What’s Out At S4x20 … and Why

 

We are retiring two activities that have been at past S4 events, and of course replacing them with things that we believe will appeal even more to the advanced attendee we target for S4.

The S4 ICS Capture The Flag (CTF) Competition

When we started this back at S4x15 it was the first of its kind. It took over from what we called the ICS Village in the years prior to that. The ICS Village was a great way to introduce attendees to ICS applications and Level 1 devices, but we found that many of the attendees didn’t know what to do on the network. The original CTF provided some guidance to try this and that. We learned a lot that first year.

The technical level and the competition greatly increased as we moved the event down to Miami South Beach and Reid Wightman took over creating and running the CTF. Reid aimed to challenge the top-level offensive talent, and the emphasis was on the skills rather than showing how an ICS monitored and controlled a physical process. Teams from Cisco, Booz Allen Hamilton, Claroty, IERAE in Japan, and others spent the entire S4 event competing, including many late nights.

Of course I’m biased, but I believe Reid, along with OSIsoft and some of the other CTF contributors, put together the best ICS CTF and was prepared to do it at least one more time at S4x20. So why are we retiring the CTF after S4x19? Because quality ICS CTFs are becoming regular features of many ICS events, and we design S4 to provide content and activities on the bleeding edge that you won’t see and experience elsewhere.

The ICS Village team has a very impressive and constantly improving system that they box up and ship around to a variety of ICS security events. Sometimes they will run a CTF in conjunction with this, and they always have tasks for visitors to tackle. Other security events are running limited ICS and IIoT CTFs. We knew we made the right decision to retire the S4 CTF when ICSJWG announced last week they are adding a CTF for the Fall Meeting. This capability and event feature is now well established, and it’s time for S4 to move on. (And we have some great new activities I’m anxious to announce.)

The ICS Detection Challenge

This is being retired for a completely different and depressing reason … the vendors would not compete. The ICS Detection Challenge at S4x18 had Claroty, Gravwell, Nozomi, and Security Matters competing. Our execution of the Challenge was mediocre in this first try, yet it still provided very useful information on the product category capabilities and market leaders.

We entered the S4x19 ICS Detection Challenge with great hopes and lessons learned. We did everything better and put together an amazing and realistic challenge. The team put in many hundreds of hours, and in the end only Dragos and Kaspersky were game to compete. Two companies do not make a competition, so it ended up being a demonstration. You can see links to both ICS Detection Challenges on this page.

The ICS Detection Challenge is needed, particularly to evaluate the detection capabilities in this hotly contested market. It is fairly easy for an asset owner to capture packets and have the vendors provide an asset inventory that can then be evaluated. There is no easy way to test detection because attacks do not occur often in the ICS zone. Today we primarily hear arguments based on emphatic assertion: “No, ours is really better. Detects more with less noise.” Unless an asset owner is prepared to spend 500+ hours of top talent with the right tools, they are not going to have a good test of detection.

We had even more volunteers and asset owner interest in the ICS Detection Challenge for S4x20. But there were not vendors clamoring to compete. So regrettably we are retiring the Challenge even though it is a good fit for S4 and needed for the community.


I look forward to announcing the new events being added for S4x20 shortly. We keep changing the event to keep it fresh and interesting for the advanced attendee. Tickets go on sale September 3rd.