The last thing that Joe Needleman expected at a cyber security competition was for the showdown to get shut down because of a real-life hacker.
Needleman and Nate Hom represented a team of Cal Poly Pomona students at the inaugural Passcode Cup hacking competition in Washington, D.C. The Passcode Cup aims to diversify and train the next generation of cybersecurity professionals, and also offers networking opportunities for students and a recruitment venue for industry leaders.
Ironically, as Needleman and Hom were setting up a device they built for the competition, a major denial of service attack shut down the server that provides internet access to a wide swath of the East Coast. It wasn’t just the Cal Poly Pomona builders who were affected. The likes of Amazon, Reddit, Netflix and PayPal also were shut out.
“It was no joke. We felt it. We were trying to get things set up to play and the internet wasn’t working. We couldn’t resolve anything, we couldn’t do anything. It wasn’t until hours later when we realized that there’s an attack going on live,” says Needleman, a fifth-year senior studying computer science. “We re-did some things to make it so that we didn’t rely on the internet as much and things were working a little better. It was still a crazy day.”
Passcode usually hosts speakers and panel discussions about the latest threats in cybersecurity, but the Oct. 21 event was the first to incorporate a hands-on component. The five-member Cal Poly Pomona team helped build the physical infrastructure for the competition, and security researchers from Uber devised the capture-the-flag cyber challenges. The project would become a symbol of the university’s learn-by-doing ethos and help elevate the reputation of Cal Poly Pomona in the cybersecurity sector.
“The students built the infrastructure for Passcode’s first capture-the-flag competition. This was the first time out for Passcode and what we wanted to do with our partner was to have something that broke new ground,” says Dan Manson, chair of the Department of Computer Information Systems in the College of Business Administration. “I know our kids like to play, but now I’m starting to see that our kids can build for competitions.”
Building the System
Last June, Manson was introduced to David Grant, the director of content strategy for the Christian Science Monitor. Grant wanted a hands-on component for Passcode’s policy discussions and Manson offered to help make it happen.
Passcode provided the budget for the components and also paid the travel expenses of Manson, Needleman and Hom.
In early September, the Cal Poly Pomona team began constructing a device composed of large plastic tubs, aquarium filters and PVC pipes that replicated the functions of a water-treatment facility. The team wrote 5,000 lines of code in a month to program the sensors and other software inside the device.
Each team member was assigned tasks as the mid-October deadline neared. Needleman was the team lead and worked on the power controllers, network, computers and sensors. Hom, who is studying computer information systems, said he also worked on the sensors in addition to assembling the hardware, making calibrations and “doing a lot of soldering.” Jose Ybanez, who is on track to graduate in June in computer information systems, worked on the controls for the replica plant and the web interface. Raissa Engelhard, who also is studying computer information systems, worked on the design elements of the plant to make it look more realistic. David Zero (’16, computer science) devised additional challenges to hinder would-be hackers.
“Programming alone, I couldn’t tell you how many hours I spent. Lots of late nights,” Hom says. “I’ve tinkered with electronics before in labs and doing robotics but I’ve never set something up and networked them all together so they can all talk to a database and talk to them through the internet.”
At the competition, 13 teams consisting of three or four hackers from colleges and universities, including the University of Virginia and Carnegie Mellon University, probed the water-treatment plant’s computer system for vulnerabilities that hackers could exploit to disrupt operations. A team of professionals from the Tenable Security Network also tried to bring down the system.
For four hours, Needleman and Hom scrambled to keep the water-treatment plant running while fending off wave after wave of attacks against vital systems. One team managed to overwhelm the power-control system and forced the plant to shut down. Another group infiltrated the system that controls water levels and nearly flooded one tank. Yet another team caused mayhem by using a “scorched earth” tactic after gaining entry and wiped out user accounts and passwords.
The destruction wielded on the simulated water-treatment plant was an example of what could happen to crucial infrastructure. The Cal Poly Pomona team learned a valuable lesson by being on the other end of a hack.
“In reality, what is important about being able to defend is to really get into the head of the adversary. People don’t just attack straight on, they move laterally, they move in all directions,” says Susan Wilson, chief of cyber solutions at Northrop Grumman, one of the event’s sponsors. “The better skills you have in hacking and being able to get into that mode, the easier it is to think like an attacker and defend against it.”
Addressing Future Threats
Before the competition started, Phyllis Schneck, the top cybersecurity official in the U.S. Department of Homeland Security, addressed the participants and highlighted the importance of bringing people skilled in cybersecurity into the government. That resonated with Needleman.
“I’ve always had a lot of respect for the people who do infrastructure security and try to make sure these things stay safe. I have more respect now, if anything,” Needleman says. “Every day they are making sure hackers don’t break into a water-treatment plant or a nuclear reactor or anything like that.”
Hom said that the Passcode event made him more aware of the increasing threats looming in cyberspace.
“Knowing what’s out there and actually being involved with the industry has motivated me to listen to more cybersecurity podcasts,” Hom says. “Forget about peeling your eyelids open, it’s ripped them off completely. This is interesting, this is huge.”
In addition to building a device for a prestigious event, Manson said that getting the word out about Cal Poly Pomona’s prowess in cybersecurity was invaluable.
“This raises the stature of Cal Poly Pomona. I think this gives us great visibility and credibility,” Manson says. “It’s something that makes us not a well-kept secret.”
For videos from the Passcode Cup, go to https://passcode.csmonitor.com/passcodecup