Hacking PI Is A Big Part Of The S4 CTF (Tips On Competing)

OSIsoft is back for their 4th year of sponsoring the S4 ICS Capture The Flag competition. And they have been great in creating flags for the CTF. I’ve asked Bryan and others at OSIsoft why they sponsor the CTF. The reason: they want to engage with the ICS security research community to learn more about their product issues and have a relationship to address security problems if they arise.

Having non-trivial PI flags is a big plus for the CTF for at least two important reasons. 1) PI is everywhere. That’s an exaggeration of course, but it seems that way in the 18+ years I’ve been visiting asset owners across all sectors. 2) PI often communicates through one or more cybersecurity perimeters. Attention to security by OSIsoft and the asset owner teams that deploy PI should be a high priority.

Harry Bryan of OSIsoft provided the four items below to help CTF participants get ready for the PI flags.

The Killer Robots PI Challenges are getting a complete overhaul

OSIsoft is stepping up our game for S4x19. At S4x18, the PI System CTF environment was under hellfire. Competitors assaulted all challenges and defeated over 75% of them. This was a stark contrast to S4x17 where fewer than 25% of the PI challenges were conquered. Consequently, the Killer Robots PI environment will feature completely new challenges drawing from many disparate areas.

PI challenges focus on the most pervasive software hazards

Rather than targeted exploits or zero-days, the flags will involve exploiting “forever day” vulnerabilities resulting from misconfiguration, feature abuse through unexpected uses of the system, and credential theft & mismanagement. Though there will be creative twists and puzzle elements added, these are real problems the industry faces and the challenges are designed to serve the dual purposes of education and entertainment.

More technical problem solving, less wandering

We’re listening to feedback from competitors and making flags more objective and technical. Past “open world” style challenges were unpopular for their ambiguity and time-consuming nature. This year focuses on reverse engineering, weaponization, stealth tactics, forensics, and OPSEC. A higher proportion of flags will be offline, enabling some of the hardcore competitors who like to work until 2am.

A little preparation can go a long way

The bulk of the online challenges will use the PI Web API and PI Vision. Any competitor who familiarizes themselves with these applications will have a distinct advantage on the PI Challenges.