Do the names Industroyer/CrashOverride, Stuxnet, Blackenergy 2, Havex and Triton ring a bell? These are the names of malware targeted at Industrial Control Systems (ICS). Targets were electric grid operators, Iran’s nuclear facilities and Saudi Arabian petrochemical plants . But even non-ICS targeted malware, like Petya , may have an impact on industrial control systems. NotPetya ransomware wreaked havoc at Maersk’s APM Terminal in Rotterdam. IT related crime has already infiltrated ICS. What can we do to protect existing systems without causing downtime?
Does your team know how to secure an OT environment?
Nixu Blog
November 12, 2021 at 10:00
Last week, cybersecurity professionals around the world were once again able to team up and test their skills in a Capture the Flag (CTF) competition organized by the industrial cybersecurity company Dragos. The CTF event took place on 2–4 November in connection with the annual Dragos Industrial Security Conference (DISC), which focuses on ICS cybersecurity. A total of 161 teams took part in the CTF, with seven teams solving all of the challenges. A team of Nixu specialists successfully tackled the CTF challenge and reached fourth place in the competition. What did the Dragos CTF entail and why is it different from the usual ones? Read more to find out.
Solving puzzles in the less traditional OT environment
Capture the Flag events usually involve challenges that are related to an Information Technology (IT) environment. CTFs are an excellent way for cybersecurity professionals to put their threat detection skills to the test in order to identify their strong areas and those that might need further practice. Dragos' CTF event is a newcomer in the field of CTFs, and it differs from the traditional ones because it is one of the few events where challenges are solved in an Operational Technology (OT) environment.
The Dragos CTF is developed to expose players to industrial control systems (ICS) through puzzles, with a heavy focus on defense and forensic concepts. The 15 puzzles ranged from programmable logic controller challenges to network protocol puzzles to flags embedded in memory dumps gathered from engineering workstations. Some of these activities were taken from playbooks by Threat Activity Groups, while others were influenced by Dragos’s customer engagements and experience.
Nixu's team of four cybersecurity specialists was steered by captain Tomi Lukkarinen, who works as Operational Technology Specialist at Nixu. The team also included Jani Hyytiäinen, Heikki Salo, and Lars Timberg, who all have experience in the cybersecurity field from various positions at Nixu.
The team found that the CTF tasks varied in terms of difficulty and scope. They considered challenges involving PLC-related puzzles, like PCAP analysis and Modbus traffic manipulation, to be most interesting. These challenges included descriptions of imaginary cyber-attacks on PLCs that could just as well happen in a real OT environment with a DCS or SCADA system. The team was provided with access to a setup where they had to dig into the OT protocols. One of these tasks was to find out how the PLC is controlling its Inputs and Outputs (I/O) and what could be done to stabilize the process only by sending commands by OT protocol to the PLC.
This was a refreshing CTF competition because instead of the traditional IT, it was focused on spotting and investigating threats that could compromise the security of the ICSs in factories, power plants, and other critical infrastructure.
– Jani Hyytiäinen, Senior Security Specialist, Nixu Cyber Defense Center
We aim at securing factories and industrial processes
Cybersecurity threats are big risks for organizations with industrial environments that have operational technology (OT). This means that also the demand for monitoring services provided by a Security Operations Center (SOC) is high. Yet, at least in Finland, not many cybersecurity companies offer SOC monitoring for OT environments. Some larger industrial companies can monitor their OT systems themselves, at least to some extent, but smaller companies might not have the resources for it.
Therefore, we at Nixu are gradually expanding our SOC services from IT to industrial environments to ensure that no matter what size of a company, its systems can be secured. Hence, this was also a good moment for the Nixu team to take part in a CTF that tests each team member's expertise in managing the security of OT/ICS. Fortunately, we have experts with the required OT/ICS experience, as we already do assessments and roadmaps for companies that want to know their security posture and need analyses on possible security issues in their industrial facilities.
The Dragos CTF was a good test for our team, as passing all of its components shows that we have the knowledge and skills at Nixu to offer SOC monitoring services also for OT environments.
– Tomi Lukkarinen, Operational Technology Specialist, Nixu Cyber Defense Center
What is your organization's safety plan like? Download our whitepaper 'Cybersecurity in an industrial environment', and create a plan X that prepares your company for a cyber-attack!
If you want to discuss your security posture with our specialists, get in touch, and let’s work on it together.