Well-known in the IT world, CTF competitions are less common in the domain of industrial cyber security focused on the cyber-resilience of OT. Cyber-attacks on industrial OT are rising as these systems become increasingly connected with IT systems and the Industrial Internet of Things.
Designing the competition
The challenge was designed to emulate a realistic IT-OT environment in which participants had to demonstrate real-world advanced penetration-testing tactics to capture the flags.
As in production OT environments, misconfigurations were present in the CTF infrastructure; only experienced offensive 'red teamers' were likely to spot them and turn them to their advantage.
“We also included enterprise-level security controls in the infrastructure that our teams needed to bypass and infiltrate, such as antivirus, firewall, restrictive lateral movement, role-based access and restrictive credential extraction,” explained Misra.
The competition was set up as a chain: the first flag had to be captured to obtain the information that enabled a team to move on to the second flag, and so on to the eleventh and final flag. Competitors first had to compromise the simulated enterprise asset-management IT system before they could gain access to the OT.
Using a proven training tool for the competition
During the simulation, the invited offensive teams were presented with an array of challenges of differing difficulty, including gaining initial access to the port's IT network, bypassing antivirus solutions, and breaching the OT network to manipulate an industrial process running on Applied Risk's OT Cyber Threat CADET mobile training module, which allows simulated hacking against real devices.
This proven training tool demonstrates an OT industrial process composed of several components, such as a programmable logic controller, controller logic, sensors/actuators, industrial protocols, and safety alarms.
“All real OT environments have similar components with more complex programming logic and some level of hardware/technical changes,” observed Misra. “Threat CADET boards help us understand the importance of analysing each element in isolation from a cyber-security perspective.”
Exploiting such an industrial process requires a combination of skills: an adversary mindset, red-teaming skills, out-of-the-box thinking, and an understanding of industrial protocols and technologies, he added.
Who captured the flags?
The six invited teams included cyber-security experts from global management consultancies KPMG and Deloitte; groups of students from Delft and Radboud universities; Vitens, the Netherlands’ largest water company; and artificial intelligence (AI) experts from DNV Group Research & Development.
KPMG and Deloitte each captured several flags, the student groups and DNV's AI team two each, and the water company one.
“It was interesting to see that while participants were from different backgrounds, all were very close to each other in principle. Some responded to hints and guidance more than others just because they already had some field experience,” Misra said.
Could AI outpace the cyber security experts?
DNV's AI experts effectively had three days to prepare for the competition, working in a team of two with only one Linux laptop, whereas the other teams had three people with three laptops and could therefore work in parallel. The DNV team had no previous cyber security experience but used the AI tools ChatGPT and HackerGPT to capture Flag 0 and Flag 1, and were close to capturing Flag 2 when the competition ended. In effect, they had picked the lock of the IT system, the step required to get into the OT system, before the competition was over.
Aleksandar Babic, Principal Researcher at DNV Group Healthcare, said: "We worked in an iterative process with these AI tools, asking them questions like 'how do we?' and feeding back into them any error output from the command lines on our laptop. The AI knew what we had asked it, what we did, and the error that we reported back to it, allowing it to give us more precise instructions on where to go next and what to do."
Misra commented: “We should understand that there is a difference in the mindset of an adversary with hacking experience and someone with only AI skills. But with little guidance, the AI team was able to fairly closely imitate actions that the students or a junior red teamer took. This is clearly an indication that AI and large language modules can enhance our own existing capabilities as red teamers and security experts. I strongly believe that they can.”
None of the other teams used AI, which raises the question: had they used it, would they have gained access to the IT system faster and gone on to capture even more flags than they did?
Babic said: “I think AI will shorten the time to make some attacks, probably more for skill levels below the top guys. Maybe it will also help more bad guys who make a lot of noise about having hacked something to get their names recognized. But it will also let the good guys get faster and learn quicker in what is always a cat-and-mouse game.”
The CTF was part of The NightWatch 2023, our flagship industrial cyber security event, which brought together top-tier speakers and leading experts in industrial cyber security from sectors including tech, energy and defence to explore the opportunities and challenges created by disruptive technologies such as AI, machine learning and quantum computing, with a focus on safeguarding critical infrastructure. Recordings of the presentations and discussions are now available on demand by registering here.