On 14-15 September 2023 Bristol Cyber Security Group (BCSG), supported by PETRAS Impact Event Funding, ran the UK’s first Capture-The-Flag (CTF)-style event focused on Critical National Infrastructure (CNI).

We were joined by academic and industry teams from across the UK, who pitted their skills against our CNI-themed challenges inspired by our experimental testbed. Our jeopardy-style red team exercises - a collection of hacking challenges organised according to different categories and pitched at various difficulty levels allowing for a scoring range –  were designed to challenge teams’ Operational Technology (OT) knowledge. 

The teams faced 53 challenges in total across packet capture analysis, logic analysis, asset discovery, data exfiltration, access control, honeypots, value tampering and red team. They began with a few warm up questions, to ensure familiarity with the CTF platform and the flag submission system, but also to introduce some of the key Industrial Control Systems terms. We also included a physical red-team challenge – lockpicking - involving multiple practice locks and a singular end “challenge lock”.

The challenges harnessed multiple aspects of the BCSG experimental testbed which, for the purposes of the event, were relocated to the competition room: servers, training boxes (bespoke equipment developed for our taught units on ICS security), demo box).