SWaT Security Showdown – S3
Date: July 26-27, 2016S3
Time: 9am – 8.30pm
Venue: Building 2 Level 7, 2.705, SWaT Lab
[Update 16 Feb 17: S3 report is now available]


This hands-on security event, named S3, will take place in the SWaT (Secure Water Treatment) laboratory of iTrust housed at the Singapore University of Technology and Design (SUTD) on July 26-27, 2016. The event is sponsored by iTrust, a centre for research in cyber security.

Participants in S3 include attack and defence teams from academia and industry. Teams are expected to be composed of 3-5 cyber security experts. The goal of S3 is two-fold: (a) allow security researchers to empirically test industrial and academic defence mechanisms against skilled attackers; (b) allow ethical attackers and researchers to enhance their practical knowledge on state-of-the-art Industrial Control Systems.

S3 is partitioned into two phases: on-line and live. In the on-line phase, attacker teams will learn about SWaT by means of remotely accessible security challenges. Such challenges include, for instance, forensic tasks based on SWaT network traces and PLC Logic programming. In the live phase, attackers will be challenged to realise concrete goals in the SWaT plant, such as overflowing a tank or taking control of a pump. The points earned by an attacker team will be weighted based on the capabilities needed to launch the attack and the number of defences successfully bypassed during the attack.

Following the live phase, attackers will be ranked based on the total points earned. Top-ranked teams will be awarded prizes. Additionally, the event organisers at iTrust will prepare a report, in collaboration with attackers and defenders, summarising the experience and the lessons learned.

  • Information disclosed to attacker teams: Technical details on SWaT, such as network architecture, protocols and devices used, will be released. Publicly available white papers on mechanisms deployed by defence teams will be shared with the attackers.
  • Information disclosed to defenders: : iTrust will work in close collaboration with defender teams to integrate their defence mechanisms into SWaT. Information about normal operation of SWaT will be disclosed to defenders in order for them to fine-tune their systems and avoid false alarms.

List of participants at S3

Team Industry Academia
Attack Siemens AG (Germany)

Applied Risk (Netherlands)

Ernst & Young

Lancaster University (UK)

National University of Singapore (Singapore)

University of Illinois Urbana-Champaign (US)

Defence RSA (Singapore)

Security Matters (Netherlands)

Checkpoint + ICS2 (Singapore, Israel)

Singapore University of Technology and Design (Singapore, three teams)

As S3 is a useful learning opportunity, selected iTrust collaborators will be invited to the event as observers.

On-line Phase (Slot 1: 27–29 June; Slot 2: 2-4 July)

The on-line phase will have a duration of 48 hours. It will consist of security challenges in various categories, such as forensics, PLC logic, network simulation and miscellaneous. Similar in spirit to Capture-The-Flag (CTF) events, it will allow attacker teams to score points, that will count towards the final ranking. Attackers can participate remotely. Access to challenges and on-line infrastructure might be extended beyond the on-line event dates to allow attackers to practice and prepare for the live phase.

Live Phase (26-27 July)

During the live phase, all defence mechanisms will be integrated into SWaT and operating simultaneously. Since all invited defender teams focus on passive detection, they will run in parallel without affecting each other. Attackers will be given 12 hours for passive reconnaissance on Sunday the 22nd of July. On July 25-26, attacker teams will be assigned a 3-hour slot in which they will be able to launch their attacks. Team members present in Singapore will be given physical access to SWaT, whereas remote team members will be given network access. The success of attacks, the capabilities needed to launch them and the number of alarms raised during their execution will be verified by the event organisers. Based on this information, the points scored by individual teams will be updated. All participants will be given a participation plaque while the winning team will earn a specially designed plaque.

Project Report

Based on the overall experience, the organisers, in collaboration with the participants, will prepare a white-paper summarizing the event in collaboration. The white paper will include lessons learned, interesting observations reported by attackers and defenders, and an overall assessment of the defenses deployed. Where requested, the report will be anonymised. This report will be made public through a suitable channel (technical report or scientific publication) and will serve as a basis for future versions of S3.

Participation of the S3 event is by-invitation-only.