DOE hosting simulated cyberattack for students

Office of Cybersecurity, Energy Security, and Emergency Response hosting a competition scenario “focused on hardening and defending a distributed energy resources management company,” DOE official says.
Energy Secretary Jennifer Granholm holds a news conference at the DOE headquarters in Washington, D.C., on Dec. 13, 2022. (Photo by Chip Somodevilla/Getty Images)

More than 100 teams of students from around the country on Saturday are taking on the role of an energy company defending itself from cyberattacks, part of a broader effort to keep up with quickly changing workforce needs.

The Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) and the Argonne National Laboratory are hosting the ninth CyberForce Competition. The exercise will put students in the role of managing a quickly growing market in distributed energy resources (DER), small-scale energy resources such as rooftop solar panels or electric vehicle chargers, where electricity is generated close to where it is used.

“This year’s competition scenario is focused on hardening and defending a distributed energy resources management company,” said Mara Winn, deputy director of preparedness, policy, and risk analysis at CESER. “Students will be playing the technical role in a DER management company that is responsible for communications between the local customer and the energy provider.”

DERs are a keystone in the Biden administration’s effort to transition the nation’s power grid to clean energy, and billions of dollars have been invested into the technology. Last month, the administration announced a $3.5 billion investment into clean energy systems — the largest ever, according to DOE Secretary Jennifer Granholm — in an effort to improve the resiliency of technology like DERs, among others.

“We know that there are about 90 gigawatts of distributed energy resources installed in the U.S. today, half of which are rooftop solar, which is over 3 million systems. But by 2025, it’s predicted to quadruple to approximately 380 gigawatts,” Winn said. A single gigawatt would power roughly 100 million LED light bulbs, according to DOE.

The competition, which started in 2016, is aimed at giving students a hands-on, worst-case scenario that some might face in the coming years. “These scenarios are done to represent the real world, but also make sure that students can see themselves working on a day-to-day basis in this world,” Winn said.

Reports from the Office of the Director of National Intelligence have pointed to threats posed by both China and Russia against critical infrastructure like the energy sector. The Biden administration has also made securing the clean energy transition a priority in the National Cybersecurity Strategy, which calls for the new tech to be developed secure-by-design using the cyber-informed engineering strategy developed by DOE.

DOE released a report on threats to DERs in 2022 that noted a key challenge to protecting these types of technologies: utilities often don’t operate them. Many players in the broader DER industry are not a part of the “historical partnerships” and might not have the muscle memory for ensuring vital services are resilient. The report said that “responsibility needs to be established for this emerging industry.”

The concern is whether, while these new types of technologies are being developed and deployed, new DER players are also able to tackle the complex challenges of protecting critical networks from cyberattacks, particularly as they become increasingly embedded into the electric grid. These digitally native systems also create new vectors of attack if not properly defended.

“They might see themselves as a small entity, but they’re an access point now integrated into this greater energy system,” Winn said.

The CyberForce competition is different from most capture the flags, where usually the most technically adept team wins. Instead, the students on the blue team are scored not only on how many attacks they repel, but also on the usability of the system facing attacks by the red team. For example, can a user still check their electric bill during the middle of an attack?

“The student teams must integrate, maintain and secure their internal management systems and industrial control systems for their customers while providing seamless energy buyback and credit systems for the local grid company,” Winn said. “This is real, right? This is exactly what we need people doing on a day-to-day basis.”

Workforce concerns are not limited to the energy sector; the cyber workforce writ large is facing gaps in the demand versus the available supply. The Office of the National Cyber Director also recently rolled out a workforce strategy in response to the issue.

“We know that energy infrastructure in this country is moving towards a significant increase in the number of distributed energy resources,” Winn said. “We want to make sure that they’re designing [security] in. We also want to make sure that they have access to the workforce that can do that work, right? So that’s where CyberForce comes into play.”

Written by Christian Vasquez

Christian covers industrial cybersecurity for CyberScoop News. He previously wrote for E&E News at POLITICO covering cybersecurity in the energy sector. Reach out:  christian.vasquez at cyberscoop dot com
