The emergence of COVID-19 in the spring did more than send people home from schools and offices. It had the potential to disrupt capstone projects, even graduation, for some students.
A graduate cybersecurity class at the University of Houston found the answer in a video game. Make that a very sophisticated video game with a serious purpose.
Students earning a Master of Science in cybersecurity in the UH College of Technology complete a capstone project in Information Systems Security Risk Analysis, intended to demonstrate their mastery of SCADA system security – the Supervisory Control and Data Acquisition systems used to control high-level networked systems.
“SCADA systems run everything from stoplights to refineries and mass transit,” said Art Conklin, professor of Computer Information Systems and Information System Security. Students work in the College of Technology’s cybersecurity lab, using real-world equipment and tackling real-world problems as they learn to thwart hackers and other system disruptions in real time.
Enter Clint Bodungen, co-founder, CEO and president of ThreatGEN, a Sugar Land-based startup that provides industrial cybersecurity training.
Conklin, who also is director of the Center for Information Security Research and Education, and Bodungen had known each other for years as members of the national industrial cybersecurity community. Bodungen had been a guest lecturer at UH. As they talked about Hou.Sec.Con, the annual Houston Information Security Conference that was postponed by the pandemic, Conklin mentioned a more immediate problem.
How could he create a realistic capstone project for a class that no longer had access to the college’s sophisticated lab equipment?
Bodungen suggested a cybersecurity simulation game developed by ThreatGEN called Red vs. Blue, focused on industrial cybersecurity, with players taking on the role of both those defending the system and those trying to subvert it.
Conklin was skeptical. “I wanted something real. He said, ‘Let’s try it.’ We did, and it was very real.”
While the game didn’t allow students to physically operate the equipment used by industry, Conklin said it allowed them to problem-solve and react in realistic ways.
Bodungen wasn’t surprised. The game was developed as an engaging way to train people in the nitty gritty of cybersecurity.
“Cybersecurity isn’t a ‘set it and forget it’ thing,” he said. “It’s a real cat-and-mouse chess game.”
In cybersecurity circles, “red vs. blue” is commonly used to describe that game – members of the red team are hackers, while members of the blue team are the good guys. The game is used in ThreatGEN’s work with industrial customers, where the stakes are high.
While cybersecurity at a financial institution or consumer firm is important, the risks at power plants, oil and gas production sites and other industrial sites can literally be life and death, Bodungen said.
The game makes training more fun but also allows it to be done remotely and with larger groups.
For Conklin’s class, it provided an exciting, if socially distanced, replacement for the traditional final presentations. “Instead, we had a tournament of champions,” Conklin said. “Everyone spent time both as the attacker and as the defender. It wasn’t about scoring the most points. It was about doing the most.”
Playing both roles helps participants learn to adjust strategies on the fly – hackers don’t do just one thing, changing tactics in ongoing efforts to beat a company’s defenses.
In the end, Conklin said, ThreatGEN’s game became more than a crunch-time solution.
“It will become a major part of our curriculum going forward,” he said. “The whole problem-solving aspect is difficult to simulate in class. This game allows us to do that.”