Gamifying ICS Security Training and Research: Design, Implementation, and Results of S3


Our work considers the challenges related to education and research about the security of industrial control systems (ICS). We propose to address those challenges through gamified security competitions. Those competitions should target a broad range of security professionals (e. g., from academia and industry). Furthermore, they should involve both attack and defense components. This could include the development of new attack techniques and evaluation of novel countermeasures. Our gamification idea resulted in the design and implementation of the SWaT Security Showdown (S3). S3 is a Capture-The-Flag event specifically targeted at Industrial Control Systems security. We developed ICS-specific challenges involving both theoretical and applied ICS security concepts. The participants had access to a real water treatment facility and they interacted with simulated components and ICS honeypots. S3 includes international teams of attackers and defenders both from academia and industry. It was conducted in two phases. The online phase (a jeopardy-style capture the flag event) served as a training session and presented novel categories not found in traditional information security CTFs. The live phase (an attack-defense CTF) involved teams testing new attack and defense techniques on SWaT: our water treatment testbed. During the competition we acted as judges, and we assigned points to the attacker teams according to a scoring system that we developed internally. Our scoring system is based on multiple factors, including realistic ICS attacker models and effectiveness of the detection mechanisms of the defenders. For each phase of the S3 we present the results and relevant statistics derived from the data that we collected during the event.

Proceedings of Workshop on Cyber-Physical Systems Security & Privacy (co-located with CCS)