CISS2020-OL: Attacking the Secure Water Treatment testbed

The JYVSECTEC Red Team participated in the CISS2020-OL (Critical Infrastructure Security Showdown 2020 Online) competition and placed 3rd out of 17 teams.

CISS2020-OL participants were invited by iTrust, Centre for Research in Cyber Security at the Singapore University of Technology and Design (SUTD).

CISS2020 invites red teams to try their best at disrupting iTrust's Secure Water Treatment (SWaT) testbed while the invited blue teams compete on detecting the evil. Our first ride as a red team was a blast.

“Events like this are great for both the individuals and the team for picking up new things. Not only that, they are also a ton of fun to participate in,” says Red Team Technical Specialist Heikki Salo.

Preparing for Target Selection and CyberFire

We found iTrust’s SWaT environment to be well designed and interesting. Initially, we were a bit worried about how running the exercise online would affect it. Our worry was unnecessary: everything worked nicely and the schedule didn’t suffer any major delays.

We started preparing for the exercise by reading the documentation provided by iTrust and the public Red Team reports from previous years. Both were extremely useful during the exercise. After spending some time reading the documentation and the reports, we had a pretty good idea of what kinds of attacks we wanted to try during CyberFire, the live attack phase. We learned that studying pays off.

Preliminary analysis: Target Selection

The first part of the red team challenge was a phase called Target Selection, in which the teams had to familiarize themselves with the given datasets captured from the target environments. The datasets consisted of data from two different environments: one was the digital twin and the other the real, physical environment.

Red Teams were awarded points if they managed to select the datasets containing data captured from the real environment over those captured from the digital twin. We selected the offline option, in which we had 48 hours with the dataset files to make our selection.

Grafana and other data visualization tools were used to differentiate datasets

After attending iTrust’s briefing, reading past reports and waiting for our turn, the target selection was our first hands-on time with CISS2020-OL. Perhaps our team was eager to solve this, as the first educated guesses arrived in our chat while our team leader was still asleep.

We thought that the target selection phase was a good way to familiarize ourselves with the target environment and it gave us more insights into the devices and operational relationships we could expect in the actual CyberFire phase.

Time to attack: CyberFire!

CISS2020-OL CyberFire is where the cyber finally happens, as each red team has their own CyberFire slot with network access to try their best to gain access and disrupt processes.

The live part is split into two phases: 1 hour for breaking into the Secure Water Treatment testbed (SWaT) via Zycron Cyber City (ZCC) and finally 3 hours of wreaking havoc inside SWaT.

We spent most of our preparation time studying the OT environment and didn’t pay much attention to preparing for ZCC. We should have had a plan to attack ZCC: with one, we would have done a better job at breaking through it to SWaT and would have had more time to attack SWaT.

Secure Water Treatment testbed, SWaT

Screenshot of SWaT status and controls being accessed

The arrangements for participating remotely worked well. When the judges confirmed that a valve was opened, you’d remember that there was indeed a physical plant getting modified. As with any cyber-physical havoc, it would’ve been even better to see the plant live. Hopefully once the COVID-19 crisis is over, we can visit SWaT in person!

Final thoughts

Our team was excited to participate in a cyber exercise organized by another organization. We have been organizing cyber exercises in Finland since 2012 and have a lot of experience in organizing exercises for blue teams, but most of our team hadn’t participated in a larger exercise organized by someone else before. We saw this as an excellent opportunity to see how other exercises are organized.

The iTrust faculty, in its role as designer and organizer of the event, performed well throughout the whole exercise. Communication between our Red Team and iTrust staff went very smoothly, even though the time between the briefing and the award ceremony was quite long, the event had multiple phases and the participants were spread around the globe. We are looking forward to joining future events as well!

 


Joni Ahonen
Technical Specialist
Institute of Information Technology, JAMK University of Applied Sciences
Teemu Kontio
Technical Specialist and Software Developer
Institute of Information Technology, JAMK University of Applied Sciences
Samir Puuska
Cyber Security Researcher
Institute of Information Technology, JAMK University of Applied Sciences
Heikki Salo
Technical Specialist Red Team
Institute of Information Technology, JAMK University of Applied Sciences
Marko Silokunnas
Technical Specialist Red Team
Institute of Information Technology, JAMK University of Applied Sciences

 
