Phase I: Participant Selection
Participation in CISS2020-OL is by invitation only. Participants will be classified into red teams, blue teams and observers. The selection procedure for participants in each category is as follows:
a. Red teams (up to 6 members):
- Up to 16 local and international teams from government organisations, private sector and academia.
b. Blue teams (no limit on the number of members):
- One from iTrust
- Commercial vendors will be invited based on their past performance in similar events and nominations by Singapore Government agencies
- Academia from centres around the world that have cyber-security as their prime focus and have demonstrated research record in securing critical infrastructure
- The anonymity of blue teams is maintained throughout.
c. Observers: Singapore Government agencies and their invitees. iTrust will execute the event online from where any authorised observer can track the progress – in terms of attacks launched and detected – of the event.
Phase II: Participant Familiarisation
All red and blue teams will be offered an online tour of the Secure Water Treatment (SWaT) testbed – one of the target systems (see below) – and have their questions answered. In addition, they will also be provided with:
- information on SWaT, the digital twin, the digital twin player, and the various anomaly detection and plant safety technologies that will be deployed during the exercise;
- a list of Frequently Asked Questions (FAQs) (provided separately); and
- access to past data collected from SWaT since 2015, including data collected during CISS 2019.
A link will be provided shortly for red and blue teams to sign up for a slot for the online tour of SWaT and have their questions answered by the organisers.
Phase III: Target System Selection
[Updated 5 Jul]: User guide for target selection is available for download
Target system selection is the first component of the exercise, in which red teams are tasked with accessing the target systems available for attack. Target systems consist of SWaT and variations of its digital twin. Figure 1 below captures the interactions among the participants and the target systems.
Figure 1: Interactions between red/blue teams with CISS2020-OL systems and tools during CyberFire
[Updated 1 June] Red teams can now select their 2-hour time slot for the target system selection
Each target system will be kept live during this phase. Red teams will be provided with unique URLs to connect to each target system. Data generated by each target system, including OT data captured by the historian and the pcap files, will be piped online and can be viewed through PlantDecode and PlantViz [OT]. All target systems will offer an identical, or near identical, user interface.
Each red team will then be asked to make its target system selection known to iTrust; it will then be informed whether its selected target system is SWaT or one of its digital twin variants. This selected target system shall be the one on which the team will launch its attacks during the next phase: the CyberFire exercise. Bonus points will be awarded to red teams that correctly select the physical SWaT testbed instead of its digital twin. A red team that selects the digital twin will be granted up to 0.5 CFM (2 hours) to attack SWaT after it has completed launching attacks on the digital twin it selected, if it so wishes. Note that this 0.5 CFM is included in its allotted 1 CFM slot.
A link will be provided shortly for red teams to register for a slot to perform target system selection.
Phase IV: CyberFire
As listed in Table 1 below, the CyberFire activities will be spread over 16 CyberFire modules (CFM). Each CFM slot is 4 hours and is scheduled from 9am to 1pm and from 2pm to 6pm, GMT+8, with a one-hour break in between for system reset. The red team attack schedule will be announced on the website two weeks before the exercise.
[Updated 1 June] Red teams can now select their 4-hour time slot for the CyberFire
Table 1: CISS2020-OL Schedule for red teams
The top three red teams will be announced on 11 Aug 2020, 5pm (GMT+8).
At the start, each red team is assigned one CFM (4 hours); it may request one additional, continuous CFM (8 hours in total) on the same day. In such a case, the one-hour system reset will not apply. To request an additional CFM, the red team must have:
- Past experience in participating in cyber-security exercises, and is multinational;
- Demonstrated the ability to design complex attacks; and
- Selected SWaT as its target system in Phase III.
For added realism, all red teams must attack SWaT by first entering the network via the ZyCron Cyber City (ZCC); they will land in ZCC’s corporate network through a VPN connection. ZCC (Figure 2) is a full-fledged virtual organisation comprising Information Technology (e.g., e-mail server, file server, print server, CCTV, honeypot and intranet) and Operational Technology (processes in SWaT). To make these entities “alive,” various types of network traffic are also crafted and included in ZCC. As an IT environment, ZCC is not set up according to best practices, i.e., it is intentionally built with minimal security features and contains vulnerabilities for red teams to explore and exploit. Note that there is no internet access within the ZCC.
Figure 2: High-level Architecture of ZyCron Cyber City
Active stage: During a CFM the assigned red team will be asked to demonstrate its attacks and achieve the pre-determined goals (see below for details on scoring). At this time, the red team is considered “active” and will have online access to its pre-selected target system via a VPN connection. The CFM duration includes, but is not limited to: reconnaissance, designing and launching attacks, interactions with judges (e.g., via the Ticketing System; see Figure 1) and taking breaks.
Hunting stage: Active teams will be able to design attacks on the target system and launch them remotely using the Attack Designer/Launcher (see Figure 1). This tool is only applicable to SWaT and is meant to facilitate a better understanding of the operational technology environment when under attack. The red team will need to “hunt” for its pre-selected target system (from Phase III) before it can begin to launch attacks. As indicated above, all red teams must enter SWaT via the ZyCron Cyber City (ZCC) to launch attacks. Failure to do so, or to identify the pre-selected target system, will lead to a lower score for the red team.
Attack launch stage: Prior to launch, the active red team must do the following throughout its CFM:
- Share with iTrust the “live” screen of the computer that is used to launch the attack via an online communication tool (e.g. Skype);
- Allow iTrust to video record the screen; and
- Inform judges (1) the intention of the attack; (2) the targeted component(s); and (3) the launch procedure.
Only one attack can be launched at a time, on either SWaT or the digital twin variant, but not on both simultaneously. The duration of an attack will be determined in real time by iTrust’s cyber security technology engineers stationed physically at SWaT. Attacks that take a long time, e.g., 30 minutes, to have a noticeable impact on the plant will likely be halted by the judges before the impact is visible.
Note on screen recording: this is purely for iTrust’s post-event analysis and report writing purposes; recordings will not be shared with anyone or made public without written permission from the red team.
[Updated 5 June] Blue teams can now select their 2-hour time slot for the hardware installation at SWaT, up to three slots per blue team
The performance of each red team will be assessed in real time by a team of judges consisting of cyber security experts and engineers working in the critical infrastructure domain. All teams that successfully complete the exercise will be given a certificate of participation. Judges will score each team during the event based on criteria such as the complexity of the attacks launched and whether an attack succeeds in producing an anomaly in at least one of the plant state variables. The top three red teams will receive cash awards of S$2,000, S$1,000 and S$500 respectively. Scoring will be based on the following individual elements:
- target selection modifier
- point of entry modifier
- attack target
- attack success and detection modifier
- novel attacks
Attack detection by blue teams
It is important for blue teams to note that CISS2020-OL is being conducted to simulate attacks on a live city-scale plant. Hence, it is assumed that the security systems deployed by each blue team are operational throughout the exercise, except when the target system, i.e., SWaT or the digital twin, is not running or is being reset. No effort shall be made to prevent, halt or thwart any attacks launched by the red teams.
Phase V: Data Analysis & Reporting
iTrust will begin data analysis soon after the end of the exercise. The analysis will result in metrics such as the number and types of attacks launched, success rate, detection rate (and false positives), and time taken to detect. Technologies developed in iTrust, and tested during the exercise, will also be evaluated and the outcome included in the event report.
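To make the metrics named above concrete, the following added example (not iTrust’s or CISS2020-OL’s own tooling) computes the number of attacks launched, success rate, detection rate, false positives and time-to-detect from two constructed logs: a judge-recorded attack log (launch time, halt time, targeted stage, whether a plant state variable went anomalous) and one blue team’s alert log (alert time, flagged component). The field layout, the 5-minute grace window after an attack is halted, and all sample times are assumptions made for illustration only.

```python
"""Post-exercise metric computation for a red-team/blue-team ICS exercise.

Added example, not part of the CISS2020-OL page or iTrust's tooling. Assumed
inputs: a constructed attack log and a constructed blue-team alert log. An alert
is attributed to an attack if it falls inside the attack's window (launch time
up to halt time plus a grace period); alerts matching no attack are counted as
false positives.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Attack:
    attack_id: str
    launched: datetime   # when the red team launched it (judge-recorded)
    halted: datetime     # when the judges stopped it / it finished
    target: str          # targeted SWaT stage, e.g. "P1"
    caused_anomaly: bool # did a plant state variable become anomalous?


@dataclass
class Alert:
    raised: datetime
    component: str


# Constructed sample data (naive datetimes, all in GMT+8 for simplicity).
ATTACKS = [
    Attack("A1", datetime(2020, 8, 3, 9, 30), datetime(2020, 8, 3, 9, 45), "P1", True),
    Attack("A2", datetime(2020, 8, 3, 10, 0), datetime(2020, 8, 3, 10, 20), "P3", False),
    Attack("A3", datetime(2020, 8, 3, 11, 0), datetime(2020, 8, 3, 11, 30), "P5", True),
]
ALERTS = [
    Alert(datetime(2020, 8, 3, 9, 33), "P1"),   # true detection of A1
    Alert(datetime(2020, 8, 3, 9, 40), "P1"),   # second alert for A1
    Alert(datetime(2020, 8, 3, 10, 50), "P2"),  # no attack in progress: false positive
    Alert(datetime(2020, 8, 3, 11, 12), "P5"),  # true detection of A3
]


def attribute_alerts(attacks, alerts, grace=timedelta(minutes=5)):
    """Map each alert to the attack whose window [launched, halted + grace] contains it.

    Returns (detections, false_positives): detections is {attack_id: [alerts]},
    false_positives is the list of alerts that matched no attack window.
    """
    detections = {a.attack_id: [] for a in attacks}
    false_positives = []
    for alert in alerts:
        owner = next(
            (a for a in attacks if a.launched <= alert.raised <= a.halted + grace),
            None,
        )
        if owner is None:
            false_positives.append(alert)
        else:
            detections[owner.attack_id].append(alert)
    return detections, false_positives


def exercise_metrics(attacks, alerts):
    """Compute the report metrics for one blue team over one exercise."""
    if not attacks:
        raise ValueError("no attacks recorded; metrics are undefined")
    detections, fps = attribute_alerts(attacks, alerts)
    detected = [a for a in attacks if detections[a.attack_id]]
    # Time-to-detect: delay from launch to the earliest attributed alert.
    ttd = {
        a.attack_id: min(al.raised for al in detections[a.attack_id]) - a.launched
        for a in detected
    }
    return {
        "attacks_launched": len(attacks),
        "success_rate": sum(a.caused_anomaly for a in attacks) / len(attacks),
        "detection_rate": len(detected) / len(attacks),
        "false_positives": len(fps),
        "time_to_detect_s": {k: v.total_seconds() for k, v in ttd.items()},
    }


if __name__ == "__main__":
    for key, value in exercise_metrics(ATTACKS, ALERTS).items():
        print(f"{key}: {value}")
```

On the constructed data the blue team detects two of the three attacks (A2 goes unnoticed), raises one alert outside any attack window, and detects A1 after 3 minutes and A3 after 12 minutes. The grace window matters in practice: halted attacks can still produce delayed physical effects, so an alert shortly after the halt is attributed to the attack rather than counted against the blue team.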
Please direct any questions to email@example.com, with a subject line starting with [CISS 2020-OL].