Cyber-Defence Campus Hackathon on Forensics in Energy Systems
The Cyber-Defence Campus, armasuisse Science and Technology, organised a hackathon on the topic of attack detection in energy systems from 11 to 14 September 2023 together with the Lucerne University of Applied Sciences and Arts (HSLU). In addition, appropriate courses – particularly for specialists from energy supply companies – were offered this year as part of the «Cyber Training» pilot project.
Prof. Dr Sebastian Obermeier, Lucerne University of Applied Sciences and Arts & Andrea Thäler, specialist area Cyber Security and Data Science, competence sector armasuisse Science and Technology

The hackathon brought together more than 35 cyber experts from academia, the private sector and government. The goals were to promote knowledge exchange in the cyber community, to identify vulnerabilities in industrial control systems and to develop effective countermeasures.
The Industrial Control Systems (ICS) Hackathon in Thun took place from 11 to 14 September 2023 and was conducted by the Cyber-Defence Campus together with the Lucerne University of Applied Sciences and Arts. The more than 35 participants included researchers from the CYD Campus and the Swiss Armed Forces, employees from energy supply companies such as EWS AG Schwyz, soldiers from the Cyber Battalion 42, students from various universities, and experts from the private sector, from OMICRON electronics GmbH, Nozomi Networks, SBB, Hitachi Energy and ALSEC Cyber Security Consulting.
The hackathon was dedicated to the topic of forensics and attack detection in critical infrastructures, for example, in energy systems. The following case was examined more closely: a system for attack detection has detected certain indicators of a possible cyber attack, but could not confirm the impending attack with absolute certainty.
At such moments, an in-depth investigation of the system is inevitable. The question is: Is this really an attack that requires immediate countermeasures? Or could a false alarm have been triggered? This is where the novel forensic approach that was tested in the hackathon comes into play. This approach differs from traditional forensic approaches in that the focus is placed on the system to be examined: the aim is either to prove that the system is clean or to verify an attack. In traditional forensics, the preservation of evidence is in the foreground, whereas here availability is very important. The approach also takes into account the special features of the control system as well as the high requirements for the availability of the Swiss electricity network: on the one hand, the systems must remain available, while on the other hand the system is standardised to a high degree.
Hackathon events
Two laboratories were used to host the hackathon from a practical perspective. The first was the pumped-storage power station of the Cyber-Defence Campus. This has several water basins which are connected via pipe systems and pumps and are regulated by an industrial control system. The pumped-storage power station has functions for measuring the water level or operating valves and pumps for generating electricity. The second was the Krinflab of the Lucerne University of Applied Sciences and Arts. This represents a fictitious Swiss traction substation with a control centre and six substations and uses devices which are also used in reality.
As an introduction to forensic procedures, a cyber training on the topic of «Digital forensics» was carried out at the beginning of the hackathon, under the direction of Dr Hannes Spichiger and Prof. Dr Sebastian Obermeier, both from the Lucerne University of Applied Sciences and Arts (HSLU). Here, the participants were able to acquire specific knowledge and apply it directly in practical exercises. In parallel, all participants were able to work independently in the available laboratories and perform experiments.
Outputs of testing
The following technical results were achieved:
Identifying hardware vulnerabilities:
The participants examined the hardware of the Krinflab and were able to reveal vulnerabilities in it, such as non-protected firmware on compact flash cards or unsecured access to the device. These findings are highly significant, as they represent potential gateways for cyber attacks. In the interests of responsible disclosure, the manufacturers of these devices were informed immediately about these vulnerabilities.
Confirming the applicability of forensic approaches:
A further result was the confirmation of the applicability of forensic approaches to energy systems. This enables more precise investigation of security incidents and represents a decisive step towards more effective cyber defence. At the same time, however, limitations were also revealed, which will inspire future research and development.
What next?
The Cyber-Defence Campus and the HSLU will evaluate the results of the hackathon and make them accessible to the general public in the form of publications at a later point in time.
The «Cyber Training» project was launched by Viola Amherd as part of the Cyber Strategy, as a reaction to the constantly changing requirements and the increasing complexity of cyber security at national level. The goal is to offer technical and strategic exercises for authorities with critical infrastructures which are of national importance and at universities. In terms of content, the planned interdisciplinary practice formats focus on the further development of generally valid mechanisms and decision-making processes to cope with cyber attacks.

