The Department of Energy’s CyberForce is an annual red/blue team competition hosted by a coalition of national laboratories, government organizations, and industry sponsors. The fourth annual competition was held online on the weekend of November 14th and focused on defending cyber-physical energy infrastructure while simulating realistic utilities, users, anomalies, and constraints.
Over 180 blue team members were responsible for patching, maintaining, and recovering vulnerable infrastructure, while red team volunteers actively exploited these vulnerabilities to disrupt operations. The CyberForce competition also added a green team — volunteers that simulate users and verify the uptime and accessibility of business applications — and a CISO panel to give blue teams experience interacting with users and reporting to information security managers for additional points. The white team oversees the players and infrastructure to keep the competition running smoothly.
CyberForce is heavily focused on energy, IoT, and embedded devices, as these technologies are the specialty of many national laboratories. Past competitors have secured distribution infrastructure for power and water generation. More importantly, they have seen the direct effects of attacks on cyber-physical infrastructure: integrated lightbulbs or water pumps assigned to the blue teams have behaved erratically or stopped functioning entirely as a result of red team actions.
Throughout the competition, blue teams also encounter unique challenges. Their budget may not exist at the start or may be cut mid-competition, requiring teams to negotiate with the CISO panel while still defending their infrastructure from the red team. User or policy changes may require them to deploy new technologies or access methods, each of which adds attack surface. Further, participants need to keep their systems accessible to the simulated users with every change they make, since accessibility is scored alongside security.
WindFarm Local is a subsidiary of WindFarm Corporation, a sustainable energy company located in Oklahoma and responsible for generating 20,000 megawatts of wind turbine power. Local does not have any dedicated cybersecurity staff or infrastructure, nor any budget for these types of expenses. They are running their infrastructure on free Windows and Linux instances located in Microsoft’s Azure Cloud platform.
Blue team members are recently-hired security engineers tasked with analyzing and correcting some abnormal network activities, including unresponsive devices, lag time, and communication issues with the human-machine interface (HMI) that controls the turbines.
This event was my first time being on a red team, the attacking side of competitions. CyberForce’s red team lead, Kandy Phan of Sandia National Laboratories, did an excellent job preparing new members for the job with a detailed playbook, teams, and mentoring. While my assignment was to attack and score two blue teams, I was also able to observe other blue and red teams' actions. I noticed that many blue teams made mistakes that I also made during my first few competitions as a blue teamer.
Unfortunately, I can’t share many details about the red team plays, but I will try to provide enough information for my experience to be useful to future blue teamers.
Blue teams focused only on fixing the problems they discovered in their infrastructure, not on resolving the vulnerabilities that allowed our entry in the first place.
The HMI for the wind turbines was reachable directly from the competition's simulated internet, so we could log in and shut the turbines down exactly as a blue teamer would. Most of the time, the blue teams simply turned them back on without investigating why they had stopped. Had they been logging or inspecting the network traffic reaching the HMI, they would have seen our connections arriving from outside, and could have restricted access to their internal network only.
Blue teams did not communicate with the red team.
Some teams went for hours without communicating with us. The point of any red/blue competition is to help the blue teams (and new red teamers like me) learn. If you talk with us when you are stuck and explain the methods you have tried to restore services or correct problems, we can provide hints on what indicators to look for or which tools to use to correct the problem.
Blue teams didn’t read logs.
The competition infrastructure didn’t provide any defenses or monitoring tools beyond those installed or enabled by default, so start with what is already there (authentication logs, system logs, and firewall logs) and add network and host monitoring tools such as Snort and OSSEC early. As another red teamer put it, “It’s tough to get around Snort and people that know how to read logs.”
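As an added example (not from the competition playbook or the author), the script below ties the two points above together for an HMI running on a Linux host: a host firewall that admits only the internal subnet to the HMI port and logs everything else, plus a function that summarizes the resulting kernel log lines so you can see who has been knocking. The HMI port (TCP/502, Modbus), the internal subnet (10.0.0.0/24), and the log lines used to exercise it are assumptions; override the environment variables to match your own infrastructure.

```shell
#!/bin/sh
# Added example, not part of the CyberForce playbook. Restricts a Linux-hosted
# HMI port to the internal network with iptables, logs everything else, and
# summarizes the resulting kernel log lines by source address.
# Hypothetical values: HMI listening on TCP/502 (Modbus), internal network
# 10.0.0.0/24. Override with environment variables if yours differ.
set -eu

HMI_PORT="${HMI_PORT:-502}"
INTERNAL_NET="${INTERNAL_NET:-10.0.0.0/24}"
LOG_PREFIX="HMI-DROP "

# Emit the iptables commands: accept the internal subnet, log (rate-limited,
# so an attacker cannot flood the disk) and then drop anything else aimed at
# the HMI port. Printed for review by default; executed with --apply.
hmi_firewall_rules() {
    cat <<EOF
iptables -A INPUT -p tcp --dport $HMI_PORT -s $INTERNAL_NET -j ACCEPT
iptables -A INPUT -p tcp --dport $HMI_PORT -m limit --limit 10/min -j LOG --log-prefix "$LOG_PREFIX"
iptables -A INPUT -p tcp --dport $HMI_PORT -j DROP
EOF
}

# Read netfilter LOG lines (e.g. from /var/log/kern.log or journalctl -k),
# keep those carrying our prefix, and print "source count" sorted by count,
# highest first. This is the list of hosts probing the HMI from outside.
summarize_hmi_drops() {
    grep -F "$LOG_PREFIX" "$1" \
        | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $2, $1 }'
}

case "${1:-}" in
    --apply)
        [ "$(id -u)" -eq 0 ] || { echo "run as root to apply rules" >&2; exit 1; }
        hmi_firewall_rules | sh -e
        ;;
    --summarize)
        summarize_hmi_drops "${2:?usage: $0 --summarize LOGFILE}"
        ;;
    *)
        echo "# rules that would be applied (re-run with --apply as root):"
        hmi_firewall_rules
        ;;
esac
```

Run it once with no arguments to review the rules, then `sudo sh hmi-firewall.sh --apply`; afterwards `sh hmi-firewall.sh --summarize /var/log/kern.log` gives the external sources that tried to reach the HMI. Keep the existing allow rules for your management access in place before adding a DROP, and remember that the log line tells you what was blocked, not what got in earlier: check the HMI's own session history for logins that predate the rule.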
Blue teams did not change the default passwords.
All blue teamers should assume that the red team already knows the initial password on every box. New passwords should be strong (as described in NIST SP 800-63B) and not appear in any standard wordlist. It is often worthwhile to write and stage a script in advance that changes the passwords for all user accounts on a box within the first 5 minutes of the competition. Host this script and any other tools on a file server that does not require a login: any personal credentials you type into a competition box that the red team may already control become part of the competition.
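The kind of staged script the paragraph above has in mind, as an added example that is not from the competition or the author, for the Linux boxes: it enumerates every login-capable account, gives each a fresh random password, applies the change with chpasswd(8), and records the new credentials in a root-only file so the team can still log in. The default credential file path and password length are assumptions.

```shell
#!/bin/sh
# Added example, not part of the CyberForce playbook: rotate the passwords of
# every login-capable account on a Linux box. Passwords come from
# /dev/urandom and are written, chpasswd(8)-style, to a root-only file so the
# team can look them up. Run as root with --apply; without it, only lists the
# accounts that would be rotated. CREDS_FILE and PASSWORD_LENGTH are
# hypothetical defaults you can override.
set -eu

PASSWORD_LENGTH="${PASSWORD_LENGTH:-24}"
CREDS_FILE="${CREDS_FILE:-/root/rotated-credentials.txt}"

# One random password using only letters and digits: 24 such characters give
# about 143 bits of entropy, far beyond any wordlist, and paste cleanly into
# any login prompt or RDP client.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$PASSWORD_LENGTH"
}

# Login-capable accounts from a passwd(5) file: root and ordinary users
# (uid >= 1000) whose shell is not nologin/false. Service accounts are left
# alone so that daemons keep running.
list_login_users() {
    awk -F: '($3 == 0 || $3 >= 1000) && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# chpasswd(8) input, one "user:password" line per account.
build_chpasswd_input() {
    list_login_users "$1" | while IFS= read -r user; do
        printf '%s:%s\n' "$user" "$(gen_password)"
    done
}

if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root to change passwords" >&2; exit 1; }
    umask 077   # credentials file is created readable by root only
    build_chpasswd_input /etc/passwd >"$CREDS_FILE"
    chpasswd <"$CREDS_FILE"
    echo "rotated $(wc -l <"$CREDS_FILE") accounts; new credentials in $CREDS_FILE"
else
    echo "dry run: these accounts would be rotated (re-run with --apply as root):"
    list_login_users /etc/passwd
fi
```

Run the dry run first to confirm the account list, then `sudo sh rotate-passwords.sh --apply` and copy the credentials file somewhere the team can reach. On the Windows boxes the same idea is a PowerShell loop over `Get-LocalUser` with `Set-LocalUser -Password`. Rotating passwords does not evict a red team that has already planted SSH keys, cron jobs, or other persistence, so review `~/.ssh/authorized_keys` and scheduled tasks in the same first few minutes.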
Focus on the points, not on obliterating the red team at every opportunity.
The competition infrastructure is only useful to blue teams when they use it to learn and score points. Don’t spend time trying to fix services that aren’t scored or focus on unrelated services when there is a scored service down and an active challenge available to bring it back up in exchange for points.
The point of the competition isn’t to remove the red team altogether. The red team leads helped design the infrastructure to be intentionally vulnerable. There are so many holes in it that it’s unlikely a blue team will find and patch all of them, and we almost always have a way back into any of the systems regardless of blue team actions (short of disconnecting from the network entirely). The best approach is to keep scored services running and follow the incident response (IR) instructions during a red team play to earn the most points.
Manage your time wisely.
The rapid pace of red team actions means there is a lot to do during the competition. This year’s CyberForce was also run as an individual competition, with each competitor defending alone rather than as part of a team, which differs from previous years. As such, we worked to make the workload a bit more manageable, but blue teams still need to do their part.
Prioritize the applications and services that have high value and those with which you are familiar. Don’t spend too long on any one red team challenge or broken service if you aren’t making any progress. Ask for help when needed. Above all, make sure you come away with some new experience. It is sometimes hard to remember that the point of all this is to learn when the infrastructure is burning and services are down, but doing so ensures you will be more successful in future competitions.
My next opportunity
I’m still a blue teamer at heart, but having the opportunity to be on the red team for a few days was an exciting experience. I appreciated the organizers' detailed plays and my teammates' guidance when attacking and assessing the blue teams’ infrastructure. The competition’s unique cyber-physical integration provides a great learning opportunity, and I can’t wait to take a more active role in helping with it next year.