Security and Resilience (Cyber and Physical)

Association sponsors DOE cybersecurity competition

Illustrating its ongoing commitment to help solve the cybersecurity workforce shortage, the American Public Power Association was one of the sponsors of a recent Department of Energy competition in which opposing teams face off against each other in a series of cyberattack simulations.

The Cyberforce Competition, which took place from Nov. 30 to Dec. 1 and was held at the DOE’s Argonne National Laboratory in Illinois, involved interactive, scenario-based competitions to give student teams a hands-on cybersecurity experience and raise awareness of the nexus between critical infrastructure and cybersecurity.

Scott Smith, Chief Information Security Officer from Bryan Texas Utilities, gave the industry keynote prior to the start of the exercise. He highlighted the difference between IT (information technology) and OT (operational technology) and why it is important for students to focus on securing OT equipment as that is what the cybersecurity workforce needs.

Argonne was the lead lab for the competition, but six other labs participated: Brookhaven National Lab, Idaho National Lab, Lawrence Berkeley National Lab, Oak Ridge National Lab, Pacific Northwest National Lab and Sandia National Lab. There were teams present at each of those labs.

Through the competition, the DOE has worked to increase hands-on cyber education to college students and professionals, awareness into the critical infrastructure and cyber security nexus and a basic understanding of cyber security within a real-world scenario.

“Cybersecurity threats are ever-evolving and becoming more sophisticated by the day,” said Sam Rozenberg, Engineering Services Security Manager at the Association, who attended the competition. “That is why the country needs a deep bench of cybersecurity professionals who have the right skills to help address these challenges today and into the future and that is what makes this competition critical to the success of security for our nation’s critical infrastructure.”

“Developing the next generation of cybersecurity experts is a critical part of our mission within CESER," said DOE Assistant Secretary for the Office of Cybersecurity, Energy Security, and Emergency Response (CESER) Karen Evans. “The CyberForce Competition provides the opportunity for us to engage our future defenders and let them know we not only support, but also commend, their interest in a field that is critical to our national security.”

Unfilled cybersecurity careers will reach more than 1.5 million by 2019.

DOE’s competitions feature cyber-physical infrastructure, lifelike anomalies and constraints, and actual end users, allowing students to get a realistic experience managing threats and vulnerabilities in the energy system. Students use a hands-on security approach to defend their team’s infrastructure from attacks on the physical devices in front of them.

Competition scenarios are energy focused and incorporate real-world constraints such as limited budget for maintenance or upkeep, insufficient understanding of the system’s needs, website defacement, and lack of permission controls.

A cyber-physical device is provided to each team, allowing students to see the real-world implications of a disruption to critical infrastructure from a cyberattack. When the team’s cyber infrastructure is compromised, the participants will see a light bulb go out indicating a disruption in critical services to utility customers.

The competition encourages teams to utilize unique defense strategies and techniques in safeguarding their cyber assets. Teams are scored on their innovative ideas and ability to develop a working defense to continuously maintain system operations and avoid service disruptions.

Many cyber defense competitions do not account for system usability, which refers to the end users’ ability to continue operations.

The DOE’s competition not only includes this element, but also assesses usability as part of each team’s overall score, requiring teams to balance security and usability. If the users are unable to navigate the system or complete basic tasks within the system, the team’s usability score decreases. Teams face the added challenge of interacting with end users and working through real-world issues and requests made by the end user — all while actively defending their networks.

Competition structure

The competitions use a point system to score a Blue Team’s ability to defend its energy network infrastructure from a Red Team of attackers.

Blue Teams include university students who defend their network infrastructure from the Red Team and maintain system usability for a Green Team, which include volunteers with a variety of skill sets, emulating typical end users.

Red Teams include industry security professionals that play the role of “hackers,” attempting to breach the network infrastructure and defenses of the Blue Teams.

Points are gained and lost based on the actions or inactions from both blue and red teams. The Blue Team with the most points at the end of the competition is declared the winner of the event.

In the attack phase, the Red Team conducts offensive measures to compromise the Blue Teams’ infrastructure and services. During this time, the Green Team tests the Blue Teams’ systems to ensure that the end user is still able to work within the environment.

A White Team scores the Blue Teams on their services, as well as injecting optional activities for bonus points (anomalies). White Teams include industry volunteers and national laboratory employees who support the student teams in setting up their infrastructure and judge the competition.

To add a level of complexity, DOE laboratories are connected via live stream, and color teams will be able to interact with each other across the competition sites.

The Blue Team area at Argonne National Laboratory during the competition

Carter Manucy, Cyber Security Manager at the Florida Municipal Power Agency, was a Red Team participant during the competition.

During the competition, Rozenberg spent time with the Red Team and observed Manucy hack students and talk about how they left common ports unsecure.

Details on competition winners

Winners of the 2018 CyberForce Competition include:

Overall nationwide winner: University of Central Florida, Orlando, Florida

Regional winners

  • From Argonne National Laboratory: 1st Place – Kansas State University, Manhattan, Kansas
  • From Brookhaven National Laboratory: 1st Place – University of Maryland, Baltimore County, Baltimore, Maryland 
  • From Idaho National Laboratory: 1st Place – Brigham Young University, Provo, Utah
  • From Lawrence Berkeley National Laboratory: 1st Place – University of California, Davis, California
  • From Oak Ridge National Laboratory: 1st Place – University of South Alabama, Mobile, Alabama
  • From Pacific Northwest National Laboratory: 1st Place – Oregon State University, Corvallis, Oregon
  • From Sandia National Laboratories: 1st Place – Southern Methodist University, Dallas, Texas 

Since the competition’s inception in 2016, interest has steadily increased. The first competition had nine teams apply, the second had 25, and the most recent had 68 team applicants. The DOE is anticipating over 100 applicants for the next event.

The next competition will be November 15-16, 2019 and the DOE is always looking for utility volunteers. Additional information about volunteering is available by sending an email to: [email protected].