With the increasing prevalence of cyber attacks around the world, it has become more imperative for cyber physical systems and the associated owners to enhance their defence capabilities. To aid in this respect, iTrust, a Centre for Research in Cyber Security at the Singapore University of Technology (SUTD) has organised a hacking competition on a realistic cyber-physical system. This event is part of its Secure Cyber-Physical (SCy-Phy) Systems Week 2016, a week-long event for cyber security experts from across the world to brainstorm and discuss key issues on the design of secure Cyber Physical Systems (CPS).
The hacking competition, also known as the SWaT Security Showdown (S3), consisted of two phases: a pre-competition online challenge and a “live” challenge, in which cyber attackers, or white hats from both academic and commercial organisations attempt to hack into iTrust’s Secure Water Treatment (SWaT) system. SWaT is a testbed which emulates the physical and chemical processes commonly present in a real-world water treatment plant. Six defence mechanisms were deployed in the SWaT system and six teams of cyber attackers were tasked to hack into various parts of the system, with points awarded for each successful attack. The six teams were from Applied Risk, Ernst and Young (EY), Lancaster University, National University of Singapore (NUS), Siemens AG, and University of Illinois Urbana-Champaign-Advanced Digital Sciences Center (UIUC-ADSC).
The aim of S3 is to (a) assess the robustness of the installed defence mechanisms; (b) compile the attack methodologies used by various cyber attackers; and (c) provide learning points for all parties involved, in order to build a more robust and secure defence system for Singapore’s critical infrastructures.
One of the organisers of the S3, Dr Nils Tippenhauer, an Assistant Professor at the Information Systems Technology and Design (ISTD) Pillar in SUTD said: “The S3 is a one-of-a-kind event not seen anywhere else in the world as it provides a realistic testbed to carry out such security exercises. In organising such an event, we are exposed to a wide range of attacks and defence systems, which will help us design more robust and secure CPS.”
Agreeing with his co-organiser, Dr Martin Ochoa, also an Assistant Professor at ISTD, added: “This event helps us to verify the efficacy of our own countermeasures with respect to advanced cyber attacks. As all participants will share their work (e.g., methodology, reports and findings from the event) with iTrust, and the knowledge gained will be made available in the public domain as part of iTrust’s mandate to share and transfer knowledge back to society.”
At the end of the two days, the NUS GreyHats team was declared as the overall winner based on combined performance in both phases of the competition, while the team from UIUC-ADSC won the live challenge at the SWaT site. All attacks launched by the six attack teams were detected almost immediately by the defense mechanisms installed in SWaT.
NUS GreyHats had this to share about their experience: “This is the first time we are participating in a cyber physical event, particularly on cyber defence. The differentiating factor between CPS and other systems is that consequences are more dire. Other than hardening our virtual defences, we cannot overlook the physical aspects of security such as installations of hardware backdoors. Our advice to organisations is: You don’t own what you can’t defend, and ignorance is a hacker’s greatest weapon.”
One of the observers at the event, Mr Lim Soon Chia, Director of Technology at the Cyber Security Agency of Singapore (CSA), said: “Cyber threat is a clear and present risk, and increasingly so for Industrial Control Systems (ICS). The S3 event brings cyber security alive and into action. For the first time, cyber defenders are pitted against attackers in a realistic ICS water plant setup. This reveals the vulnerabilities and risks that ICSs are subjected to, and highlights the importance of security by design, and the need to be prepared and ready against cyber security threats.”
As part of the SCy-Phy Week, iTrust is also organising an outreach workshop to students from secondary schools, institutes of technical education, junior colleges and polytechnics to expose them to some of the common security loopholes in the Internet of Things (IoT) devices. Participants will also get to try hands-on hacking exercises on some of these devices to understand how vulnerable they are, and finally discuss possible mitigation techniques for the threats discovered.