Hackers Attack Model Water Treatment Facility in Cybersecurity Competition

March 9, 2017


‘Capture-the-flag’ challenge alludes to potential vulnerabilities in the water sector

California State Polytechnic University, Pomona professor Dan Manson (back) stands with students, from left, Nate Hom, Raissa Englehard, Joe Needleman, and Jose Ybanez. The students built a device that replicated the functions of a water treatment facility for the Passcode Cup cybersecurity competition. Photo courtesy of Tom Zasadzinski.


A miniature-sized mock water treatment facility was the target of cyberattacks at the first-ever Passcode Cup hacking competition. A network security challenge using a computer simulation based on the traditional “capture-the-flag” team game was held in Washington, D.C. as a training opportunity for future cybersecurity professionals. Hacking teams from universities and the private sector participated in the 4-hour competition hosted by Passcode, an online security publication of the Christian Science Monitor.

A team of California State Polytechnic University (Cal Poly), Pomona students built the model facility to simulate water treatment operations and outfitted the system with large plastic tubs, aquarium water pumps, and polyvinyl chloride piping. The team also wrote thousands of lines of code, programming the model with hardware, power controllers, network computers, sensors, and other software.

When tasked with developing a target for the competition, Cal Poly Pomona student Joe Needleman, the team lead, researched different systems that serve vital roles in society. He chose a water treatment facility because of the importance of providing clean water and because it represented an area that is “somewhat obscure in terms of network security,” he said.

Needleman found information online on Canadian water treatment facilities, which he used as the basis for the model. “We built a network of pumps and filter systems, trying to emulate the infrastructure of a water treatment [facility] as best we could,” Needleman said. “We tried to make it as realistic as possible.”

Needleman made adjustments for the competition — for example, enabling an intake of “dirty” water to be channeled directly to a “clean” water container. A real facility likely would not have this configuration, “but for the challenge, it demonstrated the importance of managing flow and that being able to securely control these types of systems is essential,” Needleman said.

Once the competition got underway, 13 different hacker teams launched cyberattacks at the Cal Poly Pomona replica plant, searching for vulnerabilities in the constructed network and attempting to gain access to the control system. Needleman and his team, playing the role of facility operators, attempted to keep the facility running during the onslaught, monitoring systems and resetting values when controls were manipulated.

The attacks ranged from overwhelming the facility’s power control system to penetrating the system that controls water levels, to breaching the facility’s network and deleting user accounts and passwords. Eventually, the attacks resulted in the facility losing power as well as causing one of the tanks to overflow.

“One of the teams was able to gain entry and delete entire systems,” Needleman said. “That was entirely unexpected. Luckily, we had backups, but it was something that we hadn’t planned for.”

In working with control systems, programmable logic controllers, and various open hardware consistent with what is used in treatment facilities, Needleman concluded that the components were not made with security in mind, and the exercise revealed vulnerability. “For me, that was the biggest takeaway,” he said. “These devices are not designed to maintain security or maintain authentication, they are designed for operation.”

— Jeff Gunderson, WEF Highlights
