Top cybersecurity students attack at RIT’s Collegiate Penetration Testing Competition

The world’s greatest collection of cybersecurity talent assembled at Rochester Institute of Technology Jan. 11-14 for the Collegiate Penetration Testing Competition (CPTC) global finals. The annual event wrapped up the largest offense-based cybersecurity competition for college students, which is hosted annually by RIT.

A team of students from Princess Sumaya University for Technology in the country of Jordan took home the top CPTC trophy. Stanford University placed second and University of Massachusetts Amherst placed third.

At the competition, 15 teams used their white hat hacking skills to break into fabricated computer networks, evaluate their weak points, and present plans to better secure them. CPTC helps students build and hone the skills needed for a job in cybersecurity—an industry that has a severe shortage of qualified professionals.

In this year’s scenario, students conducted a pentest for a mock airport, including a special emphasis on people movers and monorails in the facility. The theme sponsor—French mobility technology company Alstom—helped model and develop the competition environment.

Students experienced the challenge of needing to move from one system within the airport to another, including tram operations, flight trackers, mock pilot medical information, and identifying baggage check-in and boarding pass vulnerabilities.

In a “fox hunt” challenge, teams had to locate a source of rouge inference in the building. Every group was given a receiver that they used to find hidden low-power ham radio transmitters. Teams were also given a software-defined radio to analyze protocols for a mock baggage claim system.

“To succeed, teams had to figure out everything in the message from scratch and determine how to send a message to the control systems to trigger it to do things,” said Joe Needleman, a former CPTC competitor who now volunteers on competition’s special projects team. “A lot of teams were able to figure out some of the process, replay messages, and in several cases insert their own confusing messages to the baggage claim systems. I think teams respond positively to actual systems and interactivity. It gets them out from behind a screen and having to problem solve something that isn’t obvious.”

‌

Rocio Slobodzian

For the first time, a team of students from Princess Sumaya University for Technology (PSUT) won the CPTC.

CPTC is unique in that students must work with technical and non-technical clients in a professional manner. Professionalism—along with technical findings, presentations, and reports—play a key role in scoring well. At one point, teams were abruptly tasked with creating a presentation on artificial intelligence applications and a proposal on GPS spoofing.

“The best teams were able to prioritize recommendations and discuss residual risk after they were remediated,” said Justin Pelletier, director of CPTC and director of RIT’s ESL GCI Cyber Range and Training Center. “They also emphasized the discovery of vulnerabilities that could lead to loss of life and were specific about financial impacts, such as fines related to relevant compliance targets.”

Judges and sponsors from the security industry evaluated the performance of the competitors. Students also had the opportunity to meet experts, hand out résumés, and interview with potential employers. Sponsors included IBM Security, Alstom, Maltego, Google Cloud, Alpha Virtual, Battelle, Aventiv Technologies, and Paperclip.

“Events like these are driving the progress being made in the rail cybersecurity industry,” said Nadia Zaari, North America Signaling and Infrastructure Systems Managing Director at Alstom. “We are thrilled about this collaboration with our partners at RIT’s ESL GCI to bring students from universities around the world to face off in a battle of ethical hacking, and to attract such high level of talents to such an impactful career path.”

The competition environment is run through RIT’s ESL Global Cybersecurity Institute (GCI) Cyber Range and Training Center, which is capable of hosting more than 5,000 virtual machines for immersive scenarios.

“What most impressed me was the creativity and innovation demonstrated during the security assessment and penetration test on critical infrastructure," said Eddy Thésée, Vice President of Cybersecurity Products and Solutions at Alstom.

Throughout the fall, more than 400 elite cybersecurity students from 70 schools gathered at regional events across the world. The top 15 collegiate teams from regionals were selected for the weekend-long CPTC global finals. Participating teams included:

• Princess Sumaya University for Technology (Jordan)
• Indiana Institute of Technology
• University of Texas at San Antonio
• University of Central Florida
• United States Military Academy West Point
• Stanford University
• California Polytechnic University, Pomona
• California State University, Fullerton
• Dakota State University
• Fullerton College
• Liberty University
• University of Florida
• University of Massachusetts Amherst
• University of Texas at Austin
• University of Tulsa

CPTC has become the premier offense-based collegiate computing security event, after starting at RIT nine years ago. CPTC is a counterpart to the National Collegiate Cyber Defense Competition (CCDC), which is the premier defense-based event for college students. More information about CPTC is available on the Collegiate Penetration Testing Competition website.