OT Systems of Municipality of The Hague (NL) Tested by Hackers
On 30 September, the operational technology (OT) of the municipality of The Hague was tested by 40 honest hackers. During the six-hour hack competition Hâck The Hague, traffic lights, car charging stations, a test setup of movable bridges, the setup of a pumping station and cameras were tested. Several unique reports of vulnerabilities were received. Three reports won a prize, and two findings received an honorable mention. Both professional hackers and students had registered for the hacking competition.
The lobby of The Hague city hall was filled with desks and with people in black hoodies, equipped with laptops and tools. Visitors who came to apply for a new passport encountered hackers trying to break into the operational technology of the municipality of The Hague. For example, laptops were read out, cameras were screwed open, and it was tested whether the Koningstunnel was accessible via a test simulator. A replica bridge, made available by Siemens, was also a target for the hackers. All hackers had to agree to special rules; for example, it was mandatory to report all discoveries to the organisation.
Jeroen Schipper, CISO of the municipality of The Hague: “Operational technology is becoming increasingly important when it comes to security. The systems and devices that were tested today are also accessible to malicious parties. During Hâck The Hague we try to gain insight into possible weak spots in a safe and controlled way, so that we can solve them. This not only increases our security, but also that of all other users worldwide. We are very proud of that and are very happy with the forty honest hackers who were present here today. Together with the participating suppliers, they have helped us to further tighten our security. In this way, we make ourselves vulnerable to become less vulnerable.”
Findings Hâck The Hague 2024
The ethical hackers found several vulnerabilities. Three cash prizes were awarded for this: €3,072, €1,536 and €768. Two findings received an honorable mention.
- The first honorable mention was a vulnerability with a low severity, accompanied by a concrete, feasible suggestion for improving the system.
- The second honorable mention had an average severity, because it could have a possible financial impact.
- The third prize was won for a finding with an average severity level: incorrect input could lead to a portal failure.
- The second prize went to a report with a high severity, where poor segmentation of the network caused a large attack surface.
- The first prize was awarded to hackers who were able to change something in a web portal. This finding also had a high severity.
Collaboration
Hâck The Hague is organised by the municipality in close collaboration with many partners, among them Zerocopter, KPN, Siemens and the Dutch Politie. Hudson Cybertec (a Kiwa company) and Living Lab Scheveningen were among the speakers.
The event is a good example of how the Municipality of The Hague practices what it preaches with regard to being the international city of Peace, Justice and Security.