Unfilled cybersecurity careers will reach over 1.5 million by 2019. With the ever-increasing amount of technology placed on the internet, security becomes a high priority. The Department of Energy (DOE), capitalizing on the expertise of current national laboratory staff that previously hosted two successful cyber defense competitions to exercise interactive, scenario-based events, where teams engage in cybersecurity activities includes methods, practices, strategy, policy, and ethics. Through the cyber defense competitions, DOE has worked to increase 1) hands-on cyber education to college students and professionals, 2) awareness into the critical infrastructure and cyber security nexus, and 3) basic understanding of cyber security within a real world scenario.
Utilizing critical infrastructure focused scenarios; DOE’s competitions added realistic components to make their competition stand out. This includes a cyber-physical infrastructure, lifelike anomalies and constraints, and actual users of the systems. Additionally, DOE’s competition looks to help participants and volunteers increase their knowledge and understanding of cyber-physical threats, vulnerabilities, and consequences. Moreover, this competition provides students a hands-on security approach to their team’s infrastructure from their servers and virtual machines to the physical devices on their tables. Teams also have the strain of balancing their security with usability; scores of teams include a user’s ability to continue normal work operations.
Scenarios developed have an energy focus. Previous scenarios have focused on power distributors and water and power delivery systems. Additionally, the scenarios developed look at real-world constraints and lifelike anomalies to include no budget for maintenance or upkeep, deficiency in understanding the system’s needs, website defacement, business meetings, or lack of permission controls.
Unique to DOE’s competition, a cyber-physical device is provided to allow the participants a real-world understanding of the implications for defending critical infrastructure. When power distributor’s cyber infrastructure is compromised, the participants may see the light bulb go out or the water pump stop indicating that there is no power or water being distributed.
The competition encourages unique defense strategies and techniques in safeguarding the cyber assets. Teams are scored on their “out-of-the-box” and innovated ideas and defenses. These unique defenses stem from the real-world constraints provided in the scenario such as no budget. Teams develop a working defense utilizing zero dollars and ensuring that the system’s intended purpose is not deprecated.
Most cyber defense competitions do not take into account usability of the system. DOE’s competition not only adds this element in, but also scores this element as part of the overarching competition. Teams must balance the added security of the system with usability of the system. If the users are unable to navigate the system or unable to complete basic tasks within the system, the team’s usability score will decrease each hour the users are unable to navigate. Additionally, the teams have the added layer of interacting with the users and working through real-world issues and requests made by the users on top of actively defending the networks.
The DOE CDC highlights that while security of the system is very important so is the usability of the system. Blue team members must take into account that while their main role is to secure their systems, their users must also be able to complete work in a normal work setting. The figure below highlights how communication flows throughout the competition.