27 July to 7 August 2020
Critical Infrastructure Security Showdown 2020 – Online (CISS2020-OL) is the fourth run of iTrust’s international technology assessment exercise. As its name suggests, the exercise is organised and held completely online. This year’s exercise is sponsored by the National Research Foundation and the Ministry of Defence.
CISS 2020-OL aims to meet the following key objectives: (a) validate and assess the effectiveness of technologies developed by researchers associated with iTrust; (b) develop capabilities for defending critical infrastructure under emergency situations such as cyber-attacks; and (c) understand composite Tactics, Techniques and Procedures (TTPs) for enhanced Operational Security (OpSec). Anonymised reports from previous exercises can be downloaded: 2016, 2017 and 2019.
Venue: iTrust’s Secure Water Treatment (SWaT) testbed @ Singapore University of Technology and Design (SUTD)
Date: 27 July to 7 August 2020 (Mon – Fri)
Time: 0900 – 1800 hrs, GMT +8
Details: A full set of guidelines will be available for download shortly.
| Phase | Dates | Activity | Participants |
|---|---|---|---|
| I | May 4 – 29, 2020 | Participant selection | Red & blue teams, observers |
| II | June 22 – July 3, 2020 | Participant familiarisation | Red & blue teams |
| III | July 6 – 16, 2020 | Target system selection | Red teams |
| IV | July 27 – Aug 7, 2020 | CyberFire | Red & blue teams, observers |
| V | Q3 – Q4, 2020 | Data analysis and reporting | iTrust |
Phase I: Participant Selection
Participation in CISS2020-OL is by invitation only. Participants will be classified into red teams, blue teams and observers. The selection procedure for participants in each category is as follows:
a. Red teams (comprising 4 – 6 members):
- One from Singapore Ministry of Defence (MINDEF)
- One from Singapore Cyber Security Agency (CSA)
- Up to 14 local and international teams from government organisations, private sector and academia.
b. Blue teams (no limit on the number of members):
- One from iTrust
- Commercial vendors will be invited based on their past performance in similar events and nominations by Singapore Government agencies.
- Academia from centres around the world that have cyber-security as their prime focus and have a demonstrated research record in securing critical infrastructure.
- The anonymity of blue teams is maintained throughout.
c. Observers: Singapore Government agencies and their invitees. iTrust will execute the event online from where any authorised observer can track the progress – in terms of attacks launched and detected – of the event.
Phase II: Participant Familiarisation
All red and blue teams will be offered an online tour of the Secure Water Treatment (SWaT) testbed – one of the target systems (see below) – and have their questions answered. In addition, they will also be provided:
- information on SWaT, the digital twin, digital twin player, and various anomaly detection and plant safety technologies that will be deployed during the exercise;
- a Frequently Asked Questions (FAQ) document (provided separately); and
- access to past data collected from SWaT since 2015, including data collected during CISS 2019.
A link will be provided shortly for red and blue teams to sign up for an online tour slot of SWaT and have their questions answered by the organisers.
Phase III: Target System Selection
Target system selection is the first component of the exercise where red teams are tasked to access the target systems available for attacks. Target systems consist of SWaT and variations of its digital twin. Figure 1 below captures the interactions among the participants and the target systems.
Figure 1: Target systems and tools to be used during CISS2020-OL
A link will be provided on the CISS2020-OL website where red teams can select their 2-hour timeslot for the target system selection.
Each target system will be kept live during this phase. Red teams will be provided unique URLs to connect to each target system. Data generated by each target system, including OT data captured by the historian and the pcap files, will be piped online and can be viewed through PlantDecode and PlantViz [OT]. All target systems will offer an identical, or near-identical, user interface.
Each red team will then be asked to make its target system selection known to iTrust; it will then be informed whether its selected target system is SWaT or one of the digital twin variants. This selected target system shall be the one on which the team will launch its attacks during the next phase: the CyberFire exercise. Bonus points will be awarded to the red teams that correctly select the physical SWaT testbed instead of its digital twin. A red team that selects the digital twin will be granted up to 0.5 CFM (2 hours) to attack SWaT after it has completed launching attacks on the digital twin that it selected, if it so wishes. Note that this 0.5 CFM is included in its allotted 1 CFM slot.
A link will be provided shortly for red teams to register for a slot to perform target system selection.
Phase IV: CyberFire
As listed in Table 1 below, the CyberFire activities will be spread over 16 CyberFire modules (CFMs). Each CFM slot is 4 hours and is scheduled from 9am to 1pm and from 2pm to 6pm, GMT+8, with a one-hour break in between for system reset. The red team attack schedule will be announced on the website two weeks before the exercise.
Table 1: CISS2020-OL Schedule for red teams [Team IDs to be filled]
At the start, each red team is assigned one CFM (4 hours); it may request one additional, consecutive CFM (8 hours in total) on the same day. In such a case, the one-hour system reset will not apply. The criteria for requesting an additional CFM are that the red team has:
- Past experience in participating in cyber-security exercises, and is multinational;
- Demonstrated the ability to design complex attacks; and
- Selected SWaT as its target system in Phase III.
For added realism, all red teams must attack SWaT by first entering the network via the ZyCron Cyber City (ZCC); they will land in ZCC’s corporate network through a VPN connection. ZCC (Figure 2) is a full-fledged virtual organisation comprising Information Technology (e.g., e-mail server, file server, print server, CCTV, honeypot and intranet) and Operational Technology (processes in SWaT). To make these entities “alive,” various types of network traffic are also crafted and included in ZCC. As an IT environment, ZCC is not set up according to best practices, i.e., it is intentionally built with minimum security features and contains vulnerabilities for red teams to explore and exploit. Note that there is no internet access within the ZCC.
Figure 2: High-level Architecture of ZyCron Cyber City
Active stage: During a CFM the assigned red team will be asked to demonstrate its attacks and achieve the pre-determined goals (see below for details on scoring). At this time, the red team is considered “active” and will have online access to its pre-selected target system via a VPN connection. The CFM duration includes, but is not limited to: reconnaissance, designing and launching attacks, interactions with judges (e.g., via Ticketing System; see Figure 1) and taking breaks.
Hunting stage: Active teams will be able to design attacks on the target system and launch them remotely using the Attack Designer/Launcher (see Figure 1). This tool is only applicable to SWaT and is meant to facilitate a better understanding of the operational technology environment when under attack. The red team will need to “hunt” for its pre-selected target system (from Phase III) before it can begin to launch attacks. As indicated above, all red teams must enter SWaT via the ZyCron Cyber City (ZCC) to launch attacks. Failure to do so, or to identify the pre-selected target system, will lead to a lower score for the red team.
Attack launch stage: Prior to launch, the active red team must do the following throughout its CFM:
- Share with iTrust the “live” screen of the computer that is used to launch the attack via an online communication tool (e.g., Skype);
- Allow iTrust to video record the screen; and
- Inform judges (1) the intention of the attack; (2) the targeted component(s); and (3) the launch procedure.
Only one attack can be launched at a time, on either SWaT or the digital twin variant, but not on both simultaneously. The duration of an attack will be determined in real time by iTrust’s cyber security technology engineers stationed physically at SWaT. Attacks that take a long time, e.g., 30 minutes, to have a noticeable impact on the plant will likely be halted by the judges before the impact is visible.
Note on screen recording: this is purely for iTrust’s post-event analysis and report writing purposes; recordings will not be shared with anyone or made public without written permission from the red team.
The PlantViz [OT] tool, developed by iTrust, will be accessible to the blue teams and the active red teams. PlantViz [OT] will enable the blue teams and the active red teams to view in real time the value of each state variable in the target system. Any anomaly resulting from an attack, or otherwise (i.e., a false alarm), that is reported by one or more detectors will also be visible through a separate PlantViz view, but only to the organisers, observers and judges and not to the red or blue teams.
The performance of each red team will be assessed in real time by a team of judges consisting of cyber security experts and engineers working in the critical infrastructure domain. All teams that successfully complete the exercise will be given a certificate of participation. During the event, judges will score each team based on criteria such as the complexity of the attacks launched and the success of an attack in causing an anomaly in at least one of the plant state variables. The top three red teams will receive cash awards of S$2,000, S$1,000 and S$500 respectively. Scoring will be based on the following individual elements.
- TTP Complexity: a multiplier
- Sensor target: based on different sensors
- Actuator target: based on different actuators
- Impact: normal or high (a multiplier)
- Bonus: disrupt the anomaly detectors
Attack detection by blue teams
Throughout the event the blue teams will have VPN access to the active target system, i.e., the one selected and in use by the active red team. Blue teams will be able to receive live pcap and OT data for analysis and for reporting any anomalies. Blue teams will be encouraged to report any anomaly via PlantViz [OT] using a web interface. However, if such reporting is not feasible for any reason, alternative arrangements will be made for reporting anomalies to the event oversight committee. To recap para 3.2.2, no efforts shall be made to prevent, halt or thwart any attacks launched by the red teams.
Phase V: Data Analysis & Reporting
iTrust will begin data analysis soon after the end of the exercise. The analysis will produce metrics such as the number and types of attacks launched, success rate, detection rate (and false positives), and time taken to detect. Technologies developed by iTrust, and tested during the exercise, will also be evaluated and the outcome included in the event report.
Please direct any enquiries to firstname.lastname@example.org with a subject line starting with [CISS 2020-OL].