Inside the FBI's replica small town: what a physical cyberattack range really tests

The FBI has built a full-scale replica small town in the United States to test cyberattack scenarios against real infrastructure. TechCrunch reports that the site replicates a full town's worth of digital and physical infrastructure, including the power grid, water utilities, banking and education systems. Here is what cyber ranges of this kind are actually for.
The cyber range concept has grown over the past decade. Classic digital test environments run on virtual machines and simulation software; physical test environments include real hardware and real network equipment. The FBI facility is a physical range. NIST documents underline that physical ranges deliver "more realistic threat models."
The first question: why real infrastructure? Because industrial control systems (ICS), power grids, water treatment and manufacturing lines have dynamics that classical IT testing cannot capture. Programmable logic controllers (PLCs), human-machine interfaces (HMIs) and domain-specific communication protocols (Modbus, DNP3, IEC 61850) cannot be fully modelled in a desktop test environment.
The second question: what does a range test? Three main axes. First, training response teams. Incident response teams practise minute-by-minute decision-making during a simulated attack. Second, defensive equipment evaluation. New monitoring systems, network segmentation tools and EDR (endpoint detection and response) products are stress-tested against realistic attack scenarios. Third, procedure review. The range shows whether existing procedures hold up against a new attack method.
The FBI site points to a public-partner model. It provides a shared testing ground for federal agencies, state-level authorities, private-sector infrastructure operators and academic researchers. That is how inter-agency coordination, essential for critical infrastructure protection, is rehearsed in the field.
Global parallels exist. Israel's Cyberbit and the National Cyber Park at Be'er Sheva and, in Europe, Estonia's NATO Cooperative Cyber Defence Centre of Excellence and the UK's Cranfield cyber range are comparable. Germany has built a similar model through its Cyber Innovation Hub.
Context for Turkey: the Presidency's Digital Transformation Office and USOM (the National Cyber Incident Response Centre) run exercises and certification programmes for critical infrastructure operators. National exercises run between the Turkish Armed Forces Cyber Command and the private sector, within BTK's regulatory framework, are setting the stage for a full-scale physical range on the scale of the FBI's to become more visible on the country's agenda.
The rising visibility of critical-infrastructure attacks is motivating these investments. The 2021 Colonial Pipeline incident in the US, 2024 ransomware operations against Ulta Beauty and hospital networks, and operational disruptions at various European energy companies showed that the physical impacts are real. CISA's 2024 report says security incidents in critical infrastructure sectors are rising at double-digit annual rates.
Cost matters: a physical range is expensive. Annual operating costs for a single facility can run into the millions of dollars. That makes "range time as a service" attractive to smaller countries and private operators. In the US, Idaho National Laboratory's long-running ICS range rents its infrastructure on an hourly basis.
The FBI facility's specific outputs will not be shared publicly; the nature of cyber-defence ranges keeps test outputs confidential. What can be expected is more frequent federal exercises, broader threat briefings and an expansion of private-sector training programmes.
Near-term takeaway: institutional readers should review how often their own organisation participates in cyber exercises. Annual exercise count, equipment testing procedure and incident response team fieldwork frequency should all be benchmarked against the standards set by large facilities like the FBI's. This article is not a security audit recommendation.