Article written by:
Director of Information Technology Services
GBQ sponsored the October 10, 2019 meeting of CS2AI’s Columbus Chapter meeting where the “SMRT City, USA” capture the flag was the centerpiece of this quarter’s meeting.
You may have played capture the flag (CTF) as a kid where two sides simultaneously try to protect their flag while capturing the other sides. For the cybersecurity community, CTF events are used for skills development. Experienced and inexperienced hackers and other security professionals use the events as a learning lab to understand what might go wrong when systems are set up incorrectly or successfully broken into.
CSA2AI hosted SMRT CITY, USA, a demonstration system built to facilitate an introduction to control system networks. The SMRT CITY, USA system was used as the platform for anyone who brought a laptop to participate in the live hacking competition to see if they had the hacking skills to “capture the flag”.
Developed at Cloudhaus, a local makerspace, the CTF includes an impressive physical mockup of a modern day smart city. Programmable logic controllers (PLCs) automated the SMRT City’s systems’ critical function representing the same modern ICS/SCADA tools that manage today’s cities, utilities, as well as manufacturing and distribution systems. In the SMRT City, an automated dam protects the city from high waters and a fully automated nuclear reactor provides power. Hackers were challenged with disseminating utter chaos and destruction throughout the city!
The creators of the CTF, Chris Hartley and Mike Haas, interrupted play to present on cybersecurity topics related to their model and vulnerabilities that are common in modern day industrial control systems (ICS). As the demonstration continued, Chris and Mike also experienced hackers, and penetration testers had an opportunity to compromise the city before clues are slowly revealed to facilitate beginners.
In the business world, the same technologies that run a smart city operate the utilities our businesses depend on, as well as our building security systems, factory and warehouse floor production systems, and robotics.
So-called operational technologies provide a way for the cyber world to touch the physical world. Those technologies are great when they allow for remote command and control, greater employee safety, higher productivity and so on.
They are not so great when they are improperly protected and the systems they run can be shut down, operated to do things they were not intended to do or cause real physical damage, including deaths.
CSA2AI, Control System Cyber Security Association International is dedicated to the growth and expansion of local and global networking opportunities and professional development for everyone involved in the Control System Cyber Security field.
GBQ is an annual sponsor of the organization as a part of its efforts to empower growth in the cyber community through workforce development, awareness and networking. For more information about getting your firm’s IT and OT workforce in the group, contact Doug Davidson or Ray Tefft.
Mike Haas is a Senior Security Analyst at The Ohio State University and has 17+ years of IT/OT experience. He managed OSU’s building automation network for 11 years before joining Enterprise Security. He specializes in ICS/IoT cybersecurity, process control networks, and building automation technologies. Mike holds a Bachler’s Degree in Managing Information Systems from the University of Central Florida and currently resides on the CS2AI Columbus executive committee.
Chris Hartley is a Lead Security Engineer at The Ohio State University and has 10 years of Information Security experience (primarily Incident Response) and another 10 of networking, IT and development experience. Chris holds a Bachelor of Science, Computer Science and Engineering from OSU. Little has changed over the years: Chris likes to take things apart and sometimes puts them back together.