National Lab Hosts Teams for 2019 CyberForce Competition


The 2019 CyberForce Competition is the latest in a series that DOE began in 2016 to help train the next generation of cybersecurity specialists in the energy sector. College students (blue teams) stationed at national labs across the country defend a simulated energy infrastructure from cyberattacks launched by cybersecurity experts (red team) while maintaining email, file sharing, and other basic services for end users (green team). National lab and cybersecurity industry staff (white team) help the blue teams set up their infrastructure, inject anomalies (optional puzzle-like activities for bonus points) into the network infrastructure, and judge the competition.

DOE’s Brookhaven National Laboratory first co-hosted the competition last December, with five local teams participating. Brookhaven Lab returned as a co-host for this year’s competition—the fifth in the series—held from Nov. 15 to 16. Seven teams came to Brookhaven: Columbia University, New York University, Northeastern University, St. John’s University, the State University of New York (SUNY) at Albany, Suffolk County Community College (SCCC), and the U.S. Military Academy (USMA) at West Point.

“We’re seeing such a diversified group of students come to compete—from U.S. military academies to community colleges to big athletic powerhouse universities,” said Sean Plankey, principal deputy assistant secretary for DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER), who visited Brookhaven during the competition. “We can harness the power of technology to compete across the entire spectrum of the United States.”

The Brookhaven-hosted teams competed against each other and against teams located at nine other DOE labs: Argonne (also the host of the CyberForce Competition Professional Pilot for experienced cyberdefenders), Idaho, Lawrence Berkeley, Lawrence Livermore, National Energy Technology, National Renewable Energy, Oak Ridge, Pacific Northwest, and Sandia.

“One of the awesome things about CyberForce is that schools nationwide are competing at the same time right off the bat, without state and regional qualifier levels as required by other cyberdefense competitions,” said Max Kirby, a sophomore majoring in digital forensics at SUNY Albany, where he is also the captain of the Cyber Defense Organization.

The 2019 competition tasked blue teams with not only defending one of four interconnected infrastructures—a solar energy generation facility, an energy distribution substation, a high-performance-computing (HPC) data center, or a solar panel manufacturing facility—but also communicating with the other three. The infrastructures are made up of networks and faux cyber-physical devices that show disruptions due to a successful cyberattack. The blue teams at Brookhaven were assigned to defend the HPC data center. Each team had a data center replica with colored lights indicating whether the servers were up and running (green) or down (red). Steven Glozek, an intern in Brookhaven Lab’s Nonproliferation and National Security Department (NNSD) and PhD candidate in the Department of Technology and Society at Stony Brook University, built these replicas as part of his internship.

This scenario-based setup with both physical and digital components gives participants a realistic sense of what is entailed in balancing the security and usability of a system as a whole, and enables them to see the real-world implications of compromised critical infrastructure. Teams were scored based on their ability to thwart cyberattacks, maintain usability of services, complete anomalies, share information across different infrastructures, and present a strategy for responding to a hypothetical incident.

“Schools can’t necessarily provide these specialized infrastructures,” said Northeastern University second-year cybersecurity major Fiona McCrae, who is interested in exploring reverse engineering and security operations roles during her co-ops. “The national labs can set up things in a way that is more real world, within the spirit of a competition.”

 

Local coordinator and NNSD cybersecurity researcher Michael DePhillips explained how CyberForce is different than traditional-style cybersecurity capture-the-flag (CTF) competitions: “In CTF, you typically have to defend and attack, like the game of basketball. CyberForce is just defense.”

“The format of the competition is very helpful in that it develops your practical skills,” added St. John’s University senior Hrishikesh Ramprashad, who is studying cybersecurity and plans to enter the career field immediately following graduation. “In class, the lessons are theory-based, but here you get to do things that you would in real life.”

For example, the blue teams had to provide documentation (a user guide) to the green team—equivalent to the employees and customers of an energy company—on how to access their services to conduct routine operational tasks.

“We have to fill out a survey after doing certain tasks,” explained green team member Biays Bowerman, a chemist and group leader in Brookhaven’s NNSD. “Right now, I can’t access my team’s website, so all I can do is judge them on their user manual. It appears that they’ve been hacked.”

Hacking began with the red teams trying to establish persistence. 

“There were a lot of vulnerabilities to start with, such as default credentials,” said red team member Richard Alcade, a technical specialist at Con Edison. “Our goal is to get and maintain access to the blue team systems.”

As the day went on, the attacks became more malicious and sophisticated.

“Hacktivism and defacement is stage one—letting the blue teams know we’re there by exploiting low-hanging fruit, and clandestinely installing back doors to get in at a later time,” explained local red team leader Daniel Fedele of Brookhaven’s Information Technology Division (ITD). “Stage two is exfiltration, where we try to copy any sensitive data we find on their servers. In stage three, we are essentially playing whack-a-mole, shutting down services in sequence. Stage four is extremely destructive, with the systems fully down until the teams can figure out how they can undo what we did.”

The blue teams were also presented with a hypothetical incident: an SSL certificate for a company’s e-commerce website expired, and the company could no longer process payment information without violating regulations. One representative from each team gave a presentation to a chief information security officer (CISO) panel—representing the board members of the imaginary company—explaining how their team would respond to the incident.

“I was impressed by the creative ideas of some of the teams that went outside the strict cybersecurity viewpoint to include business outcomes,” said local CISO panel member Ian Ballantyne, a senior technology architect for cybersecurity at Brookhaven. “One of the suggestions was to find out which customers couldn’t complete orders by looking at the logs and offer those customers a discount to retain their business. This scenario-type exercise is really useful because talking about incidents is something they will be doing in the real world—explaining what went on in business terms, not only the technical details, and reassuring senior management that the situation is under control and measures are in place to reduce the chances of an incident like this happening again.”

The national winner of the competition was a team from the University of Maryland, Baltimore County, which took first place locally at Brookhaven last year; the local winner was a Northeastern University team. One senior, three juniors, and two sophomores made up the Northeastern team. None of them had participated in CyberForce before, and three had not previously competed in any cyberdefense event.

Republished courtesy of Brookhaven National Lab. Photo credit Brookhaven.