ICS Detection Challenge: Phase I Identification Results

Main Stage

The ICS Detection Challenge is an objective test of the growing class of passive ICS detection solutions on the market. This session will announce the results and provide details on Phase I – Identification.

The contestants will be provided with pcap files from SPAN ports on a number of ICS switches and tasked with documenting the ICS to the greatest degree possible. These pcap files are from an actual ICS of moderate size and complexity in the oil/gas sector. The packets will be anonymized, but they are a representative, real-world test.

Cyber asset identification will be at a variety of specificity levels, with additional points granted for increased specificity. Bonus points can be won for correctly identifying cyber assets in a shorter time frame, to recognize the difference between automated analysis and human analysis.

For example, basic points could be won by identifying a cyber asset as a PLC running a specific protocol. Additional points could be won by identifying the make and model of the PLC. Additional points could be won by identifying the firmware version. Additional points could be won by identifying what the PLC was monitoring and controlling.

Detection & Response