly, INL cybersecurity engineers are on hand to help. “The hints can’t be too easy or too hard,” said Christopher Johnson, who helped develop the cyber escape room in 2021. “We want them to have a successful experience. The real goal is to get everybody working together and sharing information. Nobody can solve this by themselves.”
The INL held its initial ICS cybersecurity course in 2007 in a local convention center. Since then, the program has grown into a dedicated operation with its own classrooms, nine full-time instructors, and a global reach. The Cyber Defense Education and Training team has trained professionals from countries ranging from Albania to the Philippines. At the 233rd ICS 301 session held in May, the 43 participants included students from Texas, Washington, Lithuania, and Israel.
The first day starts with a welcome and brief review of ICS cybersecurity, then a process control attack demonstration. Afternoon breakout sessions feature hands-on activities in smaller groups, focusing on network discovery and mapping, defense, detection, and analysis, and exploitation using Metasploit, an open-source framework for security testing. The afternoon of day two is when groups participate in cyber escape rooms. The red team/blue team exercises follow.
Apart from training in Idaho Falls, the escape rooms can be packed up and taken to high-profile cybersecurity events such as Critical Effect in Washington, D.C., and DEFCON in Las Vegas. ‘Insider Threat’ was the first to be mobilized in 2021.
Johnson recalls how nervous he was about getting Bob’s suitcase through security and onto the plane, but because it was packed inside a larger case, it caused no alarm.
Chris Farnell, an assistant professor at the University of Arkansas, first learned about the training when talking with INL National Security Workforce Development specialist Eleanor Taylor. This conversation led to INL bringing an escape room called ‘Solar, Wind, and Fire’ to the RazorHack Cyber Challenge held in Fayetteville, Arkansas, in October 2023. Farnell has since become an INL joint appointment and secured letters of collaboration, which said, ‘are huge for us.’
Taylor emphasized that Farnell’s engagement with INL exemplifies what the lab seeks. “He has really leaned into it and leveraged our capabilities,” she said. INL maintains similar relationships across the U.S., working with universities in states ranging from Texas to Florida and the Carolinas, as well as reaching out to community colleges. “Community colleges are going to be a key factor in this,” she added.
Also, the INL’s institutional involvement in cybersecurity began in 2004 when it received $3 million from the Department of Energy and the newly formed Department of Homeland Security (DHS) to open the Information Operations Research Center. The center’s mission was to study and assess the cybersecurity of industrial control systems. The gap between information technology (IT) and operational technology (OT) became a significant focus for INL.
According to Greg Bastien, CISA’s training program manager, “IT systems change out about every 12 to 18 months, but ICS systems can go on for decades with no upgrade paths. There is no ‘patch Tuesday’ in the OT environment. If something breaks, you just fix it.”
As industrial asset owners identified vulnerabilities in their control systems, particularly after notable cyberattacks like the 2015 shutdown of Ukraine’s power grid and the 2021 ransomware attack on the Colonial Pipeline, INL’s training programs evolved significantly. To address these emerging threats, INL developed innovative cyber escape rooms designed to simulate real-world cyberattacks.
These cyber escape rooms have transformed into advanced training tools that promote teamwork and problem-solving skills crucial for modern cybersecurity challenges. By simulating sophisticated cyberattacks, these hands-on environments allow participants to engage deeply with the material, ensuring they are well-prepared to face the dynamic landscape of cybersecurity threats.
INL’s approach to cybersecurity training, combining traditional instruction with interactive escape rooms, has positioned it as a leader in preparing both veteran professionals and newcomers to protect critical infrastructure worldwide.
