Cybersecurity competition offers real-world experience
Clemson University has hosted its share of athletic competitions, but Saturday’s GhostRed Capture the Flag event featured a different kind of game. Nearly 60 students from eight universities gathered around laptops in the Hendrix Student Center as teams worked to best each other in a series of cybersecurity tests engineered by General Electric (GE) employees.
“The skills necessary to secure our infrastructure and computing environments were on full display as the students worked as a team to complete many of the challenges,” said Clemson University Chief Information Security Officer Kevin McKenzie. “This event was not your typical computer capture the flag event – students also had to expose and exploit problems in real industrial controls systems in addition to computer systems. It is real world experiences such as environment simulates that provides each member of what it is like to be involved in cybersecurity as a profession.”
Teams of four students each worked through 95 challenges of varying point values, with easier challenges (defining a cybersecurity term, for example) worth fewer points. A live leaderboard updated standings throughout the all-day challenge and Kennesaw State took home first place, with Auburn and Columbus State coming in second and third, respectively. Between competition periods, guests from GE spoke to the group about current security exploits, the future of cybersecurity and the importance of doing proper security in development.
“I thought it was a fantastic event,” said Scott Russo, a GE Senior Analyst who helped design Saturday’s competition. “It was one of our larger events and it was great to see those students knocking down our challenges.”
Clemson student Spencer Provost, a senior studying computer science who has cybersecurity career aspirations, enjoyed trying to beat the security challenges and exploit vulnerabilities.”
“It was great learning experience,” said Provost. “I hadn’t had experience on the ‘red team’ side, so it was a good twist to see how to break in instead of actually trying to defend.”
Student participants like Spencer relied on their teammates’ strengths to progress in the event. GhostRed organizers planned challenges that rewarded a diverse set of skills and forced students to delegate, simulating a real-world environment. Provost said his team featured one student who handled most of the coding, another who worked on high-value challenges and another who took on anything others missed.
Jeff Hahn, who said GE recruits “very heavily” from Clemson, sees the teamwork scenarios at GhostRed play out in his work as a CyberSecurity Manager at GE Grid Solutions in Atlanta.
“We work together and bounce ideas off each other, that’s how new ideas come up,” said Hahn. “What we see in simulations happens the same way in the real world, and that’s what we’re trying to teach—how to be prepared for the real world and make a difference.”
Hahn stressed the importance of the kinds of new industrial control challenges introduced at Saturday’s GhostRed, saying industrial control systems that control utilities like water and power “run the world.”
Russo, who calls himself a “controls whisperer,” designed some of those challenges based on real-life scenarios. One challenge on Saturday featured a login page for a simulated pump station. Once a team bypassed the page, they could construct a message to overload the station and cause it to overfill.
“It’s a thing a lot of people don’t realize,” said Provost, whose team worked on the station challenge. “If you don’t secure those controls, like in the case of a power grid, people can shut down breakers and power lines. It’s important because there’s more technology into everything we do.”
GhostRed began four years ago with the help of founder and GE Digital Program Manager Jesse Clark. Saturday marked the first GhostRed event at Clemson and a group of six to ten engineers revise the game outside of their normal work duties, spending a couple of hours each week to adding new challenges or handling administration duties.
“We want to give back to the community,” said Clark. “We want to fill some of those gaps that we see where it’s a massive jump from the classroom to the real world. We’re trying to rethink the way that technical material is delivered.”
Russo calls designing the GhostRed tests “like an art form” and emphasized that students needed to learn from the challenges, not just beat them. Though the GE staffers trekked from Virginia and Atlanta for the event, the University of South Alabama trekked nearly 450 miles to Clemson, the farthest of the competition’s eight schools. Auburn, who took second place, made the trip to GhostRed with a relatively new team. Jeff Overbey, an assistant professor of computer science and software engineering, advises the group that began last semester and came to Clemson for its first in-person competition. He hopes his team’s strong showing gets others around campus interested, but sees these types of competitions as important for cybersecurity overall.
“You can only do so much in a classroom,” Overbey said. “It’s not just coursework, they can delve deeper into practicing with tools in a real-world setting, and the competitive aspect makes it fun.”