Industry, both the OEMs and the supplier community, government engineers and managers, college students, academic researchers, and hackers.
Yes. There are many ways to use the term “hackers”, and not all of them are the “bad guys”. As a society we use researchers and ethical hackers to evaluate banks, hospitals, government organizations, large corporations, the power grid, and almost everything else. In today’s world it is increasingly difficult to find any “thing” that doesn’t have communications with something else and which doesn’t have a computer in it. It is normal to have specialists who review the security of systems and components look at this system, too. Here at the CyberBoat Challenge we used ethical hackers from major companies, and some who are well known within academia, to provide the perspective and model the actions that a “bad guy” hacker would take when faced with assessing the systems.
Succinctly, no. Code evaluations and security evaluations are now mainstream in most industries. We have NDAs and legal protection in place, and all the “hackers” are from professional security firms with significant experience and who are accustomed to providing confidentiality regarding their work. Should anything be found, it would be protected information and would go to the equipment manufacturer who could then take appropriate action with respect to patching or development cycle changes.
Now is the perfect time to do this. Now gives us a chance to address the immense technological changes coming to the industry and proactively plan for how to implement them and secure them. We think it is best to look down the road and be ready for changes rather than responding to them. By helping develop the next generation workforce – running this event for college students – and talking about real and intended technological changes we are creating the underlying capability to do something about potential future vulnerabilities. We believe this is a much better approach than waiting until an urgent response is needed for an unplanned and possibly surprising event.
There are several classes over a two-day period, including hardware reverse engineering, software reverse engineering, systems reverse engineering, component analysis, fundamentals of bus or other on-board network architecture and communications, fundamentals of the communications protocols used by these systems, and then some shorter demos and classes. We also spend time up front and at the course conclusion talking about the NDA and their legal, ethical, and moral responsibilities. After the two days of classes, we have a one-day guided assessment exercise in which the teams get to know the system they are assigned. Following the initial event, some students will be invited to participate in an assessment of a larger craft, a ship. Details on this second-level assessment will be provided to selectees.
It is intended to introduce how an attacker thinks and acts. Hackers tend to think differently than developers. Developers tend to ask themselves “how can I make this work?” Hackers tend to ask themselves “how can I break this?” or “how can I make this perform in an unintended way?” This means the minds engaged in cybersecurity tend to look at the world differently, and function differently, from standard developers. There is real value to industry in this approach and in making it accessible. Think of a football team: if you only practice defense, you might not understand how the offense will work and you might not cover the same spots on the field as you would if you had skirmishes with an offensive line (and the converse is also true). This provides a different point of view to consider during the development and life-cycle maintenance activities.
Teams are composed of college students, industry professionals (primarily engineers from OEMs and suppliers, but perhaps an occasional technical manager, too), technicians, government (both engineers and some technical managers), and hackers.
It is modeled after and designed by the same people who founded the CyberAuto Challenge (www.cyberauto-challenge.org), CyberTractor Challenge (www.cybertractorchallenge.org), CyberMedical Challenge (https://www.cybermedicalchallenge.org) and the CyberTruck Challenge (www.cybertruckchallenge.org), which are strongly supported by their respective industries as an educational and recruitment asset.