MWR to compete in Industrial Control System CTF

MWR is to compete in a Capture the Flag event in Singapore focused on ICS security, but how do such events aid the industry and the defence of ICS in particular?

From June 5-9, MWR InfoSecurity will be at Singapore University of Technology and Design (SUTD) for a competition based on the cyber security of Industrial Control Systems (ICS). This event, called S317, is a Capture The Flag (CTF) style event, designed to pit experts in ICS security from academia and industry against each other.

Activities such as this competition are invaluable, as they show the real-world possibilities and their disastrous consequences should an attacker be able to bypass perimeter security and target the often outdated systems that govern Critical National Infrastructure (CNI).

SUTD recently held an online qualifier phase and MWR, as one of the top five teams, will now venture to Singapore for a chance to tackle the university’s world-leading ICS testbeds. These systems mimic real-life water treatment and distribution systems that are used across the CNI of countries including Singapore and the UK. More detail on SUTD’s water control testbeds, SWaT and WADI, can be found here and here.

For the competition, MWR has partnered with Lancaster University to field a joint team of four ICS experts, all of whom have published work in the field of securing control systems and processes.

What’s different about this event?

An ICS CTF differs from regular CTFs in that, where regular CTFs may be based on web applications, reverse engineering, etc., an ICS CTF is very much based on targeting computer systems that monitor and have a degree of control and interaction with the physical world. Teams are challenged to target both IT components (engineer workstations and PCs, system routers, etc.) and the Operational Technology (OT) side. OT includes components such as Programmable Logic Controllers (PLCs), Human-Machine Interfaces (HMIs) and SCADA (Supervisory Control and Data Acquisition) systems.

Teams therefore have the opportunity to launch sophisticated and real-world physical attacks against ICS/OT systems, including attempts to disrupt monitoring equipment and overflow water tanks past safe limits.

Preparing for the worst

Attacks against ICS have been well-documented in the past, including the high-profile Stuxnet attack against an Iranian nuclear enrichment facility. Approaches to detecting such attacks have been explored in research by MWR consultants in the past. Recently, this threat has extended to ransomware, as shown in work by researchers from the Georgia Institute of Technology.

The threat of ransomware has also recently been shown to be able to target other critical infrastructure, in terms of the WannaCry attack which hit the UK’s National Health Service (NHS). Ransomware represents a significant risk to critical systems that are part of everyday life, as well as the existing threat to unsuspecting consumers and small business. MWR is active in the ransomware detection and prevention space, with services such as RansomFlare and Countercept aimed at protecting industries from these threats.

CCPT RF screenshot

The benefits of competitions like SUTD’s S3 are therefore multifaceted. Security consultants and researchers are provided with real hands-on time with ICS environments to identify vulnerabilities and test exploits, which would never be possible in a critical environment of a commercial ICS vendor. This also provides invaluable research data which SUTD and invited defensive companies can use to identify potential attack vectors and strategies and help defend against them. Finally, and most importantly, it offers huge benefits to MWR’s clients as it increases the practical ICS expertise of the parties involved, helps identify attack vectors that a malicious hacker may wish to use, and helps strengthen the security posture of systems we all take for granted every day.

ICS vendors may also wish to consider fielding a presence in CTFs like this one to increase the skill and preparedness of their ICS engineers, who may not always have a strictly security-based background. These activities can be as much an exercise in cyber security upskilling for ICS professionals as in ICS familiarization for those working in other fields of the security profession. The cross-discipline cooperation between security professionals and ICS engineers can also only benefit the industry.



Accreditations & Certificates

MWR is an accredited member of The Cyber Security Incident Response Scheme (CSIR) approved by CREST (Council of Registered Ethical Security Testers).
MWR is certified under the Cyber Incident Response (CIR) scheme to deal with sophisticated targeted attacks against networks of national significance.
We are certified to comply with ISO 9001 and 14001 in the UK, internationally accepted standards that outline how to put an effective quality and environmental management systems in place.
MWR is certified to comply with ISO 27001 to help ensure our client information is managed securely.
As an Approved Scanning Vendor MWR is approved by PCI SSC to conduct external vulnerability scanning services to PCI DSS Requirement 11.2.2.
We are members of the Council of Registered Ethical Security Testers (CREST), an organisation serving the needs of the information security sector.
MWR is a supplier to the Crown Commercial Service (CCS), which provides commercial and procurement services to the UK public sector.
MWR is a Qualified Security Assessor, meaning we have been qualified by PCI to validate other organisation's adherence to PCI DSS.
As members of CHECK we are measured against high standards set by NCSC for the services we provide to Her Majesty's Government.
MWR’s consultants hold Certified Simulated Attack Manager (CCSAM) and Certified Simulated Attack Specialist (CCSAS) qualifications and are authorized by CREST to perform STAR penetration testing services.