Summary
The Department of Energy (DOE) leverages the technical expertise of its national laboratories to develop unique scenarios and facilitate participation by students from across the United States. Currently in its tenth iteration, the CyberForce Competition works to increase 1) hands-on cyber education to college students and professionals, 2) awareness of the nexus between critical infrastructure and cybersecurity, and 3) basic understanding of cybersecurity within a real-world scenario.
Uniqueness
Utilizing critical infrastructure focused scenarios, DOE’s CyberForce Competition adds realistic components to make the competition stand out. This includes virtual cyber-physical infrastructure, life-like anomalies and constraints, and actual end users of the systems. Additionally, DOE’s CyberForce Competition looks to help participants and volunteers increase their knowledge and understanding of cyber-physical threats, vulnerabilities, and consequences. Moreover, the competition provides students a hands-on security approach to their infrastructure from their servers and virtual machines to the virtual cyber-physical devices they protect. Participants also have to balance security with usability; scores of participants include a user’s ability to continue normal work operations.
ENERGY SECTOR FOCUSED
Competition scenarios have an energy focus. Previous scenarios have focused on power distributors and water and power delivery systems. The 2024 CyberForce Competition scenario will focus on wind energy generation that follow through a dependency chain. Additionally, the scenarios look at real-world constraints and life-like anomalies to include no budget for maintenance or upkeep, deficiency in understanding the system’s needs, website defacement, business meetings, and lack of permission controls.
CYBER-PHYSICAL INFRASTRUCTURE
Unique to DOE’s competition, a virtual cyber-physical device is provided to allow the participants a real-world understanding of the implications for defending critical infrastructure. When a power distributor’s cyber infrastructure is compromised the participants may see the light bulb go out to the water pump stop, indicating there is no power or water being distributed.
UNIQUE DEFENSES
The competition encourages unique defense strategies and techniques in safeguarding the cyber assets. Participants are scored on their “out-of-the-box” and innovative ideas and defenses. These unique defenses stem from the real-world constraints provided in the scenario such as no budget. Participants develop a working defense utilizing zero dollars and ensuring that the system’s intended purpose is not deprecated.
USABILITY
Most cyber defense competitions do not take into account usability of the system. The CyberForce Competition not only adds this element in, but also scores this element as part of the overarching competition. Participants must balance the added security of the system with usability of the system. If the users are unable to navigate the system or unable to complete basic tasks within the system, the participant’s usability score will decrease each hour the users are unable to navigate. Also, the participants have the added layer of interacting with the users and working through real-world issues and requests made by the users on top of actively defending the networks.
Competition Structure
The DOE CyberForce Competition emphasizes that not only is security of the system very important, so is the usability of the system. Blue Team members must take into account that while their main role is to secure their systems, their users must also be able to complete work in a normal work setting. The figure below highlights how communication flows throughout the competition.