Industrial Cybersecurity expert Clint Bodungen returns to the Pipeliners Podcast to discuss an important trend for pipeline safety and training: the gamification of cybersecurity.

In this episode, you will learn about Clint’s new product designed to enhance the training capabilities in pipeline operations and other relevant industries. Russel and Clint will walk through pipeline incidents and events in a simulated environment to get an idea of this futuristic technology that is designed to help prevent future incidents.

This episode is an insightful and compelling resource for control room team training, pipeline security threat awareness, and even for gamers who want to know about the latest technology using virtual reality (VR).

Gamification of Cybersecurity: Show Notes, Links, and Insider Terms

• Clint Bodungen is an ICS cybersecurity guru, the author of “Hacking Exposed: Industrial Control Systems,” and he teaches at the Gas Certification Institute (GCI). Connect with Clint on LinkedIn.
• ThreatGEN is a virtual reality (VR) industrial cyber-physical range for physical threat response training, process improvement, and team events.
  • ThreatGEN Red vs. Blue is an online multiplayer training platform version of ThreatGEN.
• Gamification is a method of using video game environments or gaming principles to simulate real-life events for training or education purposes.
• Kill chain is a defense mechanism used in cybersecurity practice to preempt the action taken by a hacker or intruder.
• Hacker Evolution is a hacking simulation game where the user plays the role of a former intelligence agent who specializes in computer security.
• Counter-Strike is a first-person shooter video game that is built around team concepts to fight terrorists in a simulated war environment.
• Modern Warfare is a video game series within the Call of Duty franchise that simulates team-based military combat against various enemies.
• S4 ‘18 was an ICS cybersecurity conference held in January 2018 in Miami. The event covered the latest cybersecurity issues, technology, and strategies in the industry.
• In the context of computer programming, API is Application Programming Interface. This refers to the set of definitions, protocols, and tools to build application software used for computer platforms and other devices.
• Unity 3D is a popular gaming engine used to build 3D and 2D games for mobile, desktop, VR, and web platforms.
• PLCs (Programmable Logic Controllers) are field devices used in the pipeline industry to automate control in the field.
• U.S. Airways pilots Chesley “Sully” Sullenberger and Jeffrey Skiles successfully landed a disabled plane on the Hudson River in New York on January 15, 2009. The story was eventually turned into the 2016 movie, “Sully: Miracle on the Hudson.”

Gamification of Cybersecurity: Full Episode Transcript

Announcer:  Welcome to the “Pipeliners Podcast,” Episode 22.

[music]

Announcer:  The Pipeliners Podcast, where professionals, Bubba geeks, and industry insiders share their knowledge and experience about technology, projects, and pipeline operations.

And now, your host, Russel Treat.

Russel Treat:  Thanks for listening to the Pipeliners Podcast. We appreciate you taking the time. And to show that appreciation, we’re giving away a customized YETI tumbler to one listener each episode. This week, our winner is Jake Jan, a project engineer with Atmos International.

Jake, your YETI is in the mail. To learn how you can win this signature prize pack, stick around for the announcement at the end of the episode. This week, we have Clint Bodungen coming back.

I hope the listeners appreciate this. It is a bit of a commercial announcement, because we’re talking about a new product that Clint is putting out called ThreatGEN, which is a gamification approach for training in cybersecurity.

I just found the idea so compelling, and I thought it was something that the listeners would be really interested in. Guys, please give me your feedback and let me know if this is something you thought was valuable. With that, please welcome Clint Bodungen. Clint, welcome back to the Pipeliners Podcast.

Clint Bodungen:  Thanks. Good to be back.

Russel:  I’m kind of excited to have this conversation. Let’s just dive in and talk about ThreatGEN. Tell me about ThreatGEN and what it is.

Clint:  In short, ThreatGEN is gamification based training. Gamification is another buzzword, you know me and buzzwords. Ultimately, it is a training method, aside from your traditional training methods, like instructor-led training, classroom training, live training, or CBT training — computer-based training — which we’re all familiar with.

Gamification based training is a training method that puts the user in a game. It turns the training into a game. In short, that’s what it means.

Russel:  Is your goal here to get all the high school and junior high school kids that are sitting in front of their computers playing games to play pipeline and such computer games?

Clint:  It’s funny that you would think that this would appeal to a younger generation. I think a lot of people forget that the current working generation, current working adults, we all grew up as gamers, or many of us did anyway.

I think one of my colleagues, Rob Beason, said it best in a blog post recently, one of the first sentences of the blog was, “Well, we like to game.”

As working adults, I still play video games. Most of my friends still play video games. My colleagues play video games. Even my wife pointed out that things that we have to do, when we have to acquire points or we have to get badges or stats-based things. appeal to us as adults.

She mentioned even on the website, logging into the website, it immediately goes to her profile page and there are these badges. Any forum, the more posts you have, the more stars you have in your icon or whatever, the more badges you get.

She said, immediately seeing that on her profile when she walked in, she immediately wanted to go start making forum posts to get her rating up. It epitomizes that gaming stats-based culture that we live in, no matter what age you are.

Russel:  Right. We all want a trophy, right?

Clint:  Yeah. A trophy or status, or you want to compete, for whatever reason. I think that modern working adults or just people, in general, I think we all like something that is derived from competition, whether it’s status or trophies or points or rewards.

I think the whole gamification of life in general makes learning more fun.

Russel:  I absolutely agree with that. We all like to play games. I mean that in a positive way. Playing games and playing games with others is fun. Competition, friendly competition is fun. I think there’s a lot there.

To talk about this a little bit because we are talking about being a gamer and playing computer games and trying to draw on an analogy for using that as a way to train professionals. I recently watched a YouTube video about somebody who was an expert at FlightSim, a flight simulator, but had never actually flown an airplane.

They took him up in a Cessna single prop aircraft with somebody sitting in the second seat that was a trainer, right, that could watch what they were doing. That person got in the airplane, got it started up, took off, got to altitude, and the only real problem they had was it was a crosswind landing, and they were struggling a little bit with the crosswind landing.

In terms of just understanding how to operate the aircraft, they were all over it, just because they were really advanced that playing this flight simulator game. I think there’s a lot of opportunity here with that kind of idea.

Clint:  I think that there’s two aspects to it. It’s not just the fact that it’s more entertaining and more interesting because it’s in a gamification style or game style. I think if you can successfully merge the hands-on experience or the applied experience with that gamification, I think you’re maximizing the learning opportunities there as well.

The flight simulator, that’s actually just more of a hands-on simulation, more so than a game. A gamification typically means that there’s an element of either competition or there is a risk and reward and penalties, points, badges. A statistics points-based system. That’s what the gamification is.

The hands-on aspect is the other thing that you were talking about with the simulation. That’s what ThreatGEN is. It’s making it more entertaining by putting in a gamification, but it’s also providing an applied aspect. It’s putting your skills to use and then in this case, ThreatGEN puts your skills to use against another human thinking adversary.

That’s why cybersecurity training is so good for gamification, because the nature of cybersecurity is that it is an attack and an offense. You’re defending something and the adversary is attacking something and that lends itself naturally to a competition or gamification.

Russel:  We probably ought to stop there and ask you to give a description of ThreatGEN, what it is and how it works. We’re going to go deep into the Geek Canyon, if you will. In fact, I think you get the supreme Bubba geek award badge.

I should design one of these and give it to you to hang it on your wall for what you’re doing with this tool. Why don’t you tell the listeners very basically, what is ThreatGEN?

Clint:  At its core, it’s a combination of a training card game and it’s a turn-based strategy game. The goal as a blue team player to defend your network. The red team is to attack the network, take control of assets. It’s points-based, as well as goal-based.

We wanted to find a way to be able to teach a red team versus blue team type of training or competition without the learning curve for the red team, because there’s a lot of good red team/blue team training out there, but it’s like five days long.

There’s a huge learning curve to play the part of the hacker if you don’t already have some skills in programming and scripting and know the hacker methodology. We wanted to accomplish two things. We wanted to (a) be able to provide a red team blue team training format without a learning curve and we wanted anybody of any skill level to be able to play the part of the hacker.

The only thing that’s required is your brain, the ability to strategize. We came up with the idea of the things that you do, the actions that you take, deploying a firewall, running a port scan, you don’t have to know the keystroke details of how to do these things, but if you know about the concept, when and why it’s applied and in what order, that’s valuable.

Russel:  That’s actually really interesting, because this is a way to get people who don’t understand the details of the keystrokes, a good solid understanding of what cybersecurity really is.

Clint:  Exactly. That’s the whole point. We wanted to be able to let people who are not hackers or not-programmers play the part of the hacker and learn what the hacker methodology is.

Learn what the kill chain is and what it means and being able to immerse yourself into that role helps you apply the knowledge that you would learn at a red team portion or red team lecture portion of a class. We actually saw this happening during our beta run of the class.

We’re teaching a red team lecture. We are teaching people about the hacker methodology that you’ve got to do your open source intelligence and scan for hosts and port scan, etc. etc. Then you take a hold of the host, rinse, and repeat.

We saw that whenever we got into the gaming portion of the class, students would take control of an asset and then they would stop and say, “Well, now what do I do?”

We would say “Well, go back to the lecture. What is the process, what is the hacker methodology? Where are you at in the kill chain?”

And the light will turn on in their head and they will go, “Oh,” and they will get it because they are applying skills of a hacker without actually having to know how to be a hacker. It’s the procedural conceptual methodology that’s important to most offenders in today’s cybersecurity workforce.

Russel:  Exactly. I think that’s fascinating. I also think it’s fascinating that it’s the kind of thing that somebody could learn without having to learn the keystrokes. That’s very compelling. That’s very compelling.

Clint:  It does go beyond that. There are three or four or what I like to call 3.5 elements of the game.

There’s that aspect, which is the procedural playing of the game. You lay out your cards, and by the way, just like real life, every action that you take from the blue team, every action or every card that you play, it has a cost. It costs money, every action costs money, costs you staff and costs you time.

You deploy that firewall or whatever the action is, it’s going to immediately cost you money and then it will detract staff from your available staff for the amount of turns required until they finish that task. Then you get that staff back and then you get the results of that action and your firewall’s deployed.

If you run out of money, there’s another action you can take to request budget. You may or may not get the budget at all, or you may or may not get the budget you requested. It may take time.

Russel:  That’s getting too much like real life.

Clint:  Yeah, it is. It mimics real life. We built our gaming engine to come up with the same issues and the problems that you face in real life whenever you’re attacking a machine, you won’t know if there’s any vulnerabilities in the machine until you do a vulnerability assessment on that machine.

The game randomizes itself at the beginning. It’s not the same every time. You only know what you know. If you don’t know about an asset in the game, if you haven’t done an asset inventory review, you won’t know about an asset out there, maybe.

There’s a lot of the same things that we built that you find in real life, so you have that procedural level. The next level is, if you are more skilled and you want more of a challenge and you want that command line aspect, we are developing a simulated command line version.

Instead of, as the red team, let’s say you want to feel like you’re writing script and writing code, there is a simulated command line that we are developing. Much like there’s a consumer-based video game for entertainment out there called “Hacker Evolution,” we modeled it after that.

You’re actually in a simulated command line where you can type out the commands and do port scans in the simulated environment instead of playing the cards. That’s the next level of difficulty, and that’s not currently in the beta, but we’re working on it.

Then the next level of detail is, we’re working on a solution to where every asset in your network — in your virtual network in the game that you see graphically — can actually be tied to a virtual machine, so that you can actually interact with these devices like they’re real computers.

They essentially are real computers, because they’re tied to a virtual machine or some sort of virtual device. That’s the next level of detail. The reason why we’re doing that is because we have plans to merge this with ThreatGEN VR.

And so that’s another discussion, but ThreatGEN VR is ThreatGEN 3F or VR, basically it has the environment, in this case the industrial environment in a first-person, shooter-style video game, an FPS. Basically, it’s like playing “Counter-Strike” or “Modern Warfare” or something like that, to where you have a 3F replicated plant environment instead of just pictures on the interface that we have here.

Russel:  I can actually walk around the plant and find valves and transmitters and PLCs and get into cabinets and stuff like that?

Clint:  Right. We released ThreatGEN VR beta this past year, S4 ’18 — at the S4 conference. That’s where you can put on the virtual goggles and run around a plant environment. We are developing both of these aspects in parallel, and so we have a roadmap to merge the two environments.

You have the 3F environment, first-person, shooter-style, if you will. With that, you also have the gaming environment of ThreatGEN online. They will end up merging, so you have the online gaming interface and then you have the option of having the command line interface and also interconnected with virtual machines, so you have real computer simulation and that’s tied to the 3F environment.

You have all different elements of the training that you would need. You can physically or virtually physically run around the plant for your physical aspect. You can have your computers tied to virtual machines, so you can interact with them much like a lab environment, which makes it much more realistic.

Then, what drives it all and turns it into a training environment or a gamified environment is the ThreatGEN online interface, which has the gaming engine.

Russel:  Tell us, how long have you had this on the market? How new is this?

Clint:  We just released beta for ThreatGEN online, we just released beta this week, although the ThreatGEN VR beta was released in January.

Russel:  I want to share with the listeners. I had an opportunity to see this, I guess about three months ago, when Clint came by our shop and showed this to myself and other members of our team. He was telling me about gamification and I was having of very hard time in my mind putting together what is this? What does it look like? How does it work?

I’m certainly familiar with video games, as most of us are. I just didn’t get it. What I didn’t realize is that there are development platforms out there for building games that have very rich toolsets for creating these environments with plants and roads and all that kind of stuff.

The effort to build that is not what I thought it might be. The other thing that I didn’t realize is that there is lots of APIs and points of integration where you can tie this to other stuff, so the ability to tie it to things that model various kinds of equipment and various kinds of computers, there is a lot out there.

I saw it and all of a sudden, my mind just snapped and I’m like — like a whole world of possibilities opened up for me as to what you could do with this. What reaction are you getting from the people that are using it?

Clint:  Let me go back to one thing you said before I answer that. Yeah, developing this was actually pretty easy. Once you learn how to use this, it is called Unity 3D, is what we developed it in. We can absolutely hook up real-world PLCs and connect real-world devices into the gaming department.

Like I said, that’s going to be in later releases, when those two features converge. The reaction that I’m getting so far, people seem to be blown away. I didn’t think this concept was overall that new or that big of a deal.

I just thought it would be something that would help people learn a lot easier and they would just simply be more interested in learning an environment like this, but the reaction is a bit overwhelming, actually.

Ever since we released it and we put notice out on LinkedIn and it’s gone out on a couple of mailing lists, my email has pretty much blown up with people wanting access to the beta. People that are curious about how they can get access to it, how they can use it.

I’ve actually even gotten calls from a few game development firms with people that have come from Blizzard Entertainment, Bioware, Electronic Arts, Sony Entertainment. Somehow, they got word about all this and I’ve gotten calls from them asking if I need help progressing it, just lending me advice and help on how to bring this to market.

That’s what blew me away. I want to know how these people found out about it, but the amount of beta testers, we’ve already got almost 50 beta testers that signed up in a matter of just a couple of days.

To your point earlier, it’s not just a bunch of kids. We have legitimate industry professionals signing up to be beta testers and giving us advice and helping us out. It’s like the community is all coming together to support this.

Russel:  Yeah, in fact, I want to just say that I want to be a beta tester and I haven’t got my invitation yet.

Clint:  Yeah, I kind of forgot to put you on the list. I’m just kidding.

[laughter]

Clint:  No, I think the problem is that I had a whole list of people to send out the registration link to and I got so bombarded with people preemptively asking for access to it, many of them were already on my list, that I forgot to go back and check the list to see who I should contact. Oops, sorry. I’ll make sure you get a link.

Russel:  No worries, just when we get off the episode, that’s your first task, is to send me an invite to get on the beta.

Clint:  My first task is probably to call my boss back, he called me while I was on this call.

Russel:  All right, that’s fine. I guess I can understand that. One of the big issues right now is this issue of team training for pipeline operators. This is a new thing. It’s a requirement and people are trying to do it with tabletop exercises and some combination of computer-based training.

I see this as a real opportunity to do team training in a very different way, where you can kind of immerse people in a real-world situation. I can have people in the control room seeing a control room experience. People in the field seeing a field experience. Managers seeing a management experience and then do exercises and see how they perform together.

Clint:  That dovetails in to the multiplayer aspect that we’re working on. What you are talking about is a multiplayer feature that allows multiple people to play with in the same game, each having their own view, but then they each have their own computer and it’s online, it goes through the web.

Ultimately, this is a going to be a development release that gears towards tabletop exercises for incident response. You and I talked Russel, we have plans to work towards tailoring that multiplayer environment to accommodate pipeline organizations.

I’ll let you talk more about how it would benefit them, but it is a multiplayer environment. They each have their own responsibilities, their own views, and they would act in accordance to how they would responding to different incidences in the pipeline.

Russel:  To explore that a little bit, Clint, last week Charles Alday was the guest on the Pipeliners Podcast. I don’t know if you know Charles, but Charles is very well known in the control room space and the operations training space in pipeline. I would say he is the guru of that domain, as an outside consultant.

We were talking about this a little bit and I think one of the really valuable things about doing a multiplayer game is, now I have the ability to record everything and play it back and debrief it. Where with ThreatGEN as it exists right now, it is me against the other guy, right?

This is more against us against the situation, and then having the ability to go back and replay what occurred and debrief that, I think that’s just hugely valuable. It has lots of applications.

The gaming engine needs to be robust, but the beauty of this is every engagement with the engine and every addition, it just becomes better and better and better. It’s the kind of thing that, with more people working on it and with it, it just improves over time.

Clint:  Yeah. That again, is the epitome of the gamification environment. You are going to have a bunch of people working together. It is still a competition, whether it is a competition against other people or a competition against a scenario, there’s still a goal that they have to achieve.

Just like real-world gaming, the more you play a game, the better you get. In this case, the more you work through incident response incidents and any type of action-oriented task or set of tasks, the more that you practice, the better you are going to get.

That’s why you have tabletop exercises in the first place and that’s why you have training in the first place. Making it hands-on. A lot of martial artists say fight like you train and train like you fight. That’s exactly the case here.

In a game environment and a simulated environment, you have individuals that are able to perform in the same way that they would in a real-life incident.

I haven’t thought about putting a record button in there, per se, to record everything, but you can certainly do screen captures and record, things like that. We can find a way so that you can record it and do a debrief. That’s a good idea.

Russel:  I think that’s important, and I would bet you that’s a capability that exists within the tools you are already using. You’ve just got to implement it. Most games have that ability to play back.

Clint:  Maybe it’s possible. It may be a standard feature, sort of a library you can develop pretty easy, based on the unity framework, for sure.

Russel:  Yeah. I like to talk about Sully, the guy who landed the aircraft in the Hudson River. He had never done that before. He did it perfectly, and the reason he did it perfectly is he had done it before in a simulator, so he knew what was required. All of the training and all of those years were what made the difference for that aircraft and those passengers.

Clint:  I think he was saying he never did it in a simulator, but just due to his training and repetition and everything, going back to the movie, it was the people in the simulator that were saying it couldn’t be done.

The people that only trained on the simulator said it couldn’t be done, but it was his experience that he knew that it could be done. But it’s repetition, repetition, repetition, and experience that lends itself to that knowledge.

Russel:  You’re exactly right. My point being that he had a bird hit is a common thing that you work through in a simulator and in an aircraft.

It was all those repetitions of all those abnormal flight hours that allowed him to do that safely. If he hadn’t had that, there’s no way he could accomplish what he accomplished.

Clint:  Right, exactly, I agree.

Russel:  That was actually proven up in the simulator because the other thing he did was he got off script. He knew what the outcome was if he stayed on the script.

I think that provides a huge opportunity, just to again pull this back and talk a little bit about how I could see it or how it could play in the pipeline world. You could take some of the incidents that have occurred.

You could build those up as a game or a scenario and then you could track, you could score people and how well they are able, as a team and individually, to identify and mitigate the incident.

Clint:  Exactly.

Russel:  I think there’s just a huge opportunity. I am excited about it. I’m excited for you. You’ve been talking to me about this for a long time and for the listeners that don’t know Clint, he got a lot of this done or got it well down the road just working on an evening, nights and weekends around other things, because he just thought it was such a cool idea, he couldn’t put it down. Is that a fair conclusion, Clint?

Clint:  Yeah, this was done by myself and another individual named Aaron Shabib. The two of us exactly worked on this nights and weekends through the graces of our wives, mine taking care of kids and his taking care of other things that needed to be taken care of, letting us work on this on nights and weekends. It was a labor of love, but a lot of burned candles.

Russel:  Yeah, I’ll bet. I wish you all success with this. We’ll put some of these details on the show notes and provide people some links so they can find you and find ThreatGEN, and I’ll be very interested to see where this takes you over the course of the next year and on forward.

Clint:  Hopefully I’ll get some sleep between now and that time.

Russel:  Oh man, you’re too young, you don’t need sleep yet. What are you talking about?

Clint:  You know what? My kids agree with you, so.

Russel:  [laughs] All right. Thanks for joining us again. It was great to have you back, Clint.

Clint:  All right, thanks, it was great being here.

Russel:  I hope you enjoyed this week’s episode of the Pipeliners Podcast with Clint Bodungen about the gamification of training and all that could possibly mean for the future of our industry.

This is the kind of stuff that I enjoy, and I hope you enjoyed it as well. Just a reminder before you go, you should register to win our Pipeliners Podcast YETI tumbler. Simply visit go to pipelinepodcastnetwork.com/win and fill out the form to enter yourself to win a cool YETI tumbler.

If you have ideas, questions or topics, or if you would like to provide us feedback about this or other episodes, please let us know either on the Contact Us page at pipelinepodcastnetwork.com or you can reach out to me directly on LinkedIn. My profile is Russel Treat.

[background music]

Russel:  Thanks for listening. I’ll talk to you next week.

Transcription by CastingWords