In recognition of October as National Cybersecurity Awareness Month, the Office of Cybersecurity, Energy Security, and Emergency Response (CESER) is highlighting some of its cybersecurity initiatives, including its collegiate cyber defense competition, CyberForce, whose fifth installation will be held next month at National Laboratories across the Nation.
Through its CyberForce Competition, CESER supports the Department of Energy’s (DOE) efforts to develop the energy sector cyber workforce of the future. DOE’s CyberForce is a collegiate competition that challenges teams from over 150 colleges and universities to defend simulated energy infrastructure from cyberattacks staged by a team of industry professionals. The next competition takes place November 15-16 at ten DOE National Labs across the country. Teams are scored across multiple indicators of performance, including “user” ability to continue normal operations and innovative implementation of defenses, with regional winners and an overall champion team named at the end of the competition.
Last year, the University of Central Florida won the overall CyberForce Competition, competing regionally from Argonne National Laboratory in Lemont, IL. We spoke with Andrew Hughes, a Central Florida winning team member and current senior computer science major, about the experience and his career aspirations.
How did you come to be involved in the CyberForce Competition?
Andrew: I was a member of the “Hack at UCF Club,” a student-run cybersecurity club, as well as UCF’s artificial intelligence club, and we learned about CyberForce from contacts in those clubs. We probably wouldn’t have been exposed otherwise.
What was the specific scenario that teams were presented with during last year’s competition?
Andrew: Before the competition, we were given advanced access to some simulated industrial control systems (ICS) for a fictional energy-related company. After auditing the systems, the challenge on the day of the competition was to harden the systems while keeping operations up and dealing with all sorts of additional real-time threats and anomalies from hackers [the “adversarial” team of industry professionals].
Our particular scenario this past year was working to secure an ICS for a water pump for an oil and gas company. The overarching challenge was to make sure users could still operate the ICS while we were hardening them for attacks and that we were not killing the system in the process. We could see attackers actually breaching the system, either overflowing or draining the tank. It was very hands-on, because we were able to interact and experience a human-machine interface, getting our hands on an actual device and seeing both the physical and digital side of it. During CyberForce, you’re seeing and hearing the effects of a cyberattack in real time, at your table, which is really cool.
How did your team prepare for the competition?
Andrew: Each team has six people, so a couple of months beforehand the competition organizers gave everyone access to a cloud login with a dashboard, preset plug-ins, and documentation so we could see and evaluate the running system. Each year, the competition features a new non-standard information technology (IT) system – last year, ours was an ICS platform for high-performance computing clusters. Some on our team were more specialized for Windows computers while others had more Linux experience, so within our team it became who could do what the fastest.
What was the key to winning the national CyberForce Competition?
Andrew: Our team is pretty close to each other and we communicate really well. We also put in a lot of time beforehand to coordinate our defenses in advance. We had patches in place and knew what was happening in those systems. Then it becomes a matter of being creative and working through the problems and anomalies in real time, thinking out of the box to come up with innovative solutions.
How has your involvement in CyberForce assisted you with your career aspirations?
Andrew: I have plans to continue working in the cybersecurity realm after college. It’s way too much fun not to. I’ll perhaps contract out to clients in the federal domain, maybe at DOE, in the future. After I graduate, I plan to continue doing security research, more on hardware and processors, and audit and test those systems. Right now, I’m interning at a [cybersecurity] company, so we’ll see where it goes. It’s an exciting career track.
In your experience, what’s the biggest challenge in protecting critical energy infrastructure from cyberattacks?
Andrew: The energy sector has unique cybersecurity needs compared with Microsoft or other IT companies. In my opinion, good standards are being put in place, but it’s very difficult to take systems down and correct them when they’re powering utility systems. We’ll always be playing catch up – but the truth is, we can’t really always be playing catch up, like taking an actual water system down while you’re hardening it against hackers. It’s what makes securing critical infrastructure so challenging.
The great thing about the CyberForce Competition is that it prepares you to think through different scenarios and anomalies very quickly, forcing you to think collaboratively about how to filter attacks live without impacting systems. It’s a very interesting problem. Obviously, we need more research and development as a whole, and by educating people, we’ll make better progress. CyberForce is a very valuable tool in that respect.