Teaching Users New IoT Tricks: A Model-driven Cyber Range for IoT Security Training

Michalis Smyrlis, George Spanoudakis, and Konstantinos Fysarakis
March 17, 2021


As IoT ecosystems become mainstream, malicious actors routinely launch impactful attacks that affect both organizations and individuals - e.g., see the Mirai IoT botnet and its variants, and the intensification of these attacks in the COVID-19 era - ultimately corroding our trust in IoT applications and services.

While a barrier in tackling these issues is the existence of heterogeneous IoT applications and devices with inherent security flaws [1][2], the situation is further exacerbated by the lack of cybersecurity awareness and training. Users are typically not informed of the relevant risks and how to minimize them, nor are they trained to promptly identify and react to cyber-attacks (e.g., IoT botnets [3], and COVID-19 -focused ones [4])). Instead, users act as enablers for the various threat actors to deploy attacks successfully, and this is true both for enterprise [5] (e.g., Industrial IoT) as well as consumer [6] (e.g., smart home) environments.

In this landscape, cyber-security training is becoming increasingly pertinent as an effective way of mitigating IoT security risks. The need for more skilled cybersecurity professionals and well-trained individuals (e.g., employees, smart homeowners), regardless of their security expertise, is becoming pressing. Nevertheless, to be effective, cybersecurity training should be tailored to the different environments and trainee types, while gained knowledge should be validated to provide evidence of said effectiveness, enabling the adoption of overall security and privacy-aware behavior. To accomplish that, modern training strategies are not only limited to learning software and hardware skills but also include training to understand actual cybersecurity threats, along with resistance-training techniques. However, training should also be adjustable to fit the ever-changing needs of the targeted domains, user behaviors, and the evolution of the threat landscape, to ensure it remains relevant [7].

To address the above requirements, a model-driven IoT Cyber Range approach has been conceived, centered Cyber Threat and Training Preparation (CTTP) Models and associated Training Programmes (CTTP Programmes), and is currently being validated in the EU-funded H2020 THREAT-ARREST project[1] [8]. The delivery of Cyber Range Training Programmes is based on these CTTP models which define the structure and automate the development of the training programs by determining the number of different aspects, such as (a) the assets of a cyber-system, their relations, and the threats covered by the CTTP Programme; (b) the ways these assets will be emulated and simulated; (c) the trainee evaluation, based on their actions and level of expertise, and; (d) the preparedness and effectiveness level that the trainees are expected to achieve on the specific training program. The benefit of having a model for every different aspect of a Training Programme is the direct mapping it provides with the actual cyber system and the automated (model-driven) specification of the training environment that it allows. Furthermore, adaptations to the models can be introduced to facilitate the delivery of training programs that follow current training needs and do not become obsolete. As of today, such a model-driven approach that incorporates emulation, simulation, serious gaming, and visualization techniques, aiming at preparing individuals with different roles and levels of expertise to defend cyber systems against known and new cyber-attacks, does not exist.

The CTTP Models

At the core of the model-driven approach to Cyber Range training, is the development of the CTTP Models:

  1. the Cyber System Asset model; specifies the assets of the cyber system that the training pertains to, their relations, and the relevant threats
  2. an Emulation sub-model; specifies automated generation and interconnection of emulated cyber system components, to be dynamically parsed by virtual infrastructure management solutions (e.g., OpenStack[2], Kubernetes[3])
  3. Simulation sub-model; specifies information for the simulation of different layers in the cyber systems implementation stack, to be dynamically parsed by simulators (e.g., NS-3[4])
  4. Serious Game sub-model; includes information needed to create a Serious Game environment
  5. Data Fabrication sub-model; includes information used for the creation of synthetic events
  6. Training Delivery Parameter model; an orchestrator of the aforementioned models which includes critical information for the instantiation of a new Training session.

Figure 1 provides a view of the model specification Graphical User Interface at the heart of the Cyber Range platform. A Training Programme can only be valid if it contains one Training Delivery Parameter model and at least one of the Cyber System Asset, Emulation, Simulation, Gamification, and Data Fabrication models. The process of Training Programme specification consists of three main phases, namely: (i) the analysis and creation of the Cyber System Asset Model; (ii) the Creation of Training Programme and, finally; (iii) the initiation of it. Figure 2 presents the Training Programme preparation process in detail.

Figure 1: Part of the model specification graphical user interface.Figure 1: Part of the model specification graphical user interface.

 Figure 2: Model-driven IoT Cyber Range approach.

Figure 2: Model-driven IoT Cyber Range approach.


The Training Programmes: Indicative IoT Smart Home Environment Scenario

Let us consider a training program that aims to train IoT device consumers with no security knowledge on how to respond to abnormal behavior and take immediate actions to mitigate the risk.

At first, the user is presented with the scenario background: “As the owner of a smart plug, the plug’s web-based application allows you to monitor its power consumption and/or on/off behavior. It also provides alerts through the system if abnormal behavior is detected. An intruder has gained access to your smart plug and executed a malicious application that stopped the smart plug from reporting its power consumption and turned a switch on and off at random time points. You noticed, when viewing the energy data graphs through the web application, that abnormal behavior was detected, and you are asked to bring the device back to its expected behavior.”

Figure 3: IoT-enabled Smart Home training scenario.

Figure 3: IoT-enabled Smart Home training scenario.


The scenario is implemented using various emulated and simulated components, comprising a smart home (see Figure 3), involving Emulation, Simulation, Gamification, and Training tools. To achieve this, a smart device is simulated within the Simulation Tool. Energy readings from this device are gathered by an emulated edge gateway and pushed to the emulated private cloud broker.

The progression of this simple Training Programme would be as follows:

  • The trainee is informed about the security concerns surrounding smart devices and, upon installation of the edge device, receives an incident response and abnormal behavior guideline.
  • He/she then checks the energy consumption graphs in the homeowner dashboard which displays an abnormal pattern in the smart plug power consumption graph caused by the smart plug not reporting power consumption.
  • As instructed in the Guideline, he/she needs to power cycle the smart plug by turning it off for 20 seconds then back on. He/she checks the graphs presented in the web application but observes that the abnormal behavior is still there (i.e., no power consumption is presented).
  • The trainee then moves to the second step of the guideline and resets the device itself.
  • Finally, the trainee checks the graphs, and observers that both the smart plug started reporting its power consumption and the connected device was not reporting abnormal behavior.

The automated evaluation of the trainee is performed via the simulation tool, which periodically checks if the trainee has made the proper remediating actions for the deployed case. An evaluation report must also be fulfilled in the training tool, where the trainee must complete information related to the type of issue encountered and remediating actions taken.

A card game can also be made available through a Gamification tool [9], to raise awareness around IoT smart device security. Furthermore, Training Programmes of different difficulty levels are also available, such as training for (a) the secure configuration of an IoT system (such as firewall policy of a gateway), (b) the identification of a botnet attack, and (c) a digital investigation analysis on an IoT cloud broker.

Concluding Remarks

Adopting a model-driven approach to Cyber Range training requires some effort and introduces increased complexity to create and parse the Models. Nevertheless, this enables the use of an evidence-based approach to Cyber Range training, and the provision of programs that are mapped to the actual cyber system and its security posture, thus targeting the most pertinent threats in the context of the specific environment. With the core functionality of the CTTP Cyber Range tested and validated through the THREAT-ARREST project, the current focus is on developing adaptation mechanisms allowing CTTP Models to follow changes to the cyber systems and the IoT threat landscape while checking the completeness and consistency of the entire specification of CTTP Models and Programmes in the context of these changes.


  1. OWASP Internet of Things Project, https://wiki.owasp.org/index.php/OWASP_Internet_of_Things_Project, (accessed Mar. 15, 2021).
  2. Palo Alto Networks, “2020 Unit 42 IoT Threat Report”, Mar. 2020. https://unit42.paloaltonetworks.com/iot-threat-report-2020/ (accessed Mar. 15, 2021).
  3. H. Griffioen and C. Doerr, “Examining Mirai’s Battle over the Internet of Things,” in Proceedings of the ACM Conference on Computer and Communications Security, 2020.
  4. B. Acohido, “Pushing back against IoT attacks intensified by Covid-19”, Avast, Nov. 2020. https://blog.avast.com/iot-attacks-intensified-by-covid-19-avast (accessed Mar. 15, 2021).
  5. IoT security awareness – why it is still a concern for organizations, i-SCOOP. https://www.i-scoop.eu/internet-of-things-guide/iot-security-awareness/ (accessed Mar. 15, 2021).
  6. M. Sharbaf, “Cybersecurity Awareness in IoT Threats”, IEEE Computer Society, 2020. https://www.computer.org/publications/tech-news/events/cybersecurity-month-2020/awareness-iot-threats (accessed Mar. 15, 2021).
  7. Somarakis, M. Smyrlis, K. Fysarakis, and G. Spanoudakis, “Model-Driven Cyber Range Training: A Cyber Security Assurance Perspective,” in Computer Security, 2019 pp. 172–184.
  8. M. Smyrlis, K. Fysarakis, G. Spanoudakis, and G. Hatzivasilis, “Cyber Range Training Programme Specification Through Cyber Threat and Training Preparation Models,” in International Workshop on Model-Driven Simulation and Training Environments for Cybersecurity, 2020 pp. 22–37.
  9. S. Pape, L. Goeke, A. Quintanar, K. and Beckers, “Conceptualization of a CyberSecurity Awareness Quiz” in International Workshop on Model-Driven Simulation and Training Environments for Cybersecurity, 2020 pp. 61-76.

[1] https://www.threat-arrest.eu/

[2] https://www.openstack.org/

[3] https://kubernetes.io/

[4] https://www.nsnam.org/


Michalis SmyrlisMichalis Smyrlis (B.Sc., Ph.D. in progress) is a Senior Software Security Engineer at SPHYNX TECHNOLOGY SOLUTIONS AG. His interests are in software security, privacy, cyber insurance, and big data. He has expertise in the development of security solutions for platforms supporting big data analytics and has worked in multiple H2020 EU projects, including THREAT ARREST, C4IIoT, SEMIoTICS, SPIDER, TOREADOR, and EVOTION. He is also doing a Ph.D. as an external part-time student at City, University of London. His research, as part of his Ph.D., is on cybersecurity risk assessment for cyber systems based on continuous and hybrid assurance assessment schemes.


Konstantinos FysarakisKonstantinos Fysarakis (B.Sc. Applied Mathematics, M.Sc. Information Security, Ph.D. Electronic & Computer Engineering – Embedded Systems Security) is the Chief Technology Officer of SPHYNX ANALYTICS LIMITED. His interests revolve around the security, privacy, dependability, and sustainability challenges that arise with the integration of smart ecosystems and next-generation networking infrastructures into various vertical domains and our everyday lives, having authored over 50 peer-reviewed journal and conference publications (over 800 citations, H-index 15), while also serving as a reviewer and chair at various academic venues about his research interests.


George SpanoudakisGeorge Spanoudakis (B.Sc., M.Sc., Ph.D. Computer Science) is the chairman of the management board of SPHYNX TECHNOLOGY SOLUTIONS AG. His research interests are in software systems security, software engineering, and biomedical computing, having published extensively in these areas (over 175 peer-reviewed publications, over 4500 citations, H-index 34). He has more than 20 years of expertise in managing R&D projects, receiving over  €120m of R&D funding from national funding bodies, the EU, and the industry, being the principal investigator of more than 30 FP6, FP7, and H2020 projects at Sphynx and before it at City, University of London.