CISA ICS CTF Training Overview
This industrial control system (ICS) capture the flag (CTF) training server hosts a variety of ICS CTFs developed by INL and CISA.
CTF Cerulean
Overview
Initially deployed in Spring 2020, CTF Cerulean provides an introduction to a variety of ICS and security concepts and is the easiest of the CTFs on this training server.
All challenges in CTF Cerulean are currently available
Storyline & Challenges
This incident response scenario involves responding to a major incident at Cerulean Inc., which was recently hit by a cyber-attack. By solving these incident response challenges, you will uncover the techniques used by the attackers, analyze their techniques and tools, and attempt to prevent them from causing damage to the ICS network.
Challenges in CTF Cerulean are broken down into two categories:
- Incident Response: incident response challenges involving Cerulean Inc.
- ICS Training: various ICS and security concepts including protocols (BACnet, CANbus, Modbus, Serial), cryptography, ransomware, and more.
CTF Tarrey Town
Overview
Developed in 2023, CTF Tarrey Town provides an introduction to incident response within the Critical Manufacturing sector.
All challenges in CTF Tarrey Town are currently available
Storyline & Challenges
This incident response scenario involves investigating malicious activity seen within Tarrey Town Manufacturing. Tarrey Town Manufacturing creates critical pieces of equipment used by a variety of companies and critical infrastructure sectors. Impact to their manufacturing process would cause large downstream effects.
Challenges in CTF Tarrey Town are broken down into five categories:
- Sector Knowledge: crossword puzzle for critical manufacturing sector terms/topics
- BACnet Overview: introduction to the BACnet protocol using packet capture and Zeek logs
- Initial Access: investigating the attacker's initial foothold into Tarrey Town Manufacturing’s IT network
- Lateral Movement: investigating the attacker's lateral movement to various devices in the network and traversal from the IT to ICS network
- Persistence: investigating the attacker's persistence mechanism in the ICS network and their command-and-control (C2) channel
- Impact: investigating the impact the attacker was able to cause to the manufacturing/production line via ICS attacks
CTF Azalea
Overview
Initially deployed in Spring 2021, CTF Azalea provides a wider variety of ICS and security challenges and provides more difficult challenges than CTF Cerulean. This was the first CTF to include Malcolm as part of the incident response scenario.
All challenges in CTF Azalea are currently available
Storyline & Challenges
This incident response scenario involves investigating a major attack on Azalea Power Co.’s infrastructure. Solving challenges in this CTF will uncover the various attacks on Azalea Power Co.'s corporate IT network, as well as attacks in their building management system (BMS) and electric distribution (Electric Dist) networks and devices.
Challenges in CTF Azalea are broken down into three categories:
- Corporate IT: investigating data theft, phishing, ransomware and more on Azalea's corporate IT network
- Building Management: investigating compromised HMIs, ladder logic changes, and fire suppression mishaps on Azalea's building management network
- Electrical Distribution: investigating malicious downloads, obfuscated PowerShell, and tripping breakers on Azalea's electrical distribution network
CTF Rustboro
Overview
Initially deployed in Spring 2022, CTF Rustboro provides a range of challenge difficulties, ranging from introductory to extremely difficult and complex ICS and security challenges.
CTF Rustboro challenges will be made available in January 2025
Storyline & Challenges
This incident response scenario involves investigating a major attack on Rustboro ONG (oil and natural gas). Alongside the major attack at Rustboro ONG's headquarters, they are also dealing with a number of attacks at one of their outstations located in Petalburg.
Challenges in CTF Rustboro are broken down into five categories:
- Security Foundations: introductory challenges on various security and ICS concepts
- Rustboro IT: IT incident response challenges investigating the major attack at Rustboro's headquarters
- Rustboro ICS: ICS incident response challenges investigating the major attack at Rustboro's headquarters
- Petalburg IT: IT/security challenges investigating attacks at the Petalburg outstation
- Petalburg ICS: ICS challenges investigating attacks at the Petalburg outstation