Gamifying Education and Research on ICS Security: Design, Implementation and Results of S3
This addresses ICS security training for academia and industry, but it is incremental as it applies existing gamification methods to a new domain.
The paper tackled the challenge of ICS security education and research by designing and implementing a gamified Capture-The-Flag event called S3, which involved six attacker teams and academic defense systems, resulting in collected data and statistics from both training and live phases.
In this work, we consider challenges relating to security for Industrial Control Systems (ICS) in the context of ICS security education and research targeted both to academia and industry. We propose to address those challenges through gamified attack training and countermeasure evaluation. We tested our proposed ICS security gamification idea in the context of the (to the best of our knowledge) first Capture-The-Flag (CTF) event targeted to ICS security called SWaT Security Showdown (S3). Six teams acted as attackers in a security competition leveraging an ICS testbed, with several academic defense systems attempting to detect the ongoing attacks. The event was conducted in two phases. The online phase (a jeopardy-style CTF) served as a training session. The live phase was structured as an attack-defense CTF. We acted as judges and we assigned points to the attacker teams according to a scoring system that we developed internally based on multiple factors, including realistic attacker models. We conclude the paper with an evaluation and discussion of the S3, including statistics derived from the data collected in each phase of S3.