2016 Cyber Defense Competition:
The CyberInnovations Critical Hosting Company (CCHC) is a corporation in Metropolitan, Illinois. It functions as a hosting company and has many critical infrastructure clients from around Illinois. Generally, these clients are small power distributors with the responsibility to provide power to customers and homes. Paired with services provided by your team, CCHC’s clients will have secure access to local storage of their own information, without incurring the overhead costs of maintaining an on site information technology (IT) staff. CCHC provides Web, file sharing, and remote operating services for each physical site.
Your team has been put in charge of launching a new CCHC customer installation. Your challenge, should you choose to accept it, is to design a secure network that will hold up to attack and keep client information secure. Your team will set up both the physical devices and virtual services at the customer site. You must maintain servers for the contracted services and be able to guarantee the security of the data and the availability of the services. There are many issues to be addressed, including flexibility and usability, which are of the utmost importance; however, the security of client data cannot be sacrificed in the process. Protected data may reside on any of the servers, as clients can log into any of the advertised services. You must additionally provide the infrastructure for these servers (domain name service [DNS], intrusion detection system, and firewalls). You may use network address translation (NAT), but each advertised service (Web, file sharing, and remote access) must have a public Internet protocol (IP) address. You will be given a list of user names that must be implemented for each advertised service. Given these ground rules, any implementation is acceptable as long as it provides the following:
Web Server (www.siteN.cchc.competition)
This client currently has an operational Web site (siteN.cchc.com) and will provide your team with a prebuilt Web server once you begin setting up your network. The client will have a login to this server to update its Web content. You may not remove any client content from this machine: doing so will be considered equivalent to taking the Web server offline. Your team should instead focus on implementing global security measures (Apache configuration, PHP configuration, MySQL configuration, ModSecurity, etc.) that will protect your Web server from any malicious or badly written client code.
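The "global security measures" called for above can be expressed almost entirely in the Web server's own configuration. The following Apache 2.4 virtual host is an added illustration, not a configuration supplied by CCHC or by the competition: it assumes a Debian-style layout with mod_php, mod_headers and mod_security2 loaded, client content under /var/www/siteN, FTP/SFTP uploads under /var/www/siteN/uploads, and the OWASP Core Rule Set at /etc/modsecurity/crs (all of these paths are assumptions). The point is that every restriction lives in the server config, where the client's login cannot loosen it, rather than in the client's own PHP code.

```apache
# Added example (not part of the CDC scenario). Hardening applied at the
# server level so that badly written or malicious client PHP cannot be
# used to take over the box. Paths and the site name are assumptions.

# Server-wide: do not advertise version details, and disable TRACE.
ServerTokens Prod
ServerSignature Off
TraceEnable Off

<VirtualHost *:80>
    ServerName www.siteN.cchc.competition
    DocumentRoot /var/www/siteN

    # Response-header hygiene (mod_headers).
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"

    <Directory /var/www/siteN>
        # No directory listings, no CGI, no .htaccess overrides from client code.
        Options -Indexes -ExecCGI -Includes
        AllowOverride None
        Require all granted

        # PHP limits the client cannot override: php_admin_* values ignore
        # ini_set() and .htaccess. open_basedir confines file access to the
        # site tree; disable_functions removes the usual command-execution path.
        php_admin_flag  display_errors    Off
        php_admin_flag  expose_php        Off
        php_admin_flag  allow_url_fopen   Off
        php_admin_flag  allow_url_include Off
        php_admin_value open_basedir      "/var/www/siteN/:/tmp/"
        php_admin_value disable_functions "exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec"
        php_admin_value upload_max_filesize "8M"
        php_admin_value post_max_size       "8M"
    </Directory>

    # The FTP/SFTP upload area is served as static files only: the PHP
    # engine is off here and anything that looks like a script is refused,
    # so an uploaded script is never executed by the Web server.
    <Directory /var/www/siteN/uploads>
        php_admin_flag engine Off
        <FilesMatch "\.(ph(p[3-7]?|t|tml|ar)|cgi|pl|py|sh)$">
            Require all denied
        </FilesMatch>
    </Directory>

    # ModSecurity in blocking mode with the OWASP Core Rule Set.
    # The CRS path is an assumption; use the one your package installs.
    <IfModule security2_module>
        SecRuleEngine On
        SecRequestBodyAccess On
        SecAuditEngine RelevantOnly
        SecAuditLog /var/log/apache2/modsec_audit.log
        IncludeOptional /etc/modsecurity/crs/crs-setup.conf
        IncludeOptional /etc/modsecurity/crs/rules/*.conf
    </IfModule>

    ErrorLog  ${APACHE_LOG_DIR}/siteN_error.log
    CustomLog ${APACHE_LOG_DIR}/siteN_access.log combined
</VirtualHost>
```

Validate with `apachectl configtest` before reloading, and pair the config with filesystem permissions: the document root should be owned by the client's FTP/SFTP account and readable but not writable by the Apache user, so a bug in the client's PHP cannot modify the site it serves from. The ModSecurity audit log doubles as a source for the periodic intrusion reports CCHC Corporate asks for.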
FTP Server (ftp.siteN.cchc.competition)
Employees currently use an FTP file server to upload and download related content. Users must be able to connect to this box over file transfer protocol (FTP) or secure file transfer protocol (SFTP) to update their Web sites’ content. All files on this server must be available through the web-based interface on www.siteN.cchc.com. (Note: N is the number of your team.)
Domain Name Server (ns.siteN.cchc.competition)
Management of DNS will need to be handled by your team. You will need to provide the IP address of this machine to the CDC Corporate IT team at least one week before your site goes online. Remember that if this service fails, no one will be able to access any of your services.
Remote Operations Server (rdp.siteN.cchc.competition)
One of the main motivations for moving to CCHC was the secure access it provides for command and control (C&C) of the site’s associated supervisory control and data acquisition (SCADA) environment. You will need to provide secure access to a Windows box running a human-machine interface (HMI) center that controls two programmable logic controllers (PLCs). The PLCs and HMIs are currently functional, and it is critical that their functionality never be interrupted. It will be your task to architect this functionality securely into the environment so that the required services continue to be provided while this capability is protected from compromise.
Industrial Control System
This client currently uses a SCADA system for C&C purposes. Your team must take on the challenge of keeping your SCADA system up and running. Each team will have a Raspberry Pi installed with ICS controls that monitor and control power generation for industrial processes. The Raspberry Pi will have a light-emitting diode (LED) to show whether the SCADA system is still running and has not been compromised. It is essential that this ICS remains running and functional at all times.
Intrusion Detection Systems and Firewalls
Your team may decide to structure your network to use one or more firewalls to protect your servers. CCHC Corporate recommends pfSense for this task (www.pfsense.org), although other solutions are acceptable, as well. Remember that all advertised services (Web, file sharing, mail, and remote access) must have a unique public IP address.
To ensure the security of your network, CCHC Corporate also recommends that you employ an intrusion detection system. The recommended product is Snort (www.snort.org), used with the BASE Web interface (base.secureideas.net), since it is free, widely documented and supported, and easy to use. CCHC Corporate would appreciate periodic intrusion/counter-intrusion reports.
Because of cleanup and remodeling work, the new building is not accessible to you until the day before your site goes online. Consequently, all setup will be performed remotely. The day before your site goes online, you will have a six-hour window in which to put the finishing touches on your network before clients begin using your services, after which the Corporate Red Team is allowed to begin testing. For auditing purposes, CCHC Corporate requires that your network be documented; for public relations, you must have a guide available that your clients can use to access your services. Both of these documents must be provided to CCHC Corporate prior to your site coming online.
2016 Competition Teams:
GSU Jaguars – Governors State University
Faculty Lead: Steve Hyzny
CyberFlyers – Lewis University
Faculty Leads: Ray Klump, Jason Perry
Lewis U Flyers – Lewis University
Faculty Leads: Faisal Abdullah, Safwan Omari
sysSec – Northern Illinois University
Faculty Lead: Daniel Rogness
Fire Team Kernel – University of Illinois at Chicago
Faculty Lead: Rigel Gjomemo
UIUC – University of Illinois at Urbana-Champaign
Faculty Leads: Syed Hasan, John Bambenec
BINAGT – University of Northern Iowa
Faculty Lead: Paul Allen Gray
ISEAGE – Iowa State University
Faculty Lead: Doug Jacobson
Congratulations to the winning teams from ANL’s 2016 CDC competition:
1st Place – Iowa State University
2nd Place – University of Northern Iowa
3rd Place – University of Illinois Urbana-Champaign