Critical Infrastructure Security Showdown (CISS) – Results


The Critical Infrastructure Security Showdown (CISS) 2019

In August 2019, SIGA participated in the Critical Infrastructure Security Showdown (CISS) 2019 in Singapore, together with Radiflow and ST Engineering Cybersecurity.

The full report is now available, and the results show that the SIGA product, as part of Product D, received the highest ranking score for detection of most of the anomalies related to the OT process.


The Critical Infrastructure Security Showdown (CISS) 2019 is the third run of iTrust’s technology assessment exercise. Organized by iTrust, the CISS 2019 exercise took place at SUTD (The Singapore University of Technology and Design) from the 26th to the 30th of August, 2019, and involved seven Red Teams and five Blue Teams from both academia and industry. The testbed consisted of a modern six-stage water treatment process that closely mimics a real-world treatment plant. Among the objectives of the exercise was to enable blue teams to showcase their detection capabilities against cyber-attacks.

The Process

Stage 1 of the physical process begins by taking in raw water, followed by chemical dosing (Stage 2), filtering it through an Ultrafiltration (UF) system (Stage 3), dechlorination using UV lamps (Stage 4), and then feeding it to a Reverse Osmosis (RO) system (Stage 5). A backwash process (Stage 6) cleans the membranes in UF using the RO permeate.


The network and cyber portion of SWaT consists of a layered communications network, Allen-Bradley Programmable Logic Controllers (PLCs), Human Machine Interfaces (HMIs), a Supervisory Control and Data Acquisition (SCADA) workstation, and a Historian. Data from sensors is available to the SCADA system and recorded by the Historian for subsequent analysis.


SIGA Level 0 Monitoring and Anomaly Detection

SIGA provided the SigaGuard solution for level 0 monitoring by integrating into the electrical signals of the water treatment process, gaining direct visibility into the OT process. The integration was made into 18 analog I/Os as depicted below and provided an isolated out-of-band monitoring environment which cannot be affected by the network level.


Almost 90% of documented successful attacks were level 0 attacks (i.e. the attackers' objective was manipulation of the process). 85% of total OT anomalies were detected by Product D (while the next runner-up succeeded in detecting only 57%). In total, 54 physical process anomalies were recorded. With respect to sensor data anomalies, “Product D performed significantly better than all other technologies;… Product D detected 30 out of 35 attacks i.e., about 85% of the attacks.”

As seen in the graph below, “Across the commercial products, Product D outperformed the other products. It had a 100% detection rate for (e) and superior detection rates for attacks (a) to (d).”

SIGA’s anomaly detection screenshots from the CISS Showdown