149. DOE Competition Helps College Students Prepare for Cyber Jobs in the Energy Industry
There is growing demand for cybersecurity professionals all around the world. According to the “2023 Official Cybersecurity Jobs Report,” sponsored by eSentire and released by Cybersecurity Ventures, there will be 3.5 million unfilled jobs in the cybersecurity industry through 2025. Furthermore, having these positions open can be costly. The researchers said damages resulting from cybercrime are expected to reach $10.5 trillion by 2025.
In response to the escalating demand for adept cybersecurity professionals in the U.S., the Department of Energy (DOE) has tried to foster a well-equipped energy cybersecurity workforce through a hands-on operational technology cybersecurity competition with real-world challenges. On Nov. 4, the DOE hosted the ninth edition of its CyberForce Competition. The all-day event, led by DOE’s Argonne National Laboratory (ANL), drew 95 teams—with nearly 550 students total—from universities and colleges across the nation. This year the focus was on distributed energy resources including solar panels and wind turbines.
“The CyberForce Competition comes out of the Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response, which is CESER for short,” Amanda Theel, group leader for workforce development at ANL, said as a guest on The POWER Podcast. “Their main goal for this is really to help develop the pipeline of qualified cybersecurity applicants for the energy sector. And I say that meaning, we really dive heavily on the competition and looking at the operational technology side, along with the information technology side.”
Theel said each team gets about six or seven virtual machines (VMs) that they have to harden and defend to the best of their ability. Besides monitoring and protecting the VMs, which include normal business systems such as email and file servers, the teams also have to defend grid operations and other energy resources.
“We have a Red Team that’s constantly trying to either come into the system from your regular attack-defend penetration. We also have a portion of our Red Team that we like to call our ‘assumed breach,’ so we assume that adversary is already in the system,” Theel explained. “The Blue Team, which is what we call our college students, their job is to work to try to get those Red Team members out.” She said they also have what they call “our whack-a-mole,” which are vulnerabilities built into the system for the Blue Team members to identify and patch.
Besides the college students, ANL brings in volunteers—high school students, parents, grandparents, people from the lab, and people from the general public—to test websites and try to pay pretend bills by logging in and out of the simulated systems. Theel said this helps students understand that while security is important, they must also ensure that owners, operators, and end-users can still get in and use the systems as intended. “So, you have to kind of play the balance of that,” she said.
Other distractions are also incorporated into the competition, such as routine meetings and requests from supervisors, for example, to review a forensics file and check the last time a person in question logged into the system. The intention is to overload the teams with tasks so evaluators can see if the most critical items are prioritized and remedied.
For the second year in a row, a team from the University of Central Florida (UCF) won first place in the competition (Figure 1). They received a score of 8,538 out of 10,000. Theel said the scores do vary quite significantly from the top-performing teams to lower-ranked groups. “What we’ve found is obviously teams that have returned year after year already have that—I’ll use the word expectation—of already knowing what to expect in the competition,” explained Theel. “Once they come to year two, we’ve definitely seen massive improvements with teams.”