A hackathon on the topic of industrial control systems took place between 19 and 23 September 2022 in Thun, organised by the Cyber-Defence (CYD) Campus together with the Cyber Battalion 42. More than 30 participants attended, including researchers from the CYD Campus and the Swiss Armed Forces, employees from NCSC and Swissgrid, soldiers from the Cyber Battalion 42, students from the Lucerne University of Applied Sciences and Arts, ETH Zurich and the Ruhr University Bochum, as well as experts from the private sector, such as the companies ALSEC Cyber Security Consulting and Nozomi Networks. The participants were split up into cross-functional teams, each with different focal points in the area of industrial control systems. This allowed the groups to perform focused vulnerability analyses and examine different vectors of attack. It also enabled interconnected and intensive working in smaller groups. The CYD Campus was pursuing three objectives in the hackathon:  To expand the existing knowledge in the DDPS in this important area, to network experts from industry, universities and public administration as well as to support young talents who want to intensify their expertise in this area.

High security risks in industrial control systems

The term «hackathon» is a portmanteau of the terms «hacking» and «marathon» and describes an event on collaborative software or hardware development. Hackathons have a specific theme or are technology-based and aim to find common solutions for urgent problems.

This year’s CYD Campus hackathon dealt with attacks and defensive actions against industrial control systems and operative technologies (OT). Industrial control systems consist of hardware and software which are used to control, monitor and operate systems, machines and processes in industrial environments. ICS are an important part of OT and need to meet special requirements in terms of security, reliability and availability. They control industrial production processes and can frequently be found in critical infrastructures, such as energy and water supply, oil, gas and coal production as well as in transport and traffic. The control systems are often implemented as SCADA systems or distributed control systems (DCS). The industrial control systems of energy systems were the focal point of this hackathon.

But why are these industrial control systems in particular such a suitable and relevant topic for a hackathon in the area of cyber defence? There are several reasons for this. For one thing, they can be found in many systems which are critical for our national supply. This criticality makes these systems very interesting for attackers, which puts them at particular risk. Unlike information systems, ICS control physical processes. An attack on the system can thus have a physical impact on the environment, which can lead to considerable damage. For example, a cyberattack on a substation can interrupt the power supply, which can have serious consequences for the network operator and its customers. The current electricity situation could further intensify as a result of such an incident. In addition, these control systems have a very long lifespan and are seldom serviced or updated. Traditionally, these are segregated systems which were not networked precisely for security reasons. Through digitalisation, the Internet of Things and modernisation measures, these older and difficult to update systems are now also being increasingly networked. As a result of this networking and merging with IT systems, the area of attack is also expanding. Previously secure systems can thus open the doors to espionage and sabotage.

Laboratories are required for vulnerability tests

Vulnerability testing is easier to implement in information systems, as less damage can be caused. This is because ICS are expensive and have a far longer product life cycle. In order to still be able to carry out tests and simulate attacks, appropriate laboratories are required. Laboratories are also particularly suitable for education and training purposes. To this end, the Cyber-Defence Campus has provided two laboratories for the infrastructure of the hackathon, each of which simulates a different industrial control system. The hackathon participants could thus identify various different vectors of attack on industrial control systems and carry out attacks themselves in the laboratories.

A new ICS laboratory will be opened this year at the CYD Campus in Thun. It will represent a pump-storage power station. The industrial control system regulates functions such as water level measurement or valve and pump operation. The participants succeeded, for example, in manipulating the overflow sensor such that the water flowed out unhindered without being detected by the system. If an attacker gains access to the network to which these types of ICS devices are directly connected, it can easily attack them. This laboratory will be used to develop talents and for further research in the area of cyber defence of ICS systems.

The Krinflab is used for research and training and was provided for the hackathon by the Lucerne University of Applied Sciences and Arts. The laboratory represents a fictitious Swiss energy substation with a control centre and six substations. There are several vectors of attack on the energy system. The vectors of attack most frequently used are the connection to the company IT as well as poorly secured remote maintenance access. However, compromised or infected maintenance and test computers, as well as control centres and switchboards are possible points of attack. The laboratory’s goal is to be able to decide on the further course of action, both from the perspective of the attacker as well as from the perspective of the defender. This enables attack strategies and defensive action to be developed.

This year’s hackathon was a resounding success for the participants and organisers.

The participants appreciated the opportunity to be able to delve into the subject matter for a whole week and to learn much in the process. They also benefited from the exchange with other experts from various different areas. Most participants have a significant background in information technology, which is why they welcomed the opportunity to expand their knowledge in the world of operative technology.

The Cyber-Defence Campus will evaluate the results of the hackathon and examine certain aspects more closely. In addition, it will compile the findings obtained such that they can be used on an optimal basis by the Department of Defence, Civil Protection and Sport. Some findings will be made available to the general public at a later point in time in the form of publications.