Students practice defending industrial control systems against Sandia red-teamers at CyberForce
Hundreds of cybersecurity professionals and college students gathered around the country Nov. 16 for a day of cyber wargames.
The event, DOE’s roughly annual CyberForce Competition, was created to teach and inspire the next generation of cybersecurity professionals by giving them an opportunity to apply their skills against realistic problems. A global shortage of cybersecurity professionals could see 3.5 million vacant jobs by 2021, according to the research firm and media company Cybersecurity Ventures.
“We envision this competition to be a tool to assist our sector to close skills gaps and shortages of cybersecurity experts,” said Karen S. Evans, Assistant Secretary for Cybersecurity, Energy Security, and Emergency Response, in a DOE press release.
In its second year hosting a competition site, Sandia worked with 10 teams at the Lobo Rainforest, the anchor building of downtown Albuquerque’s Innovate ABQ complex.
Teams accumulated points by defending their systems against red-teamers like Sandia’s Will Atkins, who has worked professionally in similar roles, helping government agencies and public utilities find weaknesses in their systems. Specialists from Los Alamos National Laboratory also came to support the competition.
Sandia relied on the varied experience of its volunteers to pull off the event.
“I can spot a problem in a system from a mile away, but as far as building systems, I’m not nearly as good at that,” Will said, adding with a laugh, “I guess I would be a good movie critic.”
Jeremy Gin, another Sandia cybersecurity expert, helped build and troubleshoot the systems students used, including a small mechanical device that periodically spun a set of wheels when the pretend facility was operating correctly. It failed or flashed a red light when the system was encountering a problem.
Traveling from Dallas, Texas, the team from Southern Methodist University won the top spot at the Albuquerque regional competition for the second year in a row. The University of Maryland, Baltimore County, team won the national competition.
Live together, die alone
In a new twist this year, CyberForce networked teams together from different locations, each representing a different facility: a power plant, a substation, a data center or a manufacturing facility.
In the real world, Jeremy said, “an adversary taking down a data center could force the security team to have to operate without a section of their network, a suite of tools or some data feeds, whereas an adversary taking down a substation or power generation facility could force the security team to have to operate on time-limited backup power or a temporary blackout.”
If the wheels weren’t turning on a team’s device, team members could open a chat channel with other teams to figure out whether they were being attacked or were seeing the effects of an upstream problem. Teams were awarded points for sharing their vulnerabilities with others.
“They must understand how the whole ecosystem comes together and functions at a high level,” said Jeremy, who was on hand during the competition to help students with questions. “At Sandia, as a team and enterprise, we do this every day.”
Simulation focused on education
The exercise isn’t a perfect analogy to real-world cybersecurity. The imposed time limit, Will said, meant he and his red-team partners didn’t have time to launch subtler, more devious attacks, and blue-team students knew the attacks were coming, which obviously isn’t true in life.
But in some ways, Will said, the imperfect emulation makes CyberForce a better educational tool. Overt attacks help students practice detecting suspicious activity and learn to assess it and respond appropriately. Part of the real challenge of cybersecurity, he said, is determining whether anomalous activity on a system is a targeted attack or a harmless probe.
Despite its artificialities, CyberForce succeeds in exposing students to ideas and experiences they wouldn’t normally get as undergraduates.
“This competition is important to cybersecurity education because it calls attention to the unique functions, vulnerabilities and importance of industrial control systems compared to normal enterprise PCs and networks,” Jeremy said.
“They’re very good at what they do, but they’re not experienced,” Will said.