From leaked passwords to identity theft, cybersecurity issues are constantly in the news. Few issues though are as important — or as under-reported by the media — as the security of America’s industrial control infrastructure. Oil rigs, power plants, water treatment facilities and other critical infrastructure are increasingly connecting to the internet, but often without the kinds of foolproof security systems in place to ensure bad actors can’t gain access or disrupt service delivery.
This is a growing area of the economy with a wealth of jobs, but few students even realize that industrial and infrastructure cybersecurity is an interesting career path. So, over the past three years, the Department of Energy has hosted a Cyber Defense Competition to encourage university students to engage in the field. The latest incarnation of the completion was held this past weekend and hosted by Argonne, Pacific Northwest, and Oak Ridge national laboratories.
Lewis University won the competition this year in a total field of 25 entrants. That is up from 15 teams last year, and 9 teams in the inaugural competition.
Nate Evans leads the program at Argonne, and explained to me the design of the competition. Teams get a month before the competition to learn how to defend industrial control systems against hackers. Each team is given a small industrial control system that emulates a real-world model.
Then on the day of the competition, those teams compete and run the operations of the model infrastructure as the cyber defense team. A red team cell tries to hack the system, while a green team of regular, nontechnical people do the normal work of using the system, such as answering emails or responding to requests.
Evans explained that they “add in the usability piece as well, so they’re trying not just trying to defend against the red team but keeping usability.“ Six times an hour, a request to the team comes in, such as a new feature desired by the CEO. The idea is to simulate as closely as possible the conditions of a real piece of industrial infrastructure and forcing the team to project manage different priorities.
Teams are allowed to build anything they want to defend their system. “We try to make it as flexible as possible and so they can bring whatever skills they have,” Evans said. We want the teams to “come out and try new things such as a custom operating system that they wrote in the class,” he explained, “or some crazy firewall or setup or design.”
Since each of the three labs hosting the competition is on ES Net, the Energy Sciences Network that connects all labs in the U.S., the competition can be conducted in real-time across all locations, and lasts about eight hours. Lewis University won the national award, while University of Central Florida, Oregon State University, and University of Memphis won first place regional awards.