A hackathon took place in Thun together with partners from industry, academia and business between 19 and 23 September 2022. The Cyber-Defence (CYD) Campus Hackathon focused on attacks and the defence of industrial control systems as well as operative technologies (OT). Such systems are of critical importance for Switzerland’s energy and water supply and are being increasingly networked with IT systems. This makes them, in turn, more vulnerable to espionage and sabotage. You can find more details on the process and the goal of the hackathon in the following article: CYD Campus hackathon on industrial control systems.

The Krinflab

The CYD Campus Hackathon provided two different laboratories in which the participants were able to learn about various attack vectors and simulate attacks on industrial control systems. One of the laboratories was the Krinflab of the Lucerne University of Applied Sciences and Arts (HSLU). This laboratory simulates a Swiss energy substation. The most frequent attack vectors here are the connection to the corporate IT network and poorly secured remote maintenance access.

Upon closer examination of the Krinflab, the participants discovered three hitherto unknown, significant security vulnerabilities in one of the devices. This discovery could have had a direct impact on the security of the critical infrastructure of Switzerland, as identical devices are used in energy substations. For security reasons, this article will not go into the technical details of vulnerabilities. Nevertheless, this discovery offers a suitable opportunity to take a look behind the scenes of vulnerability research and how it was remedied.

Eureka! A vulnerability has been discovered.

In contrast to Archimedes, who ran through the town loudly crying out “Eureka!” when he discovered the Archimedean Principle, the discovery of a security vulnerability is treated much more discreetly. Information on a cyber security vulnerability is published according to a systematic procedure. Security gaps can thus be closed as efficiently as possible, without the information falling into the wrong hands.

Types of disclosure

The first step in identifying cyber security vulnerabilities is the internal documentation. After the security gaps were documented, the researchers who had discovered them had the choice between a “Coordinated Vulnerability Disclosure” and a “Full Vulnerability Disclosure”. With the coordinated disclosure, the vulnerability is first reported to the manufacturer and only published after a jointly agreed deadline for rectification. A complete disclosure, on the other hand, implies the publication of all vulnerabilities without consulting the manufacturer. In order to prevent any information reaching the public, the manufacturers can also decide on a private disclosure. This is normally the case if the vulnerability is discovered by the manufacturer themselves.

Transfer of information

In the example of the CYD Campus hackathon, the vulnerabilities in a device of the industrial control systems were reported directly to the manufacturer after documentation as part of a coordinated disclosure. As soon as the contact with the manufacturer had been established, a secure medium needed to be found to transfer the details. In this case, a PGP-encrypted email was used, as the sending of an unencrypted email could pose unnecessary risks with critical security vulnerabilities. The manufacturer of the Krinflab device concerned reacted professionally and efficiently to the vulnerability report and after receiving the details, developed an update to close the security gaps. The procedure to eliminate the vulnerability was then coordinated again with the CYD Campus Hackathon Team.

Knowledge transfer

In a final step, the manufacturer was asked to have the discovered vulnerabilities provided with a unique number for common vulnerabilities and exposure (abbreviated as CVE number). The international CVE designation system assigns unique numbers to known vulnerabilities in order to avoid multiple entries of the same security gaps and to facilitate the exchange of information between different databases. These numbers are only assigned by one particular CVE numbering authority, (CVE Numbering Authorities, known as CNA). In Switzerland, this control and numbering function is performed by the National Cyber Security Centre (NCSC). The manufacturer was cooperative and worked together with the NCSC to assign a unique CVE number to each of the three vulnerabilities detected:

• CVE-2022-4778
• CVE-2022-4779
• CVE-2022-4780

After the update comes the import

Despite the manufacturer’s exemplary reaction in the development of an update and the disclosure of the vulnerabilities, there still remains a residual risk that the security vulnerabilities could be exploited. Although the manufacturer provided an update immediately, the operators of critical infrastructures might not be prepared to import it promptly, as they only have limited resources (time and staff) or fear the risk of a partial system failure. For this reason, the operators will weigh up the likelihood of exploiting a vulnerability against the risk and the additional resources that are required for importing the update. Contrary to the general recommendation to regularly update the software, practice shows that this is often not the case. It is therefore essential to keep up to date with the latest security updates, in order to guarantee cyber security.

Collaborative advantage

In the end, the CYD Campus Hackathon did not only pursue the goal of finding vulnerabilities in ICS, but also focused on networking experts and young cyber talents from industry, academia and public administration. The collaborative advantage in anticipating cyber threats is not only a fundamental feature of the CYD Campus, but also a necessary means of keeping up to date in a constantly changing working environment. The CYD Campus Hackathon for ICS is therefore considered a flagship project for the future cooperation of business, science and government for cyber security in Switzerland.