Fun with flags

Plenty of readers are sure to be familiar with the classic outdoor game of “Capture the Flag” (CTF), but what about the digital version? I also admit that at the beginning I had no idea what I had to imagine. But I have dived into the cyber world and was able to bring exciting things to light…

On the occasion of the European Cyber Security Month, the Syskron Security team developed their own online cyber security competition in their spare time: Syskron Security CTF. So what could it be about? Entrants taking part in the event are confronted by a wide range of challenges – albeit in the form of small puzzles – relating to industrial security. They have to solve these as quickly as possible, and in some cases by employing creative solutions. The work is done in teams, generally comprising several members. The solution to the puzzle is then the “flag”, which may consist of a word or several letters. The flag is submitted on an online platform, and the team gets points for it. The group with the most points wins the competition. But what exactly does such a cyber-puzzle look like?

A challenge for every taste

The Syskron Security CTF included 25 challenges with varying degrees of difficulty and involving various categories of industrial security. The areas covered included forensics, Open Source intelligence, cryptography, a multi-level insider attack, confidentiality, facts worth knowing, and fun facts. Some tasks, such as identifying the location of a factory plant from a photo, were readily solved using internet research. Other questions called for programming skills and a willingness to read up on various subjects. In the challenge “Bottle Inspection” a QR code was hidden steganographically in photos of filled bottles – and let’s put it this way: I’m still searching…

A lot of work for three days of fun

Eight Syskron colleagues invested several weeks of preparation into the project. It was designed to appeal mainly to school pupils and students, but anyone was allowed to give it a go. The competition was held over a defined time-frame of 120 hours, so that people in work were also able to enter. From 9 to 13 October, around 1,500 players in over 1,000 teams attempted to find the flags. The astonishing result was that 600 groups succeeded in solving at least one or more of the challenges, but no-one managed to fully master all the challenges! First place – and the accompanying fame and honour – went to a team from France. Second and third places went to Denmark and Upper Austria respectively. There was no tribute, as it is not common at events of this kind, I was assured. However, I immediately ask myself the question: Does the whole effort serve a higher purpose?

OT security made entertaining

The main aim behind the event was to make people aware of industrial security, or “Operational Technology security” (OT security). Benjamin Süß, co-developer of Syskron Security CTF, explains: “Broadly speaking, we differentiate between three aims for protection in data security: confidentiality, integrity and availability. All these aims are always important, both in IT and in OT environments. But the prioritisation is different: in IT, confidentiality generally comes first, followed by availability and integrity. Generally, the reverse is true for OT.” He further elaborates: “With IT, it doesn’t matter if the employee restarts his laptop once a day for security updates. Availability is not so important here. But if the laptop crashes every ten minutes, availability becomes relevant here as well. In an OT environment, for example in a production line, a system cannot simply be restarted once a day for security updates. It must be and remain available 24/7.” And this of course has serious consequences, as I finally understand.

“The consequences of this are that many security mechanisms from the IT world don’t work in the OT world. Therefore it is important to sensitise for this ‘other’ OT-world.” Benjamin Süß sums up once again. The competition is therefore aimed at creating, or possibly expanding, an awareness of industrial security amongst colleagues, students and, not least, amongst potential job applicants too. In my case, they have definitely achieved this goal. Given the large number of entrants and the many positive comments received by way of feedback, the event will be staged again next year.