The Claroty Blog

Test Your ICS Cybersecurity Skills at the RSA Capture-the-Flag Challenge

Patrick McBride

Last week, I wrote about ICS Village, a non-profit organization dedicated to education and training on ICS cybersecurity topics.  As part of the ICS Village program at the RSA Conference starting April 16, Airbus and Claroty are co-sponsoring an ICS capture-the-flag competition. 

To sign up for the competition, stop by the ICS Sandbox at the San Francisco Marriott Marquis (one block from the Moscone Convention Center). Hours are Tuesday, April 17, 4:30pm-6:00pm; Wednesday, April 18, 8:00am-5:00pm; and Thursday, April 19, 8:00am-3:30pm.

To learn more about the competition, we sat down with Airbus’ Dr. Kevin Jones and Claroty’s Elhanan Ballas.

Claroty: Hi Kevin, thanks for joining us. Let’s start with a little background: what is Airbus doing in industrial cybersecurity?

Kevin Jones: Airbus is one of the world’s largest manufacturing companies and operates a significant industrial estate; therefore, it is vital that the latest security technologies and processes are in place, along with highly trained and knowledgeable staff, to protect from cyberattacks. Airbus is also one of Europe’s leading defense organizations and supports numerous Critical National Infrastructure operators in securing facilities. One of the key considerations in the emerging landscape of cybersecurity in industrial environments is innovation; therefore, Airbus has developed a leading research facility specializing in ICS systems to develop bespoke and customized solutions. The innovation laboratories also serve to provide the latest knowledge and awareness to the operational business.

Claroty: What is your role at Airbus?

Kevin Jones: I am head of Cyber Security Architecture and Innovation, which means I lead a global network of teams, projects and collaborations, including research & innovation, state-of-the-art solutions development, and technology scouting for cyber security across IT, ICS and Product security domains.

Claroty: How did the Airbus team come to be involved in ICS Village?

Kevin Jones: Airbus has developed leading specialist experts in ICS cyber security within the research & innovation laboratories and is always keen to participate in global events along with other leading experts. In cybersecurity, the people network and collaborations are key.  The ICS Village participates in numerous events and is an amazing group of people, with expert knowledge, that all recognize the need to raise awareness and improve community skills in ICS cyber security.  Being able to participate and provide knowledge, workshops, and challenges has been very beneficial to our Airbus teams and it is always a bonus to be part of such a thriving community.

Claroty: Claroty and Airbus are collaborating on a capture-the-flag competition at this year’s RSA Conference. Tell us about the event.

Kevin Jones: Airbus has teamed up with Claroty and De Montfort University at the RSAC this year to run a workshop capture-the-flag (CTF) specific to Industrial Control Systems so participants can get hands-on experience and advice about how to detect and defend against cyberattacks within these critical environments. The CTF is designed to be both challenging and fun, but is also a rare opportunity, at such major conferences, for participants to undertake specialist training on ICS scenarios. The CTF at RSA follows on from very successful workshops by all partners of the ICS-Village at Defcon 2017 and continues to ensure the security community has opportunities to develop knowledge in order to continue protecting critical systems in the future.

Claroty: Elhanan, you and the Claroty research team have put a lot of effort into preparing the challenges.  What kind of work goes into designing the challenges?

Elhanan Ballas: Initially, we need to decide on a theme for the challenge. Obviously, something in the field of information security and how it relates to operational technology, but we want the challenges to represent real-world scenarios. Of course, we throw some tricks in the mix as well. We start with more general networking-related challenges, then we dive into more OT-related challenges such as industry level protocols and circumvent practices that have been implemented with different vendors in the past decade. It’s a lot of work but also a lot of fun to come up with challenges that are demanding, but solvable.

Claroty: Is this a team competition or individual?

Elhanan Ballas: The competition is open to either individuals or teams. From what I’ve seen in past competitions though, it’s the teams that do better and seem to have the most fun.

Claroty: What is the format?

Elhanan Ballas: The format of the challenge is gamified so that one must solve the first challenge in order to move to the next. At the beginning of every challenge, users will be provided with a description of what they have to achieve/do as part of the challenge. Scores are not affected by the time it takes to solve each "challenge", but contestants need to use their time efficiently. For some of the challenges, they may receive additional files, such as a PCAP/DOC, that are necessary to solve the challenge. In every challenge, the flag is something that contestants must find and enter into the CTF dashboard. Additionally, there is a different score value for each challenge. The more difficult challenges are obviously worth more points. In some challenges, users can receive "hints", but you have to be careful with these because using a hint might deduct points from your score, even if you solve the challenge.

Claroty: What do you expect to see?

Elhanan Ballas: People get really into solving these challenges.  It’s not just the competition against other teams, but also the personal pride as a security professional.  From an OT perspective, and as a sponsor of ICS Village, we strongly believe in the need for education and training opportunities, so we hope the competition gets many people involved and introduced to the specific/unique challenges of exploits in the field of OT security; this can be done either actively as a competitor or passively as a spectator. Bottom line…have fun while solving some challenges and mind-bending riddles. We urge you to drop by ICS Village and ask questions, even if you are not familiar with this world and the OT/ICS environment.

Claroty: How can someone get involved either as a competitor or a spectator?

Elhanan Ballas: The CTF will be published online when the ICS Village goes live.  Anyone coming to the ICS Village should drop by at the Claroty/Airbus booth and sign up for the challenge.
