To Hack an Oil Refinery in 7 Hours

The finals of Kaspersky Industrial CTF 2017, an industrial cybersecurity contest, were held on October 24, at the GeekPWN conference in Shanghai. This was the third CTF (Capture the Flag) tournament organized by Kaspersky Lab and the first to have the international status. Earlier, 696 teams from different countries had taken part in the qualifications. The three teams that competed in the finals were CyKor (Korea), TokyoWesterns (Japan), and Flappy Pig (China).

Kaspersky Lab co-organized the event with Keen Cloud Tech, which contributed an impressive venue and media coverage, including reporting by China Central Television (CCTV).

That Is Not a Toy!

The industrial CTF (Capture The Flag) competition is a unique contest which covers different aspects of cybersecurity and enables participants to test the virtual enterprise environment for possible vulnerabilities. Such testing is especially important for energy, oil & gas and transportation sectors, since these sectors are part of the critical infrastructure, any successful attack on which may have a disastrous human and economic effect.

In the CTF finals, the teams attempted to hack a model of an oil refinery with a digital substation.

In addition to the industrial part, the model included a corporate network. The teams were expected to gain access to the corporate network, elevate privileges, find vulnerabilities in several services created by the Kaspersky Lab ICS CERT team specifically for the event based on earlier research, and gain access to the industrial network.

Industrial software and controllers were used to create a model imitating an industrial site with an oil refinery loading/unloading rack and an electrical substation. As a result, everything that happened during the competition can easily be applied to real-world infrastructures and used to improve industrial system protection approaches and technologies.

How It Was

The CTF finalists battled for 7 hours.

The main goal of the CTF was to take control of the industrial process or shut it down. In addition, the teams could attack the electrical substation and cause a short circuit, resulting in an imitated breakdown, with the stand giving off smoke.

A Kaspersky Lab product – Kaspersky Industrial Cyber Security (KICS for Networks) – was used to visualize the attacks. All actions performed by hackers on the industrial network were recorded by our security solution and displayed on one of the screens, which could be viewed by the audience.

The South Korean team, which took the lead from the start and stayed ahead throughout the game, won the contest, but there was a close fight for second place. The Japanese team wrestled into second position 30 minutes before the time ran out and managed to keep it until the end of the CTF.

The participants received various valuable prizes and presents.

In the seven hours, none of the teams was able to achieve the main goal of the CTF – to break into the enterprise model’s industrial network. According to Kaspersky Lab experts, the winning team would have needed just 10 or 15 more minutes to achieve that goal.

Real-world attackers are unlikely to have such tight time limits. The results of the contest have demonstrated once again that, by exploiting weaknesses in the corporate network’s protection and network configuration faults, a remote threat actor can gain unauthorized access to the industrial segment of the network.

How It Felt

The Kaspersky Lab experts who organized the CTF were impressed by the intense struggle and emotions during the contest. The teams gave their all, persistently moving towards their goal.

We were also impressed by the efficient and well-coordinated work of our Chinese partners, who helped make the competition lively and memorable.

Chinese journalists reported the contest live. The video is available online, so anyone can view it and form their own opinion of the event.

Here you can get a detailed view of the model attacked by the participants, listen to comments by one of the CTF organizers, Vladimir Dashchenko, and view some episodes of the contest.

What Next?

The next contest will take place in 2018. We will be sure to publish information about the forthcoming competition and the results of Kaspersky Industrial CTF 2018 on our website.

You never know though, perhaps next time it will be Kaspersky IoT CTF!