The ’85 Bears of Cyber Physical Security
A few days ago, our cybersecurity team of defenders faced over 50 of the world’s top hackers and security practitioners in the Hack the Building event.
The event, born from a joint partnership between MISI (Maryland Innovation and Security Institute) and USCYBERCOM (the United States Cyber Command), is an unrivaled, hands-on, live-facility critical infrastructure cybersecurity challenge.
Hackers, federal labs, building automation companies, academia and government agencies all competed to infiltrate, disrupt or take over a connected smart building, along with the computing systems and data inside a government-owned building.
A Real-World Target
The event is built around a specially designated, real-world target: a live, fully equipped 150,000-square-foot “smart” office building near Annapolis, Maryland, which on-site and remote teams are challenged to attack through its diverse IT, control systems, Internet of Things (IoT), access control, surveillance camera, building automation and other systems.
The Attack Scenarios
The event was split into two parts of two days each. In the first part, 13 pre-planned attack scenarios took place; in the second part, the network was open to any type of attack, letting attackers and defenders play in a more chaotic cyber war zone.
The building was equipped with many types of assets, such as PLCs, BAS controllers, industrial robots, power distribution units (PDU), IoT controllers, IP cameras & NVRs, serial to ethernet converters, and many other devices.
Each scenario targeted different assets and required different methods to reach the targets. For example, in one scenario the attackers broke into the data center’s cooling system and shut it down, which caused the servers to shut down. In another scenario, the fire alarm system was disabled.
The full list of scenarios is available here.
To simulate a real scenario, many details about the network were unknown to the defensive team. Moreover, some details that were provided were plain wrong, due to outdated network maps. These missing and inaccurate details made the defenders’ job more difficult.
Vulnerabilities Discovered by SCADAfence
The network had a number of common security issues:
- The network map was inaccurate and had missing information.
- The network was protected by firewalls, but many known and unknown connections between segments were possible.
- Some network segments had a mix of devices in them, for example a conference room camera and engineering stations resided in the same network.
- Some Windows/Linux devices had monitoring/security agents on them, but many devices weren’t covered by monitoring.
The SCADAfence Platform was deployed on an NPB (network packet broker) that aggregated multiple SPAN ports and network taps. Using the Platform, we were able to monitor the network in real time, and SCADAfence provided a SOC team to watch the Platform and detect attacks.
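The issues listed above (an inaccurate asset inventory, firewall segments with unanticipated cross-segment paths, and hosts with no monitoring agent) are exactly what a passive monitoring feed lets a defender reconcile. The following is an added example, not SCADAfence code and not data from the event: it takes a constructed segment map, a constructed allowlist of permitted segment pairs, a constructed inventory and a handful of constructed connection records as they might come from a SPAN/tap feed, and reports hosts absent from the inventory, flows between segments the firewall design did not permit, and inventoried hosts whose only coverage is the passive sensor. All addresses, ports and roles are made up for illustration.

```python
"""Reconcile a documented OT/BMS network map against observed traffic.

Added example (not SCADAfence's code, not the event's real data). Every
segment, address, port and role below is constructed for illustration.
"""
import ipaddress

# Documented segments per the (outdated) network map. Constructed sample.
SEGMENTS = {
    "bms": ipaddress.ip_network("10.10.1.0/24"),   # building automation controllers
    "eng": ipaddress.ip_network("10.10.2.0/24"),   # engineering stations
    "cams": ipaddress.ip_network("10.10.3.0/24"),  # IP cameras and NVRs
    "dc": ipaddress.ip_network("10.10.4.0/24"),    # data center, incl. cooling PLC
    "vpn": ipaddress.ip_network("10.20.0.0/16"),   # remote-access address pool
}

# Segment pairs (src, dst) the firewall design intends to permit. Constructed.
ALLOWED_FLOWS = {("eng", "bms"), ("eng", "dc"), ("cams", "cams"), ("bms", "bms")}

# Inventory per the network map: ip -> (role, has_monitoring_agent). Constructed.
INVENTORY = {
    "10.10.1.10": ("bas-controller", False),
    "10.10.2.20": ("eng-station", True),
    "10.10.3.30": ("ip-camera", False),
    "10.10.4.40": ("cooling-plc", False),
    "10.10.4.41": ("server", True),
}

# Connections seen on the SPAN/tap feed: (src_ip, dst_ip, dst_port). Constructed.
OBSERVED = [
    ("10.10.2.20", "10.10.1.10", 47808),  # eng station -> BAS controller (BACnet), expected
    ("10.10.3.30", "10.10.4.40", 502),    # camera -> cooling PLC (Modbus): segment pair not in design
    ("10.20.5.7", "10.10.2.20", 3389),    # VPN client -> eng station (RDP): host not inventoried
    ("10.10.2.99", "10.10.4.40", 502),    # eng segment host not on the map -> PLC
    ("10.10.4.41", "10.10.4.40", 502),    # server -> PLC inside the data center: pair not in design
]


def segment_of(ip):
    """Map an address to its documented segment, or 'unknown' if none matches."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def reconcile(observed=OBSERVED, inventory=INVENTORY, allowed=ALLOWED_FLOWS):
    """Return the three classes of findings the passive feed can surface."""
    findings = {"unknown_hosts": set(), "unexpected_flows": [], "unmonitored": set()}
    for src, dst, port in observed:
        # 1. Hosts that talk on the wire but are absent from the documented inventory.
        for ip in (src, dst):
            if ip not in inventory:
                findings["unknown_hosts"].add(ip)
        # 2. Segment-to-segment paths the firewall design did not anticipate.
        pair = (segment_of(src), segment_of(dst))
        if pair not in allowed:
            findings["unexpected_flows"].append((src, dst, port, pair))
    # 3. Inventoried hosts active on the wire that carry no agent: the passive
    #    sensor is their only detection coverage.
    seen = {ip for flow in observed for ip in flow[:2]}
    for ip, (_role, has_agent) in inventory.items():
        if ip in seen and not has_agent:
            findings["unmonitored"].add(ip)
    return findings


if __name__ == "__main__":
    result = reconcile()
    print("Hosts not in inventory:", sorted(result["unknown_hosts"]))
    for src, dst, port, pair in result["unexpected_flows"]:
        print(f"Unexpected flow {src} -> {dst}:{port} ({pair[0]} -> {pair[1]})")
    print("Active hosts without an agent:", sorted(result["unmonitored"]))
```

The two checks are deliberately independent: the host 10.10.2.99 sits in a segment whose path to the data center is permitted, so its flow raises no segment alert, but it is still flagged because the map never listed it. Conversely, the server-to-PLC connection is between two inventoried, agent-covered hosts and is flagged only because that pairing was never part of the firewall design.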
Over 50 Hackers Attacked the Network at the Same Time
This event is a rare opportunity to stress-test a security product. It is a lot harder to defend against than a typical cyber attack: over 50 hackers attacked the network at the same time, with each team targeting different assets and arriving from a different place in the network. Some attackers came from the internal network and took over legitimate hosts, then used them to attack other assets. Others came from the company’s VPN, and from other places.
They used a large variety of attack tools and tactics, including physical attacks – hacking an access control system with badge readers.
We were happy to see that the SCADAfence Platform was able to detect the broad spectrum of attacks over the course of these 4 days.
The findings from the SCADAfence Platform were presented to the audience in two live streaming sessions (the full videos will be shared as soon as they become available to us). We were interviewed by Armando Seay, Co-Founder of MISI, and together explained the attack tactics used by the attackers.
Adversaries Play Dirty Using Social Engineering
At one point, one of the red team members was able to infiltrate the blue team’s live discussion channel and alert the red team about our actions. He got into the channel through social engineering, by identifying himself as a member of one of the blue teams.
When we (the blue team) found out we had a mole in our channel, we started a mole hunt and finally figured out who the adversary was. We’re not sure whether it was part of the planned surprises in the exercise, but regardless – it was an important drill for something that can happen in real life.
This has been a wonderful event, and a rare opportunity to showcase our product and exercise attack/defense scenarios on real industrial hardware, running real processes. We want to thank MISI (Armando, Mark, Alexander, Karissa, Joseph) and USCYBERCOM for planning and executing this event.
We want to thank the red team for the creativity and for the interesting challenges and surprises they had for us, and to the blue team (which we were part of) for the collaboration.
To learn more about SCADAfence’s advanced capabilities, you can watch some short product demos here: https://l.scadafence.com/demo
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
SCADAfence helps companies with large-scale operational technology (OT) networks embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. Our non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and user experience. The platform seamlessly integrates OT security within existing security operations, bridging the IT/OT convergence gap. SCADAfence secures OT networks in manufacturing, building management and critical infrastructure industries. We deliver security and visibility for some of the world’s most complex OT networks, including Europe’s largest manufacturing facility. With SCADAfence, companies can operate securely, reliably and efficiently as they go through the digital transformation journey.