As well as facing the Flag Day Associates in the main Cyber Security Challenge, candidates are also facing a live smart grid security issue.
In the separate challenge, candidates get 70 minutes to defend and provide a security validation test of an industrial control system. Each of the seven teams gets the opportunity to do this, and will also be asked to debrief the organisers from Airbus on their work and actions.
Specifically, the teams will: undertake intelligence gathering about the operation and architecture of the system; provide a vulnerability assessment of the environment; assess the exploitability and impact of the vulnerabilities within the environment; and provide a briefing about the validity of the security architectures in place and make recommendations about improvements to the architectures prior to real world deployment.
In particular, the teams will defend a testing environment which contains industrial control systems configured for an electricity smart grid, water treatment and purification, and a chemical waste handling facility.
Joe Stirland, cyber security research engineer at Airbus, which organised and is managing the challenge, told IT Security Guru that there is a real skills shortage in industrial control system and SCADA security, and that the live demo will give candidates the opportunity to be responsible for a real system.
“This is a new experience of securing an architecture and identifying who is going to find the vulnerabilities and be sympathetic to them, as some vulnerabilities can fail and the candidates will have to find a way to protect them from the cyber criminals,” he said.
“The candidates are doing penetration testing and identifying vulnerabilities for fun, and the idea is to go through and identify processes based on how they work. Afterwards they give us details of the vulnerabilities.”
Stirland admitted that the test will take the candidates out of their comfort zone as they will not have dealt with something like this. “The winning team will do an assessment of the environment and we are looking for penetration testing that will not compromise the industrial control system,” he said.
Cyber Security Challenge CEO Stephanie Damon said that the timing is pertinent for critical national infrastructure considering how many systems are now being brought online.
Speaking to IT Security Guru, Cyber Security Challenge director Nigel Harrison said that this will enable a new area and new skills. “As industrial control systems and signalling all have potential vulnerabilities, it is good for the candidates to down tools and look at the attack potential of this,” he said.