Newswise — According to recent estimates by Cybersecurity Ventures—a leading researcher for the global cyber economy—3.5 million cybersecurity jobs could be unfilled by 2021. As cyberattacks become more frequent and sophisticated, building a highly skilled cybersecurity workforce has become a national priority.

In 2016, the U.S. Department of Energy (DOE) began the CyberForce Competition, now an annual collegiate cyberdefense competition in which students defend a simulated energy infrastructure network from cyberattack. Outages resulting from cyberattacks targeting the nation’s electric power grid, oil and gas pipelines, and other energy delivery systems could endanger people’s lives and cause significant economic loss. Ensuring the reliability, resiliency, and security of these systems requires highly skilled individuals who can respond to ever-evolving threats and vulnerabilities. The CyberForce Competition is one of the many ways that DOE promotes the development of the next generation of cybersecurity professionals with competencies relevant to the energy sector.   

The fourth competition was held on Dec. 1, with a total of 66 teams from 24 U.S. states and Puerto Rico hosted at Argonne, Brookhaven, Idaho, Lawrence Berkeley, Oak Ridge, Pacific Northwest, and Sandia National Laboratories. Brookhaven hosted five teams, which were from Columbia University, New York University (NYU), Suffolk County Community College (SCCC), the United States Military Academy at West Point, and the University of Maryland, Baltimore County (UMBC).

“This CyberForce competition is the inaugural one for Brookhaven,” said local co-organizer Patrick Looney, chair of Brookhaven’s Sustainable Energy Technologies Department. “It is exciting to watch the students learn how to defend a piece of virtual infrastructure as they were attacked by cybersecurity experts whose job it is to penetrate their systems. Brookhaven’s participation in the competition is important because it speaks directly to our educational mission in helping prepare researchers of the future—in this case, cybersecurity experts.”

Before the competition began, participants heard welcome remarks from Congressman Lee Zeldin; Scott Smith, chief information security officer for the city of Bryan, Texas; Congressman Bill Foster; Energy Secretary Rick Perry; and Karen Evans, assistant secretary for Cybersecurity, Energy Security, and Emergency Response.

“Today, the digital infrastructure that serves this country is literally under attack,” said U.S. Energy Secretary Rick Perry during a video broadcast. “Protecting our energy infrastructure against those threats is my highest priority as secretary. To meet them, we’ll need new talent, new technologies, and new training opportunities. And most of all, we’ll need all of you. You are this nation’s next generation of innovators, defenders, and cyberwarriors. We need you to bring your knowledge, passion, and competitive spirit to the job at hand. That’s why I am pleased that this competition has grown so rapidly, becoming a key component of our cyber workforce development initiatives.”

The cyber battlefield

For eight hours, the college students (blue teams) hardened and defended simulated cyber-physical infrastructure—an oil transportation network, a power delivery system, and a high-performance computing system—against staged cyberattacks launched by volunteer cybersecurity experts from government and industry (red team).

“Red teaming means conducting network penetration testing,” explained red team member John Hammond, who teaches cybersecurity to military personnel at the Defense Cyber Investigation Training Academy (DCITA). “We coordinate the attacks at specific times throughout the day. Initially, we target low-hanging fruit—the most public vulnerabilities for which there are resources and materials. The teams had time to secure their systems against these vulnerabilities.”

For example, within the first hour, the red team launched an exploit of Samba, a file-sharing protocol of Microsoft Windows. The hacking group Shadow Brokers released this exploit—named EternalBlue—to the public in 2017. Later that hour, the red team tried to compromise the teams’ web servers through the Shellshock vulnerability, which is present in systems with an unpatched and older version of the web server software Apache. As the day went on, the attacks became more complicated and targeted specific aspects of particular services.

“Red teamers have 1,000 things to hit,” said Hammond. “The blue team has to protect against all vulnerabilities, but the red team only has to find one vulnerability.”

“For this challenge, there are a lot of open ports, which are basically back doors for attackers that allow them to get the highest privileges,” said NYU team member Liyun Li, who is studying cybersecurity as part of the new NYU Tandon Cyber Fellows graduate program and intends to pursue a career as a security consultant. “We installed firewalls, alert systems, and intrusion-detection systems as precautions but cyberdefense is a continuous process. Right now, we are working on fixing an SQL [sequential query language] injection vulnerability. SQL is a computer language that interacts with databases, and the injection vulnerability exploits an incomplete or incorrect application logic to allow unauthorized database access.”

Throughout the day, the students were presented with anomalies—unusual or unexpected activities—that they had to distinguish from malicious network behavior. The anomalies were designed to mimic real-world distractions.

“Anomalies are actions that have been noticed in files, such as repeated logins,” said fellow NYU team member Julio Nunez, who is also part of the Cyber Fellows cohort and works as an engineer at a banking firm. “I am supposed to be tracking every case and triangulating them with the log files to figure out who is committing these actions. Everything you ever do on a computer is logged. You can ascertain malicious behavior by going into the log file and analyzing the actions within the file, either manually or with a tool. The main tool we are using here is called Splunk.”

After launching each attack, the red team assessed the blue teams’ responses. Representatives from the blue teams presented their team’s defense strategy to a panel of chief information security officers (CISO) and industry experts. At the same time the blue teams were defending their systems, they had to continue the operation of websites, mail servers, and other services for volunteer end users (green team).

A points-based system was used to assess how successful the teams were at thwarting cyberattacks and maintaining the usability of services, and the level of creativity and innovation in their defense strategies. The University of Central Florida team was named the national winner, and UMBC won first place locally at Brookhaven.

“I’m in charge of everything Windows for the industrial control system,” said local winner Seamus Burke, who is expected to graduate from UMBC in 2020 with a degree in computer science. “My job is to make it as hard as possible for the red team to hack into our Windows machines and try to keep the system functioning. I came up with a way to differentiate between authorized and unauthorized traffic. Unauthorized users can view the status and query the device, but they cannot make any changes.”

Beyond technical skills

The competition not only developed the students’ technical skills in cybersecurity but also their soft skills in teamwork and communication.

“Research has shown that what makes a better team is not necessarily technical knowledge but how well the team members relate to one another,” said CISO panel volunteer Jim Boardman, an academy technical engineer at Palo Alto Networks. “As a former coach of competitions like this one, I saw that communication is key. In this competition, each of the teams has two minutes to state their case, telling us what vulnerabilities they discovered on their network and how they are trying to abate them. If the presenter cannot succinctly and clearly explain the strategy, then the team will not be well represented even though the team may be great.”

West Point team member Gary Gray II especially understands that cybersecurity involves more than technical skills. Unlike most of the participants who are studying cybersecurity, information technology (IT), or computer science, Gray II is a business management major. He became involved in the competition through his fellow teammate and roommate Derek Nunn, a junior cadet studying IT.

“I don’t necessarily know all the technical aspects, but management—keeping a team together and running processes—is where I can help,” said Gray II. “In this competition, I am less involved than my teammates in regard to solving problems. However, when problems do come down the chute, I can tell my teammates what needs to be solved in a timely manner. Today, I had to pitch to the CISO panel what our team did in terms of securing and hardening our defensive network. There was a steep learning curve in understanding all of the technological jargon. But just because you’re not a technological person doesn’t mean you can’t learn or incorporate it in at least a small subset of your life.”

In the future, Gray II plans to start his own business—one that integrates technological approaches to provide solutions to real-world problems.

In this video, local event organizers and team members at Brookhaven Lab discuss their experiences at the 2018 U.S. DOE CyberForce Competition.

“So many different aspects encompass network management,” added Nunn, who is studying IT and plans to enter the Army’s Cyber Branch when he graduates. “We not only need people who can diagnose and fix problems but also people who can properly manage teams.”

“When there is stove piping of information, the team suffers as a whole,” said West Point coach Major Eric Sturzinger, a network systems engineer and instructor in the Department of Electrical Engineering and Computer Science. “In the Army, we try to break that down as much as possible. Ensuring everyone is on the same page is difficult in this competition. It requires learning how to communicate as a team.”

Learning opportunities for all

For many of the Brookhaven-hosted teams, this CyberForce competition marked their first time participating in the event.

“We weren’t quite sure what to expect,” said Columbia team member Christopher Vasquez, a junior studying computer science. “It is one thing to do classroom assignments and be surrounded by phenomenal instructors and classmates, but there is a gap between education and application. That’s where coming to Brookhaven and participating in this competition comes in. The Raspberry Pi machines are so small and use basic water cooling, so we can do this back on campus. I definitely want to bring this experience back to my peers, and I look forward to participating again.”

“All of this is really new to me, so I’m trying to figure it out,” said Jonathan Delia, who is pursuing an associate’s degree in cybersecurity at SCCC. “We don’t get to do this kind of activity in the classroom. Competitions like this one are definitely the best way to learn and to get ready for a career in cybersecurity.”

For coaches of inexperienced teams, the competition provided a hands-on opportunity to expose students to cyberdefense.

“The blue team is new for West Point this year, joining our Capture the Flag and red teams,” said Major Sturzinger. “Our cadets are participating in the CyberForce competition to develop their skills and knowledge and to prepare for future competitions, including the National Collegiate Cyber Defense Competition in the spring. The Army recently created a Cyber Branch, and cadets who participate on the cyberdefense team are more likely to be selected for this career path.”

The students were not the only ones who benefitted from the experience. For some red team volunteers, their participation provided them with a chance to “play” on the other side.

“My day job is to manage the security devices for the U.S. Coast Guard network, kind of the opposite of what I am doing here,” said red team volunteer Caleb Stewart of the U.S. Coast Guard Cyber Command.

“I am a security analyst in the fintech [financial technology] industry, so my day to day consists primarily of blue team activities, such as going through different logs to see if anything looks out of the ordinary,” said red team volunteer Jeff Matthew.

The CISO panel also found the competition worthwhile.

“I am writing notes as the students give their presentations,” said Boardman. “It is always a two-way street—the students learn but we learn too.”

Brookhaven Lab plans to co-host next year’s CyberForce Competition, which is scheduled for November 16, 2019.

“This competition was a great opportunity for students to better understand what it takes to protect a real-world system against cyberattacks and to interact with industry experts,” said local co-organizer Robert Lofaro, leader of the Renewable Energy Group in Brookhaven’s Sustainable Energy Technologies Department. “We look forward to hosting teams again next year.”

The competition is co-funded by the DOE’s Office of Cybersecurity, Energy Security, and Emergency Response; Office of Electricity; Office of Science; Office of the Chief Information Officer; and the National Nuclear Security Administration. Corporate sponsors of this year’s event were American Fuel and Petroleum Manufacturers, American Public Power Association, Claroty, CybatiWorks, Federal Training Partnership, General Atomics Electromagnetics, National Association of State Energy Officials, Microsoft Azure Government, Tennessee Department of Environment and Conservation, and West Monroe.

Brookhaven National Laboratory is supported by the Office of Science of the U.S. Department of Energy. The Office of Science is the single largest supporter of basic research in the physical sciences in the United States, and is working to address some of the most pressing challenges of our time. For more information, please visit science.energy.gov.
