There is growing demand for cybersecurity professionals all around the world. According to the “2023 Official Cybersecurity Jobs Report,” sponsored by eSentire and released by Cybersecurity Ventures, there will be 3.5 million unfilled jobs in the cybersecurity industry through 2025. Furthermore, having these positions open can be costly. The researchers said damages resulting from cybercrime are expected to reach $10.5 trillion by 2025.
In response to the escalating demand for adept cybersecurity professionals in the U.S., the Department of Energy (DOE) has tried to foster a well-equipped energy cybersecurity workforce through a hands-on operational technology cybersecurity competition with real-world challenges. On Nov. 4, the DOE hosted the ninth edition of its CyberForce Competition. The all-day event, led by DOE’s Argonne National Laboratory (ANL), drew 95 teams—with nearly 550 students total—from universities and colleges across the nation. This year the focus was on distributed energy resources including solar panels and wind turbines.
“The CyberForce Competition comes out of the Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response, which is CESER for short,” Amanda Theel, group leader for workforce development at ANL, said as a guest on The POWER Podcast. “Their main goal for this is really to help develop the pipeline of qualified cybersecurity applicants for the energy sector. And I say that meaning, we really dive heavily on the competition and looking at the operational technology side, along with the information technology side.”
Theel said each team gets about six or seven virtual machines (VMs) that they have to harden and defend to the best of their ability. Besides monitoring and protecting the VMs, which include normal business systems such as email and file servers, the teams also have to defend grid operations and other energy resources.
“We have a Red Team that’s constantly trying to either come into the system from your regular attack-defend penetration. We also have a portion of our Red Team that we like to call our ‘assumed breach,’ so we assume that adversary is already in the system,” Theel explained. “The Blue Team, which is what we call our college students, their job is to work to try to get those Red Team members out.” She said organizers also have what they call “whack-a-mole” chores for Blue Team members to work on. These are vulnerabilities built into the system that must be identified and patched.
Besides the college students, ANL brings in volunteers—high school students, parents, grandparents, people from the lab, and people from the general public—to test websites and try to pay pretend bills by logging in and out of the simulated systems. Theel said this helps students understand that while security is important, they must also ensure that owners, operators, and end-users can still get in and use the systems as intended. “So, you have to kind of play the balance of that,” she said.
Other distractions are also incorporated into the competition, such as routine meetings and requests from supervisors, for example, to review forensics files and check the last time a person in question logged into the system. The intention is to overload the teams with tasks so evaluators can see if the most critical items are prioritized and remedied.
For the second year in a row a team from the University of Central Florida (UCF) won first place in the competition (Figure 1). The group received a score of 8,538 out of 10,000. Theel said the scores do vary quite significantly from the top-performing teams to lower-ranked groups. “What we’ve found is obviously teams that have returned year after year already have that—I’ll use the word expectation—of already knowing what to expect in the competition,” explained Theel. “Once they come to year two, we’ve definitely seen massive improvements with teams.”
The DOE sponsors other competitions as well. Theel said one focuses on the basics, what some might call “Cyber 101.” Another, called Reign, forces contestants to traverse a virtual escape room that requires them to overcome challenging scenarios, such as hacking into server rooms, interacting with artificial intelligence (AI) robots, and decoding secret messages. This year, 144 college students participated in that event. The winner was UCF’s Cameron Whitehead, who escaped in 4:30:08. Caleb Gindelberger of Baldwin Wallace University won second place and Chandhi Kanhai of Rochester Institute of Technology won third place in the challenge.
Theel said a new competition, called Command, will be added in 2024. “That one’s going to be set on a task base. So, people will be provided a task, like build out a Windows 2012 server, and then, they’ll have certain specifications that they’ll have to build to,” she explained. “Once they meet those specifications, they’ll be provided a new task.” The intent is to get participants prepared for the CyberForce Competition by ensuring they have a general level of understanding.
To hear the full interview with Theel, which contains more about the competitions, feedback she’s received from participants, details on some of the equipment used, other areas ANL has focused on in past competitions, and more, listen to The POWER Podcast.
—Aaron Larson is POWER’s executive editor (@AaronL_Power, @POWERmagazine).