The theme of this year's competition is cyberattack detection, isolation, and mitigation for Programmable Logic Controllers (PLCs). PLCs are embedded systems deployed in cyber-physical environments, oftentimes controlling critical infrastructure. These systems are currently undergoing a modernization transformation, through the convergence of Operation Technology (OT) and Information Technology (IT), and the increasing use of Commercial-Off-The-Shelf (COTS) hardware and software commonly found in embedded devices. An unwanted side effect of this modernization trend is the increased exposure of the underlying physical systems to cyberattacks. Several real examples of cyberattacks against industrial settings have been reported over the past years, with the most prominent being Stuxnet, which targeted a uranium enrichment plant. ESC 2017 invites contestants to develop solutions for securing PLCs, and by extension critical infrastructure, from the far-reaching effects of cyberattacks. More specifically, the challenge focuses on the development of cyberattack-induced error detection, isolation, and mitigation strategies that can be retrofitted to legacy PLCs making them more resilient to contemporary cyberattacks.
More information regarding the challenge is given through the following motivational scenario:
You have just been hired as a Chief Security Officer (CSO) at CannotPwn Factory. The previous CSO resigned after a sustained cybersecurity breach caused huge financial losses to the factory through injection of malicious logic on PLCs, which caused the industrial process to run suboptimally. To expedite incident response for future cyberattacks, before leaving the company, your predecessor procured several PLCs from different vendors and preprogrammed them as backups. You, as the new CSO, must come up with a solution that makes use of these redundant, diverse PLCs and avoids future compromise. The assumptions and high-level requirements you pass along to your team of engineers for the new intrusion detection and prevention system you want to roll out are:
- You need an error detection, isolation, and mitigation system that can detect cyberattacks against vulnerable PLCs, isolate/filter the malicious inputs, and recover/mitigate their effects, providing resiliency and fault tolerance to the process. The cyberattacks you want to protect against may (a) introduce malicious inputs to PLCs, which will in turn manifest as errors in the PLCs outputs, or (b) subvert the control flow of the controller and generate malicious outputs irrespective of the inputs.
- You can make use of the redundant PLCs which have been programmed to have the same blackbox functionality, but achieve it through different implementations. Effectively, this means that when a cyberattack occurs it can affect all PLCs, but the attack will not manifest in the same way in all PLCs, or an unknown subset of the PLCs may remain unaffected. Moreover, redundant PLCs may be used as hot-backups that remain on stand-by until needed.
- Your new security system must be able to be retrofitted to the field-deployed legacy PLCs, without the need to make any modifications to the legacy controller (i.e., the PLC program source may not be available, and cannot be updated).
- The physical process in CannotPwn Factory has inertia, meaning that it can sustain minor fluctuations without rendering the entire system unusable.
- The controller must be able to handle physical processes that periodically update outputs with a frequency of at least 100Hz.
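As an added illustration of the requirements above (this is a constructed example, not part of the competition material), the following hypothetical monitor sits beside N diverse, redundant PLCs without modifying them: every 10 ms tick it majority-votes their outputs (digital levels or PWM duty cycles), tolerates brief transients in line with the process inertia, isolates a PLC that disagrees for longer than a grace period, and drives the process from the consensus or holds the last good value when no majority exists. The class name, field names and sample trace are all assumptions.

```python
# Hypothetical output-voting monitor for N diverse, redundant PLCs (constructed example).
from dataclasses import dataclass, field


@dataclass
class RedundantPlcMonitor:
    n_plcs: int
    grace_ticks: int = 3           # process inertia: tolerate brief transient disagreement
    tolerance: float = 0.02        # PWM duty cycles within 2% count as agreeing
    isolated: set = field(default_factory=set)    # PLCs excluded from the vote
    events: list = field(default_factory=list)    # (tick, kind, plc_index) audit log
    last_good: float = 0.0         # last consensus value, used as the fallback drive
    _strikes: list = field(default_factory=list)  # consecutive disagreements per PLC

    def __post_init__(self):
        self._strikes = [0] * self.n_plcs

    def _consensus(self, samples):
        """Value shared by a strict majority of non-isolated PLCs, else None."""
        live = [i for i in range(self.n_plcs) if i not in self.isolated]
        best, best_votes = None, 0
        for i in live:
            votes = sum(abs(samples[i] - samples[j]) <= self.tolerance for j in live)
            if votes > best_votes:
                best, best_votes = samples[i], votes
        return best if best_votes * 2 > len(live) else None

    def tick(self, t, samples):
        """Process one frame (one sample per PLC) at tick t; return the drive value."""
        value = self._consensus(samples)
        if value is None:                      # no majority: hold last good output
            self.events.append((t, "no-majority", None))
            return self.last_good
        for i in range(self.n_plcs):
            if i in self.isolated:
                continue
            if abs(samples[i] - value) <= self.tolerance:
                self._strikes[i] = 0           # back in agreement: clear the counter
            else:
                self._strikes[i] += 1
                if self._strikes[i] > self.grace_ticks:
                    self.isolated.add(i)       # sustained divergence: isolate this PLC
                    self.events.append((t, "isolated", i))
        self.last_good = value
        return value
```

Because the monitor only reads PLC outputs, it can be retrofitted between legacy controllers and the actuators; on a Raspberry Pi the per-tick samples would come from GPIO or Modbus reads rather than the constructed trace used in the test.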
Based on the motivational scenario described above, the 2017 challenge is divided into two phases: the qualification phase and the final phase. For the qualification phase, participating teams are invited to compile a proposal for cyberattack detection, isolation, and mitigation targeting legacy PLCs. Competitive solutions to the challenge need to propose novel mitigations as much as possible, and avoid reusing previously published solutions or already known techniques. The best solutions need to impact the performance of the PLCs as little as possible, while incurring a minimal false-alarm rate. Solutions that focus only on detection (but not mitigation) or only on mitigation (but not detection) may not receive full consideration at the ESC competition finals.
Evaluation of the qualification phase reports will be performed by a team of experts, and will take into account the correctness, potential, novelty, practicality and universality of the proposed strategy. The teams are asked to clearly discuss all their assumptions and justify why their proposed design will be effective in light of cyberattacks. Moreover, the qualification phase report must discuss how the proposed strategy can be retrofitted to existing legacy PLCs, and what the team's proposed evaluation plan is for the final phase of the competition.
The 10 best submissions of each region (US, Europe, MENA, India) will qualify to the final phase, which requires implementing and demonstrating the proposed cyberattack detection, isolation, and mitigation design using a Raspberry Pi 3 B board. The Raspberry Pi board will be running OpenPLC software, which is compatible with C/C++ or python libraries that read/write digital output pins (e.g., software libraries such as wiringpi or gpiozero, as well as Modbus). Likewise, OpenPLC can simulate multiple redundant PLCs by using different rungs in the same controller (each using a subset of the I/O pins). The teams need to develop a concrete evaluation plan to showcase the correct functionality and effectiveness of their proposed strategy. In their evaluation plan, the teams should simulate a cyberattack by triggering their own faults in PLC programs (e.g., in ladder logic, structured text, or compiled OpenPLC binaries). The definitive goal is to implement a robust detection, isolation and mitigation solution, along with a comprehensive plan to argue about and demonstrate its effectiveness.
Evaluation of the finalist teams will be based on their aggregate score across five criteria. Specifically, on the day of the live finals, points will be awarded based on:
- The evaluation plan developed by the teams, including the complexity and realism of the employed testbench. The teams are expected to develop non-trivial PLC programs to showcase the effectiveness of their detection and protection methodology. (20%)
- The correctness of the implementation and live demonstration at the finals, using the aforementioned evaluation plan on a Raspberry Pi board. (20%)
- The sensitivity of the implemented methodology in detecting errors caused by cyberattacks, including false positive/false negative rates and response times, for non-trivial case studies in the aforementioned evaluation plan. (20%)
- The robustness of the developed isolation and mitigation strategy across different types of PLC controllers and different target processes. Special emphasis will be given to strategies that can protect Pulse Width Modulation (PWM) output signals. (20%)
- The quality and elaboration of the final report submitted through the HotCRP registration system, which should list all assumptions and provide details on the effectiveness of the proposed methodology using the team's evaluation plan. (20%)
All deliverables in both the qualification and final phase (developed files, code, configurations etc.) should work out of the box by just typing a simple command (like make <target>), and need to be accompanied by simple step-by-step instructions on how the organizers and judges can verify each deliverable offline using a Raspberry Pi board running OpenPLC on the latest Raspbian operating system. On the day of the finals, demonstrating the correctness of the proposed methodology using the evaluation plan will be the responsibility of each team. Moreover, the evaluation plan should be flexible enough to allow the judges and organizers to provide new PLC programs on the fly, for testing the developed detection, isolation and mitigation strategy on the day of the finals.
The evaluation of the finalists based on the above metrics will be the responsibility of a panel of industry expert judges in each region. During the day of the finals, each team should be able to answer the questions posed by the judges, in addition to demonstrating live the correctness and effectiveness of their solution on a Raspberry Pi. Furthermore, the finalists should prepare a PowerPoint presentation and a poster of their work, to present on the day of the finals, which complements the submitted final report.
Teams are encouraged to start investigating the challenge as early as possible.