Full Report
The finals of Kaspersky Industrial CTF 2017, an industrial cybersecurity contest, were held in Shanghai. This was the third CTF (Capture the Flag) tournament organized by Kaspersky Lab and the first to have international status.
Analysis Summary
# Morning News Roll-up 2017-10-27
## Overview
This report focuses on the technical challenges and findings from the Kaspersky Industrial CTF 2017 finals held in Shanghai. The event simulated real-world cyberattacks against industrial infrastructure, specifically targeting a scaled model of an oil refinery to identify vulnerabilities in Industrial Control Systems (ICS).
## Top Stories
### Kaspersky Industrial CTF 2017: Vulnerabilities in Industrial Infrastructure
- Summary: The competition utilized a functionally accurate model of an oil refinery, including a rail tank farm loading rack and a power substation. Participants engaged in "capture the flag" exercises that involved bypassing perimeter security to gain access to the internal industrial network. Key findings included the discovery of zero-day vulnerabilities in common industrial software and hardware, highlighting the critical need for specialized security in OT (Operational Technology) environments.
- Source: hxxps://ics-cert[.]kaspersky[.]com/publications/reports/2017/10/27/to-hack-an-oil-refinery-in-7-hours/
### Exploiting PLCs and HMI Systems in Oil & Gas Simulations
- Summary: Technical analysis from the CTF revealed that competitors successfully leveraged insecure-by-design protocols to manipulate Programmable Logic Controllers (PLCs) and Human-Machine Interface (HMI) systems. The most successful attacks involved unauthorized command injections and the modification of control logic to disrupt the refinery's simulated physical processes, such as causing tank overflows or emergency shutdowns.
- Source: hxxps://ics-cert[.]kaspersky[.]com/publications/events/
### Bridging the Gap Between IT and OT Security
- Summary: The event highlighted the TTPs used by high-skill actors to pivot from corporate networks into industrial zones. It was observed that even with a limited timeframe (7 hours), attackers could identify and exploit misconfigured gateways and weak authentication in industrial equipment, underscoring the importance of network segmentation and deep packet inspection for industrial protocols.
- Source: hxxps://ics-cert[.]kaspersky[.]com/
---
# Main Topic
Kaspersky Industrial CTF 2017: Security Assessment of Industrial Control Systems (ICS) via Simulated Oil Refinery Attack.
## Key Points
- The simulation focused on a functional model of an oil refinery, testing defenses against professional cybersecurity teams.
- Teams demonstrated the ability to disrupt industrial processes within a very short timeframe (7 hours).
- The event identified several previously unknown (zero-day) vulnerabilities in industrial equipment.
- High-level findings suggested that industrial hardware often lacks the basic security controls found in traditional IT hardware.
## Threat Actors
- **Participants/White-Hat Researchers:** Professional security researchers and CTF teams (e.g., CyKor, TokyoWesterns) simulating Advanced Persistent Threats (APTs).
- **Associated Activity:** The TTPs used mirror those of groups like Sandworm or Xenotime, who target energy sectors and industrial safety systems.
## TTPs
- **Network Reconnaissance:** Scanning for open PLC ports (e.g., Modbus TCP/502, S7comm/102).
- **Exploitation of Insecure Protocols:** Using unauthenticated industrial protocols to send "Stop" or "Force Value" commands to PLCs.
- **Logic Manipulation:** Uploading modified ladder logic or functional block diagrams to alter machine behavior.
- **Bypassing Air Gaps/Perimeters:** Exploiting misconfigured dual-homed machines or engineering workstations.
## Affected Systems
- **Programmable Logic Controllers (PLCs):** Various Schneider Electric, Siemens, and Rockwell Automation hardware models.
- **HMI/SCADA Software:** Software used for visualizing and controlling industrial processes.
- **Industrial Protocols:** Modbus TCP, PROFINET, and EtherNet/IP.
## Mitigations
- **Network Segmentation:** Implementing a strict DMZ between the corporate (IT) and industrial (OT) networks using the Purdue Model.
- **Deep Packet Inspection (DPI):** Utilizing ICS-aware firewalls to monitor and block unauthorized industrial protocol commands.
- **Firmware Integrity:** Regularly updating and signing PLC firmware to prevent unauthorized logic modifications.
- **Physical Security:** Ensuring physical access to engineering ports and consoles is restricted.
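The "Exploitation of Insecure Protocols" TTP above and the "Deep Packet Inspection" mitigation are two sides of the same observation: Modbus/TCP carries no authentication, so the only place to enforce who may write to a PLC is an ICS-aware inspection point that understands the function code. The following Python inspector is an added example, not code from the roll-up or from Kaspersky ICS CERT. It parses the MBAP header and PDU function code of each request to TCP/502, flags malformed frames, and flags state-changing commands (write, force, diagnostic) that do not originate from an allowlisted engineering host. All IP addresses, the allowlist and the sample frames are constructed for the demonstration.

```python
"""Modbus/TCP allowlist inspector: a minimal ICS-aware DPI check (added example).

Parses the MBAP header and function code of each Modbus/TCP request and flags
write/force/diagnostic commands that do not come from an approved source.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

MODBUS_TCP_PORT = 502

# Function codes that change controller state (write, force, diagnostic).
STATE_CHANGING_FC = {
    5: "Write Single Coil",
    6: "Write Single Register",
    8: "Diagnostics",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}
READ_ONLY_FC = {1: "Read Coils", 2: "Read Discrete Inputs",
                3: "Read Holding Registers", 4: "Read Input Registers"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP ADU (7-byte MBAP header + PDU); raise ValueError if malformed."""
    if len(payload) < 8:
        raise ValueError("ADU too short")
    tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    # The MBAP length field counts the unit id plus the whole PDU.
    if length != len(payload) - 6:
        raise ValueError(f"length field {length} != {len(payload) - 6}")
    return ModbusRequest(tid, unit, payload[7], payload[8:])


def inspect(src_ip: str, dst_ip: str, dst_port: int, payload: bytes,
            allowed_writers: Set[str], plc_hosts: Set[str]) -> Optional[str]:
    """Return an alert string for a policy violation, or None if the frame complies."""
    if dst_port != MODBUS_TCP_PORT or dst_ip not in plc_hosts:
        return None  # not Modbus/TCP to a monitored controller
    try:
        req = parse_modbus_tcp(payload)
    except ValueError as exc:
        return f"MALFORMED from {src_ip}: {exc}"
    fc = req.function_code
    if fc in STATE_CHANGING_FC and src_ip not in allowed_writers:
        return (f"UNAUTHORIZED WRITE from {src_ip} to {dst_ip} unit {req.unit_id}: "
                f"fc {fc} ({STATE_CHANGING_FC[fc]})")
    if fc not in STATE_CHANGING_FC and fc not in READ_ONLY_FC:
        return f"UNKNOWN FC {fc} from {src_ip} to {dst_ip}"
    return None


# Constructed policy: hypothetical addresses, not from any real plant.
PLC_HOSTS = {"10.0.2.10"}
ALLOWED_WRITERS = {"10.0.2.5"}  # engineering workstation only

# Constructed sample frames: (label, src_ip, dst_ip, dst_port, ADU hex).
SAMPLE_FRAMES: List[Tuple[str, str, str, int, str]] = [
    ("A", "10.0.1.20", "10.0.2.10", 502, "00010000000601030000000a"),   # HMI reads 10 holding regs
    ("B", "10.0.1.77", "10.0.2.10", 502, "0002000000060106001000ff"),   # unknown host writes a register
    ("C", "10.0.2.5",  "10.0.2.10", 502, "00030000000b0110001000020400010002"),  # EWS writes 2 regs
    ("D", "10.0.1.20", "10.0.2.10", 502, "000400010006010300000001"),   # protocol id 1: malformed
    ("E", "10.0.1.77", "10.0.2.10", 502, "00050000000601050003ff00"),   # unknown host forces a coil
    ("F", "10.0.1.20", "10.0.1.30", 80,  "00060000000601030000000a"),   # not Modbus to a PLC: ignored
]


def run_samples() -> List[Tuple[str, Optional[str]]]:
    """Inspect every sample frame and return (label, alert-or-None) pairs."""
    return [(label, inspect(src, dst, port, bytes.fromhex(adu), ALLOWED_WRITERS, PLC_HOSTS))
            for label, src, dst, port, adu in SAMPLE_FRAMES]


if __name__ == "__main__":
    for label, alert in run_samples():
        print(f"{label}: {alert or 'ok'}")
```

The policy is deliberately coarse: any state-changing function code from a host other than the engineering workstation is an alert, regardless of register address. A production rule set would also pin the allowed unit ids and register ranges per source, and would treat a write arriving from the IT side of the DMZ as a segmentation failure in its own right.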
## Conclusion
The Kaspersky Industrial CTF 2017 proved that industrial infrastructures, such as oil refineries, are highly susceptible to targeted cyberattacks due to the inherent lack of security in legacy protocols. It is recommended that industrial operators move beyond "security by obscurity" and implement proactive monitoring, network hardening, and regular vulnerability assessments specifically tailored for industrial environments.