Today @ Colorado State has been replaced by SOURCE. This site exists as an archive of Today @ Colorado State stories between January 1, 2009 and September 8, 2014.

Research / Discovery

CSU students incorporate cyber threats into game

August 26, 2014
Kortny Rolston

Members of Colorado State University's Hashdump security club added cyberattacks to the Grid Game to make it more realistic.

Hector Robles Campos was operating his microgrid, sending electricity to customers and buying and selling power to other “utilities,” when the first security alert flashed. The Little Guy virus was in his system.

A few days before, a co-worker had borrowed Campos’ computer to print a report and then downloaded an offer for 1,000 free smileys – and Little Guy with it. Luckily, his antivirus software eradicated it.

Photo caption: A CSU student reads a book while he waits for the second half of the Grid Game to start.

But that was only the beginning for the University of Colorado-Denver student.

Three more viruses

Over the next 15 minutes, Campos was hit by three more viruses: Big Guy, which stole his account number and transferred profits to a Swiss bank; Blue Frog, which disabled his automated control system and forced him to run his microgrid manually while also wiping his operating system; and finally Gluxnet, which was implanted by a jealous competitor.

All the while, taunting messages like “RESISTANCE IS FUTILE” and “FINAL RESILIENCE. CANNOT PERSIST. FLEE.” appeared on his screen.

Campos fended off the cyber attacks long enough to win the inaugural Grid Game competition, which debuted at the recent Resilience Week 2014 conference in Denver.

“It was hard to keep everything running, make money and avoid the attacks,” he said. “And I kept getting messages telling me to flee. It was crazy and intense.”

It was the response students in Colorado State University’s Hashdump security club hoped for when they began designing the cybersecurity elements of the game.

Changing the game

The Grid Game was developed by Tim McJunkin, an Idaho National Laboratory researcher, for a college course on resilient control systems. He wanted to give his engineering students a sense of how the nation’s electric grid operates.

“Keeping electricity flowing to customers can be complicated,” he said. “Utilities deal with a lot of variables. Demand for power can fluctuate minute to minute. I wanted students to experience what it’s like to work in that area.”

Photo caption: CSU students were asked to add realistic cyber threats to the Grid Game.

McJunkin originally designed the game as a simulation that taught students to operate a control system, keep power flowing and balance demand with supply. At the urging of colleagues, he decided to expand it into a multi-player game in which participants could buy and sell power, add new generating plants and customers, and defend their microgrids from computer-based attacks.

“We needed to add those features to make it more realistic,” he said.

McJunkin turned to Indrajit Ray, a professor of computer science at CSU, to help.

“Indrajit is very familiar with the electric grid and how it functions and what the vulnerabilities are,” he said. “He also works with the Hashdump security club and I knew they could help with the cyber security component of the game.”

(The University of Denver, the Idaho Regional Optical Network and Craig Rieger, Resilience Week chairman, also supported the Grid Game demonstration.)

Why cyber threats?

Cyber attacks are a real and growing threat to the nation’s electric grid and other critical infrastructures such as transportation.

Hackers have devised worms and viruses to cripple the control systems used to operate power plants, distribution lines and other critical elements of the electric grid. Such attacks disrupt the flow of electricity to consumers.

A few years ago, a worm known as Stuxnet crippled an Iranian nuclear facility. It infiltrated the Programmable Logic Controllers used to automate certain tasks like maintaining temperature and pressure levels and disrupted the plant’s nuclear centrifuges, which enrich uranium, without alerting the control room.

Gluxnet, one of the viruses inflicted on Campos, was modeled after Stuxnet.

Devising scenarios

Members of the Hashdump club participate in and organize numerous competitions each year designed to promote a better understanding of computer security. When Ray approached members about the project, they immediately accepted.

Photo caption: CSU students donned costumes to mock the perception that all hackers are criminals.

“The game sounded interesting and we had a chance to make it more realistic,” said Joseph Arnett, a CSU student and Hashdump member.

The students spent the summer programming the Grid Game into a multi-player competition and devising attack scenarios.

They had six viruses and humorous back stories (like the co-worker who downloaded smileys) for each. The bugs ranged from Little Guy, which caused minor computer malfunctions, to Gluxnet and Blue Frog, which disabled equipment and systems.

They also compiled a list of taunts.

How the game is played

The Grid Game is divided into two 15-minute halves. During the first half, players operate their grid, add customers and buy and sell power to make money.

During the second, they do all that -- and defend against computer-based attacks. The player with the most money at the end wins.

Preparing to attack

On Aug. 19, the CSU students set up just a few feet from the Grid Game players, waiting for the second half – the hacker round – to start.

Arnett and his CSU teammates, Caleb Begly and Pierce Douglas, donned menacing costumes to, as they say, mock the perception that all hackers are criminals.

(A hacker is someone who exploits weaknesses in a computer system or network. Those who do it for malicious reasons or personal gain are “black hats.” Those who do it to help designers fix them are “white hats.”)

Then, the team launched the attacks. They targeted players who eschewed antivirus software and computer security, sending them messages like “So you thought you foiled me? You used the cheapo antivirus and look where it got you. Precious. – The Hackers.”

As soon as a player recovered from one bug, the team sent another.

By the end, only Campos and a few other players still had money in the bank.

Begley said they concocted the messages, costumes and scenarios to make the game more intense, add entertainment and, most importantly, prod players to take security seriously.

To the players, the team’s antics were fun and kept them alert.

“I wish this would have been around when I was an undergraduate,” said Campos, who is earning his doctorate in electrical engineering. “It gives you a sense of what (the grid) is like.”