AT A GLANCE
What is Capture the Flag actually and what does it have to do with your work and the European Cyber Security Month?
Lukas Paulus: Capture The Flag is a computer security competition in which teams have to solve various security-relevant problems. Each time a team solves a problem they receive a flag that is worth a certain amount of points depending on the degree of difficulty. The aim of the game is to solve as many problems as possible to get the highest score at the end.
Benjamin Süß: We deal with cyber security every day and believe the European Cyber Security Month (ECSM) is a great opportunity to make society as a whole aware of issues such as digital security. The ECSM takes place each year in October and educates European citizens about security problems in dealing with IT. This year, we wanted to make our own contribution and set up a CTF contest in which more than 600 teams took part.
What gave you the idea to organise a CTF contest?
Benjamin: I first came into contact with CTF at a security conference. My enthusiasm quickly spread through the entire team and since then we’ve regularly taken part in CTF events in our spare time.
Lukas: By participating in various CTF contests, we’ve noticed that these interactive and playful events have a high learning effect in addition to the fun factor. Since we wanted, in particular, to raise the interest of students and school pupils in cyber security, the next logical step for us was to organise an industrial CTF contest ourselves.
Which challenges did you face?
Lukas: The biggest challenge was to create activities that were quite challenging but not unsolvable. We also needed to make sure that we had various categories and degrees of difficulty, thus ensuring there was something for everyone.
Benjamin: Another challenge was obviously finding real-life industrial problems that can be solved without the need for proprietary tools.
Do you encounter any of the problems that had to be solved in the CTF in everyday life?
Benjamin: Of course. Although we didn’t include any specific gaps in security that the participants had to exploit, the fundamental problems of the industrial sector were, by and large, dealt with.
Lukas: When we examine industrial components, we very often come across default passwords that have never been changed. We used this vulnerability in the CTF to show participants just how easily systems can be exploited. Yet another example are self-built cryptographic protocols, which can represent a considerable security risk. We also discussed the use of leaked access data.
Which parts of your CTF contest could the participants apply to real-life situations?
Lukas: In this case, you need to distinguish between teams that work with cyber security on a daily basis and teams that like to solve puzzles. The latter were made aware of digital security in their everyday lives and reminded to change default passwords for IoT devices and to store access data securely.
Benjamin: The security teams definitely learned about procedures and tools that help when dealing with industrial systems. Furthermore, we presented a number of state-of-the-art protocols (e.g. OPC UA or MQTT) for a range of purposes.
What did you gain from the CTF?
Lukas: I think I can answer that question on behalf of the entire SYSKRON Security Team: The unexpectedly high number of participants and the positive feedback showed that a CTF contest is ideal for raising awareness of cyber security. And that’s why we’ll probably be organising another CTF contest in 2020 as part of the ECSM.
Benjamin and Lukas are part of the SYSKRON Security Team (our experts for Industrial Security) and work daily on developing security solutions for industrial customers. They specialise in safeguarding existing industrial systems and guaranteeing the secure design of future production lines. Find out more about the work of our Security Team here.