Adelaide University
CyberLab

Modelling Cyber Chaos Before It Happens

A system-of-systems cyber range for researching cascading failures across interconnected critical infrastructure


When One System Fails,
Dependent Systems also Fall

Modern critical infrastructure is deeply interconnected. A single breach can cascade across multiple other sectors in ways that no isolated analysis has predicted.

System-of-systems cascade showing interconnected critical infrastructure with a breach propagating across systems

A Scenario

An attack on power generation infrastructure causes an outage affecting water treatment. Contaminated water leads to public health issues. Hospitals become overwhelmed. An adversary simultaneously compromises traffic control systems; emergency response becomes gridlocked. The crisis escalates to social media and news coverage, where adversarial misinformation operations amplify panic and destabilise public confidence.

This is not hypothetical. Many of the cascading failures we have already witnessed were accidents — a bad software update, a configuration error, extreme weather. But the damage they caused reveals something deeper: the fragility of interdependent systems. If accidents can cascade this far, imagine what a deliberate attack could achieve. Nation-state adversaries have already demonstrated that they can — and do — engineer cascading failures on purpose.

Some examples of Real-World Cascading Failures

2024

CrowdStrike Outage

A faulty CrowdStrike Falcon sensor update crashed 8.5 million Windows machines worldwide on 19 July 2024 — the largest IT outage in history. Healthcare, aviation, banking, and emergency services were disrupted simultaneously.

Wikipedia →
2026

Stryker Wiper Attack

Iran-linked group Handala compromised a Stryker administrator account and used Microsoft Intune to mass-wipe over 200,000 devices on 11 March 2026 — no malware needed. The medical technology giant's manufacturing, ordering, and shipping systems went offline across 79 countries, disrupting surgical supply chains to hospitals worldwide.

ACS Information Age →
2016

South Australian Blackout

Severe storms on 28 September 2016 destroyed transmission towers, causing cascading failures that blacked out the entire state of South Australia. Loss of interconnectors tripped generation offline in a feedback loop — 850,000 people lost power, hospitals switched to backup, traffic lights failed, and Adelaide's water and sewage systems were disrupted. The event triggered a national debate on energy security.

Wikipedia →
2024

Change Healthcare Ransomware

ALPHV ransomware compromised Change Healthcare in February 2024 — the hub processing 50% of US medical claims. 900,000 physicians, 33,000 pharmacies, and 5,500 hospitals lost access to claims, prescriptions, and authorisations. 190 million individuals affected.

AHA analysis →
2017

Amazon S3 "Fat Finger" Outage

On 28 February 2017, an engineer running a routine maintenance command mistyped a single parameter — intending to remove a small number of S3 billing servers but accidentally removing far more. Two critical subsystems went down, cascading across the entire AWS US-East-1 region. Dozens of major services — EC2, Lambda, EBS — failed for nearly five hours. Even the AWS status dashboard could not report the outage, because it too depended on S3. One typo, and a significant portion of the internet went offline.

AWS post-mortem →
2025

Cloudflare Outage

An oversized configuration file propagated across Cloudflare's edge nodes on 18 November 2025, crashing traffic routing software. Approximately 20% of global internet traffic was affected, disrupting X, ChatGPT, Spotify, Discord, and Shopify.

Cloudflare post-mortem →
2024

Dutch Traffic Light Hack

A vulnerability in the KAR radio system allowed attackers to remotely switch tens of thousands of Dutch traffic lights using software-defined radio — from kilometres away. Full physical replacement is required and will take until 2030.

NL Times →
2020

SolarWinds Supply Chain Attack

Russian intelligence (SVR/APT29) trojanised the SolarWinds Orion software update, compromising approximately 18,000 organisations including the US Departments of Treasury, Commerce, Homeland Security, Defence, Energy, and State. A single backdoor in one vendor's build system cascaded across the highest levels of government.

Wikipedia →
2017

NotPetya

Russian military intelligence (GRU) compromised a Ukrainian tax software update, deploying destructive malware that cascaded globally. Maersk ($300M), Merck ($870M), and FedEx ($400M) were among the victims. Over $10 billion in total damage — the costliest cyber attack in history. Formally attributed by the US, UK, Canada, and Australia.

Wikipedia →

These are not isolated events. Research shows that 64–89% of critical infrastructure disruptions involve cascading failures across interdependent systems. See also: Cascading failure (Wikipedia).

How We Build Our CyberRange

The CyberLab replicates realistic, cross-domain interdependencies by integrating software and services representing critical sectors. Each system is a piece of a larger whole: multiple developers work on individual systems, which then fit together to form that whole.

Hospital

OpenEMR electronic medical records — healthcare infrastructure that depends on power and communications

Hospital zone of the CyberLab

Banking

SWIFT financial transaction simulation — banking systems interconnected with every other sector

Banking zone of the CyberLab

Social Media

Mastodon platform for studying influence operations and information warfare in a controlled environment

Social media zone of the CyberLab

Security Operations

Wazuh SIEM, Grafana dashboards, and Suricata IDS — a full SOC monitoring the entire ecosystem

Security operations zone of the CyberLab

Adversary Emulation

MITRE Caldera for automated adversary simulation — realistic attack campaigns against the infrastructure

Adversary emulation zone of the CyberLab

AI-Enabled Defence

LLM-based phishing detection, AI/RL agents for autonomous defence, and model poisoning research

AI-enabled defence zone of the CyberLab

Digital Twin of City Systems

Emulation based on the Unity game engine allows us to visualise systems. User simulation agents generate realistic network behaviour.

Digital Twin zone of the CyberLab

CTF Platform

CTFd-based Capture the Flag challenges integrated into the system-of-systems environment

CTF platform zone of the CyberLab


The complete CyberLab — individual systems forming one interconnected whole

CROS: The Cyber Range
Operating System

Just as operating systems abstracted hardware — enabling software to run on any machine — CROS abstracts cyber ranges, enabling portable, reproducible, and federated cyber security research.

CROS architecture diagram showing the three-layer abstraction: infrastructure, CROS platform, and cyber range scenarios

The Problem with Existing Ranges

Cyber ranges today — including platforms like KYPO, DETER, and commercial offerings — are typically bespoke, non-portable, and difficult to reproduce. Researchers spend significant time setting up ad hoc environments. Work is duplicated across institutions. Experiments are hard to share or verify.

Applications: Cyber Range Scenarios
Operating System: CROS
Hardware: Infrastructure (AWS, bare-metal, hybrid)

What CROS Enables

Portability

Scenarios deploy across different infrastructure — cloud, bare-metal, or hybrid — without modification.

Federation

Multiple institutions interconnect their ranges into a single experimentation platform.

Reproducibility

Researchers share and reproduce experiments across sites. This lets research start sooner and minimises the time needed to set up experiments.

Scalability

From a single research lab to a multi-national exercise network. Branch-based configurations for different scenarios.

How It Works

CyberLab deploys in AWS (we will soon also have a bare-metal version). Pulumi manages the infrastructure deployment, Ansible automates system configuration, and GitOps workflows control deployment and teardown through version-controlled branches. Every cyber range configuration is stored in code, making deployments repeatable and auditable.

Two Networks, One Range

Every system in the CyberLab is connected to two separate networks — it is key to understanding how our cyber range works.

Game Network

This is where the action happens. Attackers probe, defenders block traffic, firewalls are configured, services go up and down. Everything participants do during an exercise — scanning, exploiting, patching, isolating — happens on the game network. It behaves exactly like a real production network would.

Management Network

Ideally, this would be an invisible layer that keeps the simulation running. For technical reasons it cannot be invisible, but it is out of scope for the red team, and out of scope for the blue team to change. It handles everything that cannot travel over the game network without breaking the exercise.

Why is the separation between game and management networks necessary? In the real world, if you sit at a computer and block all network traffic, you can still use the machine — you are physically in front of it. But in the CyberLab, every machine runs in AWS and participants access them remotely. If a defender blocks all traffic on the game network, they would lock themselves out of their own system. The management network solves this: it provides a separate path into every machine, emulating the physical access a person would have if they were sitting in front of it. Attackers cannot reach this network — it is off-limits, just as physical access to a server room would be.

Furthermore, when the CyberLab simulates a power plant failure, other systems that depend on that power "need to know" about it: a hospital without power (and without backup systems) would lose its systems. These dependencies need to be signalled, because we cannot and will not cut the power on AWS servers. That signalling cannot travel over the game network. If it did, a participant could simply add a firewall rule at the power station to block those messages, and no downstream system would ever fail. The dependencies would be invisible. Instead, a Kafka message bus on the management network carries these signals between systems — modelling real-world physical dependencies without exposing them to game-network interference.

This separation is what makes the CyberLab a genuine system-of-systems simulation rather than just a collection of virtual machines. The game network gives participants full freedom to operate. The management network ensures the simulation stays coherent underneath.
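The argument above can be checked with a small model. The following is an added illustration, not CyberLab code: an in-memory loop stands in for the Kafka bus, and the system names, dependency map and backup table are constructed from the scenario on this page.

```python
"""Added illustration (hypothetical names): why dependency signals must not
travel over the game network. An in-memory model stands in for Kafka."""
from collections import deque

# Constructed dependency map: consumer -> providers it cannot run without.
DEPENDS_ON = {
    "water_treatment": ["power_plant"],
    "hospital": ["power_plant", "water_treatment"],
    "traffic_control": ["power_plant"],
}
# Constructed backup table: consumer -> providers whose loss it can ride out.
BACKUPS = {"hospital": {"power_plant"}}  # hospital has a generator, no spare water


def dependents_of(provider):
    return [c for c, provs in DEPENDS_ON.items() if provider in provs]


def cascade(initial, channel, blocked_egress=frozenset(), backups=None):
    """Propagate a failure from `initial` and return (failed, dropped_signals).

    channel="management": signals always arrive; participants cannot touch it.
    channel="game": a participant's firewall rule (blocked_egress) can drop
    every signal leaving a system, which hides the dependency.
    """
    backups = BACKUPS if backups is None else backups
    failed, dropped = {initial}, []
    queue = deque([initial])
    while queue:
        provider = queue.popleft()
        for consumer in dependents_of(provider):
            if channel == "game" and provider in blocked_egress:
                dropped.append((provider, consumer))  # signal never delivered
                continue
            if provider in backups.get(consumer, ()):
                continue  # consumer survives this particular loss
            if consumer not in failed:
                failed.add(consumer)
                queue.append(consumer)
    return failed, dropped


if __name__ == "__main__":
    # Same outage, same firewall rule at the power station, two transports.
    rule = frozenset({"power_plant"})
    print("management:", sorted(cascade("power_plant", "management", rule)[0]))
    print("game      :", sorted(cascade("power_plant", "game", rule)[0]))
```

With the signal on the management channel the hospital still fails through water treatment despite its backup power; with the signal on the game network, one egress rule at the power station stops the whole cascade.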

Built Like Linux.
Run Like a Startup.

CyberLab operates on an educational philosophy inspired by successful open-source development. Students don't just use the platform — they build it. Their work persists, and others build on it.

Students collaborating in the CyberLab, pair-programming and discussing architecture. AI-generated visualisation — not depicting real individuals or facilities for privacy reasons. All characters and buildings are fictitious and any similarities to actual persons, living or dead, or actual events are purely coincidental.

A Flight Simulator for Cyber Defenders

The CyberLab is completely virtual — running on AWS (and soon Proxmox). If something breaks, reboot the virtual machines. If an experiment goes wrong, roll back. Students and researchers can explore, experiment, and make mistakes without real-world consequences. This isolation is a deliberate architectural choice: it creates the psychological safety needed for genuine exploration and learning.

Contributing to Something Bigger

Just as universities played a crucial role in Linux development — students earning credit while producing code that benefits the broader community — CyberLab students work on projects that become part of real, operational infrastructure. This is not a disposable assignment. Your banking simulation, your SOC dashboard, your AI detection module — they persist, and the next cohort builds on them.

AI at the Centre

AI is transforming cyber security. Our students work with AI-assisted development, build reinforcement learning agents for autonomous defence, experiment with LLM-based attack detection, and critically evaluate AI-generated code for vulnerabilities. The goal is not to replace human judgment with AI, but to develop graduates who can work effectively alongside AI tools — and understand their limitations.

50+ Students have earned academic credit through CyberLab
Open Source: All infrastructure built with open-source tools, contributed back to the community

Preparing Graduates for
Jobs That Don't Yet Exist

As AI automates entry-level cyber security tasks, the skills that once came from years of professional practice need to be developed differently. CyberLab provides that pathway.

New BSc in Cyber Security

Adelaide University's first dedicated undergraduate degree in cyber security. Stackable units allow flexible learning paths, and the curriculum is accredited by the Australian Computer Society (ACS). Courses are designed so that components can be reused by the Australian Defence Technology Academy (ADTA) for training defence and government professionals.

Internal Internship Model

CyberLab participation is structured as a work-integrated learning (WIL) experience — an internal internship accessible to all students, regardless of background or industry connections. This is particularly valuable for international students who often face barriers to external placements in cyber security. Students earn credit through internships, honours projects, and master's thesis work.

Learning by Doing

Students select subsystems they want to contribute to, work in teams, and are mentored by academic staff and tutors. The pedagogical approach combines scaffolded learning, team-based problem solving, pair programming, and inquiry-driven exploration. Students manage real project scope, deadlines, and deliverables — not artificial exercises.

AI-Ready Workforce

Entry-level positions are being automated. Our graduates develop the deeper skills that remain valuable: systems thinking across interdependent infrastructure, critical evaluation of AI-generated outputs, the ability to design and operate complex platforms, and the judgment that comes from hands-on experience with realistic, messy, system-of-systems problems.

Our Position on the use of AI in the CyberLab

Adelaide University's academic integrity policy is clear: submitting AI-generated work as your own, or using AI to misrepresent your competence, is academic misconduct. We fully support this.

But in the CyberLab, we go further. AI is not just permitted — it is encouraged. We want students to use large language models, code generation tools, and AI assistants as part of their daily workflow. This is deliberate. The cyber security industry is being reshaped by AI, and graduates who cannot work effectively with these tools will be at a serious disadvantage.

However, there is a line — and it matters enormously.

Consider a graduate who has learned to ask AI to produce code, configuration files, or analysis — and submits the output without truly understanding it. They pass their courses. They get hired. Their manager gives them a task; and as they have been doing throughout their studies, they ask AI to do it and hand in the result. But here is the question that should keep every student awake: what value are you adding? Your manager can prompt an AI themselves. If your only skill is relaying AI output, you are not an employee — you are a bottleneck. And bottlenecks get removed.

The digital divide is no longer just about access to technology. It is about the gap between people who master AI and people who are mastered by it. Those who understand what AI produces — who can evaluate it, correct it, extend it, and know when it is wrong — will be indispensable. Those who cannot will find themselves replaceable by the very tools they depend on.

This is what CyberLab teaches. Not how to use AI, but how to think with AI. Students build real systems, debug real failures, and make real architectural decisions — with AI as a tool, not a crutch. When you deploy a SOC dashboard or write firewall rules for a system-of-systems exercise, you have to understand what you built. The system will not work if you do not. That feedback loop — building, breaking, understanding, rebuilding — is what produces genuine competence that no AI can replace.

AI-powered cyber defence visualisation

From the Lab to
National Defence

CyberLab connects directly to Australia's cyber defence ecosystem — through research collaboration, live exercises, and a pipeline of capable graduates.

Locked Shields cyber defence exercise — teams at workstations in a darkened operations room. AI-generated visualisation — not depicting real individuals or facilities for privacy reasons. As always, all characters and buildings are fictitious and any similarities to actual persons, living or dead, or actual events are purely coincidental.

Cyber Security Exercises

The CyberRange, a system-of-systems approach to researching, training and experimenting with realistic systems, was inspired by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) Locked Shields exercise. Many motivated students at Adelaide University work directly alongside current and future leaders in Australia's cyber defence landscape.

However, Locked Shields exercises are still largely manually configured. The CyberLab vision is to automate this — making it possible to deploy, run, and reproduce these complex multi-system scenarios entirely through code.

Digital twin of smart city critical infrastructure

Digital Twin Idea

CyberLab is a testbed for digital twin ideas, contributing to Australia's national cyber security research capability and workforce development.

International Research

The CyberLab is intended to be enabling infrastructure that researchers can use to conduct their research.

Workforce Pipeline

As AI transforms what entry-level cyber security work looks like, Australia needs new approaches to developing experienced practitioners. CyberLab helps fast-track talented graduates into effective contributors to national security.

Open Infrastructure.
Shared Knowledge.
Collective Resilience.

CyberLab is an open, collaborative project. Whether you're a student, researcher, or industry professional — there's a place for you.

For Students

Join our weekly project meetings. Choose a subsystem that interests you — from hospital infrastructure to AI-based intrusion detection. Earn academic credit through internships, honours projects, or master's thesis work. Don't be scared, come and join us.

Thursdays at 12:00 noon
Room IW 5.57, Ingkarni Wardli building
We communicate via Discord

For Researchers

CyberLab provides a platform for studying complex system-of-system interactions that cannot safely be examined in production environments. Research topics span cascading failure analysis, AI-enabled attack and defence, influence operations, and critical infrastructure resilience.

Open Source

The CyberLab infrastructure is built entirely with open-source tools. As the GitHub Ops allow you to start and stop machines, we need to know who you are and who is spending AWS money. That's why you need to contact us first for access. However, we believe that shared infrastructure produces better research and stronger collective defence.

github.com/UAdelaide/CyberLab
Animated visualisation of cascading system failures propagating across an interconnected network