Event RPE-006: The Defense at Pemberton Mill

Events

RPE-006: The Defense at Pemberton Mill

Date: June 21, 2019 | Location: DreamPort Facility in Columbia MD
Registration is now full.


Overview

The Pemberton Mill factory was built in 1853 and financed by John A. Lowell and his brother-in-law J. Pickering Putnam. The factory is located near the corner of Canal and Union streets in Lawrence, Massachusetts.

On Tuesday afternoon January 10th, 1860, the mill "buckled and collapsed with a mighty crash" starting on the fifth floor and working down, and many writers claim this was almost completely without warning. After a horrible fire started during the attempted rescue operations from the rubble, it is believed that between 115, and as many as 145 people perished in total with as many, or more, wounded. Many believe this is the worst industrial accident in the Commonwealth of Massachusetts history. While some write the cause of accident that preceded the fire was determined to be faulty iron supports, Wikipedia claims that after being sold as a loss, new owners of Pemberton Mill also added new machinery in attempts to boost output and profits which could have contributed to the demise.

While any such tragedy is hard to deal with alone there are regrettably numerous other factory disasters that happened during this time that caused the unnecessary loss of life such as the Triangle Shirtwaist Factory fire of 1911 and the Oppau Explosion of 1921.

While we regrettably cannot save the workers at Pemberton Mill and similar tragedies, what defenses can we add to factories today to prevent cyber-attacks from halting production, stealing innovation and jobs, and maybe even harming the surrounding environment?

DreamPort is currently building the miniature Acme Corporation Company factory within our Columbia headquarters complete with additive manufacturing (3D printing), subtractive manufacturing (CNC routing), robotic arms, product sorting, and even environmental monitoring. This factory runs a variety of Programmable Logic Controllers (PLCs) from Siemens, Schneider Electric, Mitsubishi and others for operating machines and Internet of Things (IoT) devices executing supervisory and physical security activities ensuring production of the various widgets our ACME Corporation Company makes.

We are currently seeking solutions that monitor the ACME network for vulnerabilities and detect cyber-attacks in progress. We want participants to bring solutions for monitoring a combination of information technology (IT) and operational technology (OT) networks both in live (with network taps) and offline (PCAP) mode.

Factory Networks

The ACME Corporation Company factory contains multiple network segments each with a specific purpose you might see in a normal network connected small to medium manufacturer (SMM) today:

Wireless The wireless network reaches the Internet for device updates and for IoT devices to communicate with the environmental monitoring server.
Factory Floor OT The OT subnet contains PLC and machines on the factory floor. This wired network also contains a historian host.
Users Employees of the factory have physical access to both wired and wireless networks.
Server Wired network consists of domain controller, file server and other IT devices.

DreamPort has installed network taps throughout these various subnets for the purposes of packet capture and will be capturing traffic non-stop until the actual RPE recordings occur. This portion of the traffic is guaranteed to include no overt malicious events, to enable factory baseline characterization.

This network runs a Windows Server 2012 Active Directory domain named theacmecorporation.company and has multiple users with a single Administrator account.

Vulnerabilities

There will be at least 1 vulnerability in each network (IT, OT, IoT), to include at least 1 remotely exploitable vulnerability across all networks. We also reserve the right to have an insider insert vulnerabilities into the network with an overt action such as installing malicious software or hardware.

Attacks

As stated previously, we will be performing network capture on the ACME Corporation Company networks continuously. During the execution of recording this RPE, DreamPort engineers will execute at least one attack or exploit event to determine if participants can detect the occurrence.

Machine Learning

For this RPE we will award additional points to any participant who can prove their use of machine learning (in a one-on-one interview) for the purposes of identification or prediction of vulnerabilities before launch of attacks. We will not require teams to reveal details about their algorithms or features just to provide a demonstration or show documentation of equal error rates (EER) in testing to DreamPort personnel.

Evaluation

Participants will be evaluated by the ability of their solution to detect both vulnerabilities and attacks in progress. Participants must be able to process both live networks (through network taps) and offline pre-recorded PCAP and will be required to ingest both types of data to be considered a full participant. During ingestion time windows, participants should plan to submit the following types of information through our communication system:

  • Observed vulnerabilities (with evidence including CVE, CWE or vulnerability references)
  • Perceived/Potential vulnerabilities (with explanations)
  • Observed attacks (with explanations or evidence)
  • Network maps (as detailed as possible)

When analyzing PCAP, participants should expect to receive one or more PCAP files up to 100 megabytes in size. Each participant group will receive the same PCAP files at the same time via USB stick.

Live Evaluation

We plan to reserve a time window where each participant can monitor one or more of the network taps during execution of scenarios to determine if the participant can detect activities in progress and measure the time delta between execution and detection. The scenarios that will be executed during this time will remain the same for all participants including to the furthest extent possible the time delays between each event that occur. We will only allow 1 participant to connect to the network at a time.

Strong consideration provided to a team who can prove use of machine learning with a demonstration.

Suggested Skills

This RPE requires participants have the at least intermediate the following skills:

  • PCAP
  • Industrial Control System (ICS) understanding
  • PLC/RTU protocol network monitoring
  • IoT protocol network monitoring
  • Vulnerability Scanning/Analysis
  • Intrusion Detection

Execution

Participants should plan to bring their own equipment and a team of no more than 5 personnel. Internet access will be available during the entire RPE but participants should not expect Internet access while connected to the operational network.

Expected Solution

DreamPort is working to clearly establish a suite of critical defenses that a typical small manufacturer network which employs IT, OT and IoT assets should install and operate. While there is no substitute for skilled and motivated personnel, we need to identify what critical hardware and software assets exist in the market that can be used to protect hybrid networks and which a small manufacturer should employ to protect themselves. Just as the firewall and anti-virus became synonymous with endpoint and network security on traditional IT networks, we need to find what we can use on OT and IoT assets.