The way to hack an oil refinery seemed rather basic, or "basisk," to a team of potential hackers playing the part of a nation-state team, backed perhaps by the Chinese or Russian governments.
That's because the word "basisk" was the default user name and password for an internet-connected valve on an oil storage system in a mythical European refinery they hacked as part of a cyber wargame event Monday organized by information technology giant SAIC during a cyberspace symposium at The Broadmoor hotel's Colorado Hall.
It took the five-person team most of the 55 minutes set aside during the exercise to accomplish their goal, but they succeeded in shutting off the valve, making the tank overflow and shutting down the refinery - making their team the winner and the team defending the refinery from the hack the loser.
The nation-state team, which called itself EtherApe, was one of two hacking teams targeting the refinery's website, databases and industrial control systems. It had help on the inside from a spy who placed a beacon on the server that controlled the valve to make it easier to find and compromise. The other team was modeled after the international hacking group Anonymous, though they didn't wear the group's trademark hoodies or masks, and wanted to retaliate against the refinery for spilling millions of gallons of oil into the Atlantic Ocean.
The defending team admitted that its biggest mistake was failing to update a browser plug-in quickly enough, which proved to be the route EtherApe used to first access the refinery's networks. The team's spokesman also said they should have locked down critical technology immediately after detecting the intrusion.
"The Blue (defending) team operated well as a team; they knew their roles. But they were just a step behind the attackers," said Jason Nichols, solutions architect for SAIC in Reston, Va., who led the exercise and was part of the group that scored how well each team did to determine who won and lost the wargame.
Participants were symposium attendees who signed up for the exercise as one of several training events offered on the first day of the four-day conference, hosted by the Rocky Mountain chapter of the Armed Forces Communications and Electronics Association. Rhonda Dyer, SAIC's vice president of cyber capture and strategy, said Nichols selected participants for each team to balance their cyber experience and expertise to have a broad spectrum of talent.
The exercise is designed to be a game of cat-and-mouse, with the defenders responding and blocking the attackers, who try instead to exploit another vulnerability in the network, Nichols said.
"We were successful in getting people to think about cybersecurity in different ways, whether they had extensive or very little cybersecurity experience," Nichols said. "You have got to assume the bad guys will break in and expect that your network will be penetrated. You have to figure it out and contain the damage."
The exercise was the first time that SAIC had run the wargame outside the company, Dyer said. The event has been offered about "a half dozen" times in the past nine months, mostly for members of the company's board of directors or senior management to raise awareness about cybersecurity risks, she said.
"People are sitting at computers and trying to prevent an oil spill or a dam releasing too much water and causing a flood," Dyer said. "These hacks have real-life effects. People think that it is all about information technology and computers, but it is really about protecting critical infrastructure."
Contact Wayne Heilman: 636-0234