William Jardine, Security Consultant
Activities such as this competition are invaluable, as they show the real-world possibilities and their disastrous consequences should an attacker be able to bypass perimeter security and target the often outdated systems that govern Critical National Infrastructure (CNI).
SUTD recently held an online qualifier phase and MWR, as one of the top five teams, will now travel to Singapore for a chance to tackle the university’s world-leading ICS testbeds. These systems mimic the real-life water treatment and distribution systems used across the CNI of countries including Singapore and the UK. SUTD publishes further detail on both water control testbeds, SWaT (Secure Water Treatment) and WADI (Water Distribution).
For the competition, MWR has partnered with Lancaster University to field a joint team of four ICS experts, all of whom have published work in the field of securing control systems and processes.
An ICS CTF differs from a regular CTF in its targets. Where a regular CTF is typically built around web applications, reverse engineering and similar challenges, an ICS CTF is built around computer systems that monitor, and to some degree control and interact with, the physical world. Teams are challenged to target both the IT components (engineer workstations and PCs, system routers, etc.) and the Operational Technology (OT) side. OT includes components such as Programmable Logic Controllers (PLCs), Human-Machine Interfaces (HMIs) and SCADA (Supervisory Control and Data Acquisition) systems.
Teams therefore have the opportunity to launch sophisticated and real-world physical attacks against ICS/OT systems, including attempts to disrupt monitoring equipment and overflow water tanks past safe limits.
Attacks against ICS have been well-documented in the past, including the high-profile Stuxnet attack against an Iranian nuclear enrichment facility. Approaches to detecting such attacks have been explored in research by MWR consultants in the past. Recently, this threat has extended to ransomware, as shown in work by researchers from the Georgia Institute of Technology.
Ransomware has also recently been shown to reach other critical infrastructure, as with the WannaCry attack which hit the UK’s National Health Service (NHS). Ransomware therefore represents a significant risk to critical systems that are part of everyday life, on top of the existing threat to unsuspecting consumers and small businesses. MWR is active in the ransomware detection and prevention space, with services such as RansomFlare and Countercept aimed at protecting industries from these threats.
The benefits of competitions like SUTD’s S3 are therefore multifaceted. Security consultants and researchers get real hands-on time with ICS environments to identify vulnerabilities and test exploits, something that would never be permitted on a live, production ICS deployment. This also provides invaluable research data which SUTD and invited defensive companies can use to identify potential attack vectors and strategies and help defend against them. Finally, and most importantly, it benefits MWR’s clients: it increases the practical ICS expertise of the parties involved, helps identify the attack vectors a malicious actor may wish to use, and helps strengthen the security posture of systems we all take for granted every day.
ICS vendors may also wish to consider fielding a presence in CTFs like this one to increase the skill and preparedness of their ICS engineers, who do not always have a security background. These activities can be as much an exercise in cyber security upskilling for ICS professionals as in ICS familiarization for those working in other fields of the security profession. Such cross-discipline cooperation between security professionals and ICS engineers can only benefit the industry.