Year
2023
File Attachment
finalpaper_311_0512072925.pdf (622.81 KB)
Abstract
This paper presents the simulation of a cobalt-60 radiotherapy clinic, which offers cancer treatment using
a teletherapy unit (TTU), that was developed for conducting computer security training and exercises. The
simulator allows the execution of two independent cyber-attacks: a ransomware attack on personal information
and the compromise of an access control system (ACS). It gives training or exercise participants the opportunity
to recognize and respond to such attacks. This clinic is part of a regional hospital in a fictitious country, and
includes a teletherapy treatment room, a control room, designed as controlled areas, and a waiting room.
The simulated computer-based systems comprise a simplified treatment planning system (TPS), a
simulation of the TTU, an ACS and IT equipment. The ACS manages physical access to the premises, and
provides images from a CCTV camera, using the Modbus and TCP/IP protocols. The TPS has an HMI that allows
the operator to configure and control a TTU treatment session, and a database with patient personal
information. The ACS has an HMI that allows the training or exercise participants to open and close doors
and have access to the CCTV camera. This simulator was developed using Docker containers to reduce the
overhead associated with each participant accessing their own simulated environment. It also allows
participants real-time access to simulated network data packets using the Wireshark application. This
simulation was developed and first used as part of the IAEA Regional Training Course on Computer
Security for Industrial Control Systems (25–29 April 2022 and 05–09 December 2022), and it was also the
basis of a scenario deployed during a major Brazilian critical infrastructure exercise, Cyber Guardian
Exercise 4.0 (16–19 August 2022). The outcomes of both events related to the use of the simulator were:
an improved learning experience, as the participants had access to a hands-on exercise environment while sharing
remote supervision; enhanced training capability to illustrate the cyber-security challenges of facilities
handling radioactive or nuclear materials; and increased instructor capacity to facilitate discussions on the
application of computer security measures (technical, administrative and physical) based on the IAEA
guidance on computer security.