How SCADAfence Defended a DoD Supplier from Over 50 Cyber-Attackers

The event was born from a joint partnership between MISI (Maryland Innovation and Security Institute) and USCYBERCOM (the United States Cyber Command), is an unrivaled, hands-on live facilities critical infrastructure cybersecurity challenge. 

Hackers, federal labs, building automation companies, academia and government agencies all competed to infiltrate, disrupt or take over a connected smart building and the computing systems and data inside of a government-owned building. 

A Real-World Target

The event is built around a specially-designated, real-world target: A live, fully-equipped 150,000 square-foot “smart” office building near Annapolis, Maryland that teams on-site and remote are challenged to attack through its diverse IT, control systems, Internet of Things (IoT), access control, surveillance camera, building automation and other systems.

The Attack Scenarios

The event was split into two parts, two days each. On the first part, 13 pre-planned attack scenarios took place, and on the second part, the network was open to any type of attack, allowing attackers and defenders to play in a more chaotic cyber war zone.

The building was equipped with many types of assets, such as PLCs, BAS controllers, industrial robots, power distribution units (PDU), IoT controllers, IP cameras & NVRs, serial to ethernet converters, and many other devices.

Each scenario targeted different assets and required different methods to reach the targets. For example, in one scenario the attackers broke into the data center’s cooling system, shutting it down, resulting in server shutdown. In another scenario, the fire alarm system has been disabled.

The full list of scenarios is available here. 

To simulate a real scenario, many details about the network were unknown to the defensive team. Moreover, some details that were provided were plain wrong, due to outdated network maps. These missing details made the defender’s job more difficult.

Vulnerabilities Discovered by SCADAfence 

The network had a number of common security issues:

• The network map was inaccurate and had missing information.
• The network was protected by firewalls, but many known and unknown connections between segments were possible.
• Some network segments had a mix of devices in them, for example a conference room camera and engineering stations resided in the same network.
• Some Windows/Linux devices had monitoring/security agents on them, but many devices weren’t covered by monitoring.

The SCADAfence Platform was deployed on a NPB (network packet broker) that was monitoring multiple SPAN ports and network taps. Using the Platform, we were able to monitor the network in real time, and a SOC team was provided by SCADAfence to monitor the Platform and detect attacks.

Over 50 Hackers Attacked the Network at the Same Time

This event is a rare opportunity to stress-test your security product. It’s a lot harder to defend than a normal cyber attack. Over 50 hackers attacked the network at the same time, with each team targeting different assets and arrived from a different place in the network. Some attackers came from the internal network and took over legitimate hosts, then used them to attack other assets. Some came from the company’s VPN, and from other places.

They used a large variety of attack tools and tactics, including physical attacks - hacking an access control system with badge readers.

We were happy to see that the SCADAfence Platform was able to detect the broad spectrum of attacks over the course of these 4 days.

The findings from the SCADAfence Platform were presented to the audience in two live streaming sessions (the full videos will be shared as soon as they become available to us). We were interviewed by Armando Seay, Co-Founder of MISI, and together explained the attack tactics used by the attackers.

Adversaries Play Dirty Using Social Engineering

At one point, one of the red team members was able to infiltrate the blue team live discussion channel, and alerted the red team about our actions. He was able to infiltrate the channel using social engineering, by identifying as a member of one of the blue teams.

When we (the blue team) found out we have a mole in our channel, we started a mole hunt and finally figured out who the adversary was. We’re not sure if it was part of the planned surprises in the exercise, but regardless - it was an important drill that can happen in real life.

This has been a wonderful event, and a rare opportunity to showcase our product and exercise attack/defense scenarios on real industrial hardware, running real processes. We want to thank MISI (Armando, Mark, Alexander, Karissa, Joseph) and USCYBERCOM for planning and executing this event.

We want to thank the red team for the creativity and for the interesting challenges and surprises they had for us, and to the blue team (which we were part of) for the collaboration.

To learn more about SCADAfence’s advanced capabilities, you can watch some short product demos here: https://l.scadafence.com/demo