On April 1st 2017, fifteen collegiate teams from across the country participated in Argonne National Laboratory’s Second Annual Cyber Defense Competition. Blue Teams defended their networking infrastructure and utilities against attacks from the Red Team. This post will detail the highlights of the competition, including how teams were breached, what went into scoring, and how our team built the Industrial Control Systems for the competition.
Welcome to #Argonne's 2nd Annual Cyber Defense Competition! #ArgonneCDC pic.twitter.com/W4PacEaA0L
— Argonne National Lab (@argonne) April 1, 2017
Competition Team Descriptions
Over 150 people came together on the day of the competition to participate in various teams. This CDC caters to both technical and non-technical users, which helps foster learning and a collaborative environment.
Blue Team: Collegiate teams defending their infrastructure against the Red Team
Red Team: The “attackers” attempting to infiltrate the Blue Team infrastructure
Green Team: Users that simulate a real life user of the system. Volunteers followed documentation provided by the Blue Team to navigate the website and control the Human Machine Interface (HMI) via the web portal
Pink Team: The “learn to hack” team. Pink Team members learned the practical application of vulnerabilities and exploits, virtualization, Kali Linux tools, and how to attack a Metasploitable box
White Team: Argonne architecture staff. These members are available for assistance by any team in the event of network failure, hardware failure, or Industrial Control System (ICS) failure
Overview and Scenario
Students had to design a secure network for the country of Pangea, ensuring that the systems maintain availability and run with as much uptime as possible, despite neighboring countries (Red Team) escalating attacks on Pangea’s network. Collegiate teams were also required to secure both the customer facing online portal and industrial services. These services consisted of repair infrastructure and a HMI for the water pumps and power grid. Teams were also required to have the following services active at all times:
- Website/Web Server
- Help Desk
- Email Server
- File Server
- Active Directory Server (provided)
- HMI, and
Teams seemed well-prepared to defend their infrastructure from attacks. Teams were able to arrive the day before the competition (March 31st) to set up their services and ensure that these services were communicating correctly with our scoring engine. Some teams had issues properly configuring DNS, but most teams were able to configure their services correctly. Some teams attempted to spoof service availability, which was quickly remediated once White Team notified them that this was not allowed. Teams were compromised by Red Team via the following:
- ICS Root Account Change
Red Team attacks simulated infiltration that can happen in the real world, and thus gave Blue Teams valuable insight.
Blue Teams were scored on the following parameters:
- Red Team: 500 points
- White Team: 300 points+
- Green Team: 200 points+
- Total: 1000 points
Red Team Scoring
Red Team members performed attacks on Blue Team networks, topology, and software. For every successful attack, points were subtracted from the total of 500 points. Red Team points were based on the type of attack, the duration of the attack, and how often the attack was repeated.
White Team Scoring
Blue Teams were required to submit White Team documentation prior to the competition. Tardy documentation was penalized 10 points/day. Service scoring was based on the required services and their uptime. Teams lost points for services with downtime during the required competition hours. Intrusion reports were required of every team every other hour beginning at 10:00am CT. White team required these reports to contain analysis with each intrusion report, not just a dump of log files. Each report was worth 25 points.
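As an added illustration of how uptime-based service scoring can work, here is a small Python sketch. It is not Argonne's scoring engine (whose weights and check cadence are not described in this post); the service hosts, ports, point weights and check history are constructed assumptions. It also shows why a protocol-level probe is a better availability test than a bare TCP connect, which is relevant to the spoofed-availability attempts mentioned earlier: a dummy listener passes the TCP check but not the HTTP one.

```python
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    host: str
    port: int
    points: float  # points awarded for this service at 100% uptime


# Constructed service list; hosts, ports and weights are assumptions for the example.
SERVICES = [
    Service("web", "10.0.0.10", 80, 40),
    Service("helpdesk", "10.0.0.11", 443, 20),
    Service("email", "10.0.0.12", 25, 20),
    Service("files", "10.0.0.13", 445, 20),
    Service("hmi", "10.0.0.20", 8080, 40),
]


def tcp_probe(host, port, timeout=2.0):
    """Weak check: True when a TCP handshake completes. This only proves that
    something is listening, so a dummy listener would pass it."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http_probe(host, port, timeout=2.0):
    """Stronger check for the web and help-desk services: the listener must
    answer a GET with an HTTP status line, so a bare open port does not count."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            return sock.recv(16).startswith(b"HTTP/")
    except OSError:
        return False


def uptime(checks):
    """Fraction of scheduled checks that passed; a service never checked counts as down."""
    return sum(1 for ok in checks if ok) / len(checks) if checks else 0.0


def score_services(services, history):
    """history maps service name -> list of bool, one entry per scheduled check.
    Points scale linearly with uptime. Returns (per-service points, total)."""
    per_service = {
        svc.name: round(svc.points * uptime(history.get(svc.name, [])), 2)
        for svc in services
    }
    return per_service, round(sum(per_service.values()), 2)


def late_documentation_penalty(days_late, per_day=10):
    """10 points per day late, as stated for the White Team documentation."""
    return max(0, days_late) * per_day


# Constructed check history: eight checks per service during the scoring window.
HISTORY = {
    "web": [True, True, True, False, False, True, True, True],      # 6/8 up
    "helpdesk": [True] * 8,                                          # 8/8 up
    "email": [True, True, False, False, False, False, True, True],  # 4/8 up
    "files": [True] * 8,                                             # 8/8 up
    "hmi": [True, True, True, True, True, True, True, False],       # 7/8 up
}

if __name__ == "__main__":
    per_service, total = score_services(SERVICES, HISTORY)
    for name, pts in per_service.items():
        print(f"{name:9s} {pts:6.2f}")
    print(f"total     {total:6.2f}  (documentation 2 days late: -{late_documentation_penalty(2)})")
```

In a live scorer the `HISTORY` lists would be filled by running `http_probe` or `tcp_probe` on a schedule; the linear uptime-to-points mapping is one simple choice, and a competition could just as well use a threshold or a per-interval penalty.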
Below are the key points on which White Team based scoring:
- Details of the team's network layout
- Network diagram(s)
- Discussion of special measures taken to secure the network

- Supporting diagrams: ____/50 pts
- Detailed write-up: ____/30 pts
- Professionalism: ____/10 pts
- Effectiveness of plan: ____/10 pts
Green Team Scoring
The Green Team reviewed, evaluated, and scored the Blue Team's work based on documentation, overall performance, and the helpfulness of the Blue Team. Blue Teams were required to provide a user acceptance testing script for their Green Team members. The script was expected to give step-by-step guidance on how a user could navigate the Blue Team's system, and the required testing had to include instructions for the following:
- Logging in
- Transferring files
- Adding comments to posts
- Accessing the ICS HMI
- Requesting support through the help desk
- Answering a request from the help desk
Teams that had more detailed Green Team instruction sets tended to score higher than teams that assumed Green Team members had a background in User Acceptance Testing or a high proficiency in computing.
During the competition, anomalies were delivered by White Team staff. These anomalies were worth varying point values based on their level of difficulty. Blue Teams had to submit responses to anomalies before they expired in order to earn points. Responding to anomalies was optional, but Blue Teams that did not submit responses were not awarded any points. Anomalies accounted for 200 additional points.
Building the Industrial Control System
Building 15 ICS boards proved to be an interesting task. These city boards had power and water utilities that Blue Teams were required to keep running. Blue Teams were scored on availability, which was tested by the Green Team. Building the infrastructure for this competition was a rewarding, yet challenging, experience. Our ICS architect first separated the electric components from the water components, in case either the water reservoir or the pump failed; a two-tier board was therefore used.
See Figure 1 for more details.
Figure 1: ICS Design
It also became apparent that the power provided by the Pi was not enough to drive both the LEDs and the relay that was wired into the board. We decided to power the LEDs from a 9V battery, to ensure that there was enough power for the length of the competition. We were also initially unsure what voltage the LEDs would require. We ended up with the following wiring and power configuration, adding resistors where necessary to limit the current so as not to burn out the LEDs.
Figure 2: Circuitry Design
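The resistor sizing mentioned above is Ohm's law across the series resistor: R = (V_supply - V_forward) / I. As an added example (not the circuit from the competition board), the following Python helper computes the minimum resistance for a 9 V supply, rounds up to a standard E12 value, and reports the resulting current and resistor dissipation so a resistor with an adequate power rating can be chosen. The LED forward voltage (2.0 V) and maximum current (20 mA) are assumed typical red-LED values, since the post does not give the LED specifications; the `n_series` parameter goes slightly beyond the text by handling several LEDs in series from the same 9 V supply.

```python
import math

# Standard E12 resistor series (one decade); values repeat every power of ten.
E12 = [1.0, 1.2, 1.5, 1.8, 2.2, 2.7, 3.3, 3.9, 4.7, 5.6, 6.8, 8.2]


def min_resistance(v_supply, v_forward, i_max, n_series=1):
    """Ohm's law across the series resistor: R = (Vs - n*Vf) / I.
    Raises if the LEDs' combined forward drop leaves no voltage headroom."""
    headroom = v_supply - n_series * v_forward
    if headroom <= 0:
        raise ValueError("supply voltage must exceed the total LED forward voltage")
    return headroom / i_max


def nearest_e12_above(r):
    """Smallest E12 value >= r; rounding up keeps the current below i_max."""
    decade = 10 ** math.floor(math.log10(r))
    for base in E12:
        candidate = round(base * decade, 6)
        if candidate >= r:
            return candidate
    return float(10 * decade)


def pick_resistor(v_supply, v_forward, i_max, n_series=1):
    """Choose a standard resistor and report the resulting LED current and the
    power dissipated in the resistor (a 1/8 W part is marginal above ~100 mW)."""
    r_min = min_resistance(v_supply, v_forward, i_max, n_series)
    r = nearest_e12_above(r_min)
    headroom = v_supply - n_series * v_forward
    current = headroom / r
    return {
        "r_min_ohm": round(r_min, 2),
        "r_ohm": r,
        "i_mA": round(current * 1000, 2),
        "p_mW": round(headroom * current * 1000, 2),
    }


if __name__ == "__main__":
    # Assumed LED parameters: ~2.0 V forward drop and 20 mA maximum (typical red LED);
    # the actual LEDs on the competition board were not specified in the write-up.
    for n in (1, 2, 3):
        print(n, "LED(s) in series on 9 V:", pick_resistor(9.0, 2.0, 0.020, n_series=n))
```

For a single assumed LED on 9 V this gives a 350 Ω minimum, a 390 Ω standard part, about 17.9 mA through the LED and about 126 mW in the resistor, which is why a 1/4 W resistor is the safer choice there; three such LEDs in series need only 150 Ω and dissipate about 60 mW.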
The initial design for the ICS used an Arduino, but we then realized we would need many extra components for a proper configuration. We therefore switched to a Raspberry Pi, which had built-in functionality that required less effort when building these systems. Our ICS architect also realized that he didn't have many of the tools needed to construct these devices, so the components needed to finish the system were built ad hoc.
Figure 3: ICS Device
Winners and Participants
Congratulations to the following teams that placed in Argonne's 2017 CDC:
1st Place: University of Illinois Chicago
2nd Place (tied): Dakota State University
2nd Place (tied): Kansas State University
COAR would like to thank the following teams that competed in this year's competition; everyone defended their systems admirably. We hope to see you back here for our 2018 Cyber Defense Competition!