The CyberForce Competition® will be held on November 3-4, 2023.
According to a 2022 study by (ISC)2, the United States reported a shortage of 410,695 cybersecurity professionals, and with the ever-increasing amount of information placed on the internet, security is a high priority. The Department of Energy (DOE) leverages the technical expertise of its national laboratories to develop unique scenarios and facilitate participation by students from across the United States. Currently in its ninth iteration, the CyberForce Competition works to increase 1) hands-on cyber education to college students and professionals, 2) awareness of the nexus between critical infrastructure and cybersecurity, and 3) basic understanding of cybersecurity within a real world scenario.
Utilizing critical infrastructure focused scenarios, DOE’s CyberForce Competition adds realistic components to make the competition stand out. This includes virtual cyber-physical infrastructure, lifelike anomalies and constraints, and actual users of the systems. Additionally, DOE’s CyberForce Competition looks to help participants and volunteers increase their knowledge and understanding of cyber-physical threats, vulnerabilities, and consequences. Moreover, the competition provides students a hands-on security approach to their infrastructure from their servers and virtual machines to the virtual cyber-physical devices they protect. Participants also have to balance security with usability; scores of participants include a user’s ability to continue normal work operations.
ENERGY SECTOR FOCUSED
Competition scenarios have an energy focus. Previous scenarios have focused on power distributors and water and power delivery systems. The 2023 CyberForce Competition scenario will focus on distributed energy resources (DERs). Additionally, the scenarios look at real-world constraints and lifelike anomalies to include no budget for maintenance or upkeep, deficiency in understanding the system’s needs, website defacement, business meetings, and lack of permission controls.
Unique to DOE’s competition, a virtual cyber-physical device is provided to allow the participants a real-world understanding of the implications for defending critical infrastructure. When a power distributor’s cyber infrastructure is compromised the participants may see the light bulb go out to the water pump stop, indicating there is no power or water being distributed.
The competition encourages unique defense strategies and techniques in safeguarding the cyber assets. Participants are scored on their “out-of-the-box” and innovative ideas and defenses. These unique defenses stem from the real-world constraints provided in the scenario such as no budget. Participants develop a working defense utilizing zero dollars and ensuring that the system’s intended purpose is not deprecated.
Most cyber defense competitions do not take into account usability of the system. The CyberForce Competition not only adds this element in, but also scores this element as part of the overarching competition. Participants must balance the added security of the system with usability of the system. If the users are unable to navigate the system or unable to complete basic tasks within the system, the participant’s usability score will decrease each hour the users are unable to navigate. Also, the participants have the added layer of interacting with the users and working through real-world issues and requests made by the users on top of actively defending the networks.
The DOE CyberForce Competition emphasizes that not only is security of the system very important, so is the usability of the system. Blue Team members must take into account that while their main role is to secure their systems, their users must also be able to complete work in a normal work setting. The figure below highlights how communication flows throughout the competition.