His marching orders were clear—infiltrate the programmable logic controller (PLC) that the plant used to control an important piece of manufacturing equipment.
The PLC management ports were protected by a firewall, but the web-enabled system dashboard was not. A flaw in the web app revealed a username and encrypted password, and after some quick decryption assistance from a colleague, this cyber expert was right where he wanted to be—inside the firewall.
With no additional security in place, the PLC was his. Now, were he so inclined, he could manipulate the equipment that it controlled, potentially causing line disruptions that would bring the plant’s production grinding to a halt.
Except, in reality, there was no plant, no line, no production. The people, the PLC, and the firewall were real, but everything else was a fiction, created for one of the S4x18 Capture the Flag (CTF) competition’s 48 challenges. An annual conference focused on cybersecurity for SCADA (supervisory control and data acquisition) and ICS (industrial control systems), S4 brings together industry elites from around the globe. Held in Miami Beach, S4’s 2018 CTF featured teams from as far away as Israel and Japan, and from companies as sizable as Cisco.
There defending Booz Allen’s S4 2017 CTF victory, Tim Nary, Tom Georgen, Rich Sala, and Ryan Brandt worked around the clock to power through challenge after challenge, including the one described above. Their efforts paid off—by competition’s end, they had firmly claimed first place.