Mechanics of STANDOFF 13
How the cyberbattle will go down for both attackers and defenders
In this document, we will describe how the cyberbattle will go down: the phases both types of team will face and how the results and rankings will be determined.
What you will find in this document
Mechanics for attackers
For the red teams, Standoff 13 will go down in two phases.
In this phase, the red teams will be divided into two states. The attackers will perform two types of tasks: those for ranking the states and those for earning team scores.
This phase will go down:
● In playoffs between the top four teams from the winning state
● In a play-in between the top four teams from the runner-up state
State S
13 red teams
State F
13 red teams
Confrontation of the States
The top four teams of the winning state
The top four teams of the second state
Playoff
Play-in
Phase 1. Confrontation between states
The phase will last three days:
—May 22 from 10:00 a.m. to 8:00 p.m.
—May 23 from 10:00 a.m. to 8:00 p.m.
—May 24 from 10:00 a.m. to 6:00 p.m.

In the first phase of the cyberbattle, the attacking teams will be divided into two states. The goal of the teams is to lead their state to victory while earning as high a team score as possible.
How the assignments will be scored
The attackers will have two types of assignments, the results of which will affect the state’s and the team’s performance.
Critical events for a state
When a critical event occurs for a state, points will be awarded to the state whose teams caused it. If any team causes such an event for their own state, it will not count.

Such events are worth one point each. The team that caused the event does not receive points for their team score. There are 10 types of state-critical events that can be brought upon an opposing state.
Example
A team from State S caused a critical event for State F by knocking out a switch in the OT network of a water intake station. The point will go to State S, and their score will be displayed on the Standoff 13 landing page:
—on the scoreboard of their state
—in the team rankings in the column State Events opposite the team or teams that caused it.

If a team from State F caused an event for State F, it will not count and they will not lose points.
When causing state events, teams belonging to a particular state can cooperate to lead their state to victory.
Tasks for team scoring
Ordinary critical events, rather than state events, can be caused for one’s own state or for another one. Such critical events or any vulnerabilities identified will go towards the ranking of the team versus the others within its state.

The calculation of the scores is dynamic. To read more about score calculation, see How to earn points.
How the winning state is determined
In the confrontation phase, the state whose teams cause the most state events will win. To view the results, see the Standoff 13 Cyberbattle website.
If two or more states rack up the same number of state critical events
If two or more states rack up the same number of state critical events, the state whose teams got the most normal critical events and identified the most vulnerabilities wins.

If one team is disqualified for breaking the rules, its score at the time of the violation will count as final. All team points earned after such a violation are forfeited.
If the states have differing numbers of teams
26 attacking teams have been approved to participate in the cyberbattle: 13 teams for each state. The number of teams may decrease as the game progresses.

If a team finishes with a zero in all columns: State critical events, Critical events caused, and Vulnerabilities identified, it will not be counted in the team standings for its state.
Important: A team will not be counted in its state's standings if the organizers discover any malicious action that violates either state's mechanics with the aim of undermining a given state's achievements.

Example. A team earned 100 points for vulnerabilities and 1,000 for critical events and then stopped playing. In this case, the organizers reserve the right to exclude the team from the state standings on the grounds of sabotage.
If states do not have an equal number of teams by the end of the phase, the winner will be determined by the average number of state events caused:

Example
State F
—Teams: 10
—CEs caused by the state: 20
—Calculation of the average: 20 ÷ 10 = 2

State S
—Teams: 9
—CEs caused by the state: 20
—Calculation of the average: 19 ÷ 9 = 2.1

Result: State S wins
How the top teams for each state will be determined
Team rankings within each state will be determined by the number of team points earned:
—for normal critical events
—for vulnerabilities detected

If all a state’s teams caused the same number of state events, but no team has caused events or identified vulnerabilities that count for team scoring, they will be ranked by the earliest state CE caused by each team.
Phase 2. Playoffs + Play-in
This phase will take place on May 25:
—playoffs: 10:00 a.m. to 6:00 p.m.
—play-in: 10:00 a.m. to 4:00 p.m.
Playoffs
The four leading teams from the winning state will qualify for the playoffs. Points earned in the confrontation between states phase will not count: all teams will start with an equal score.

The playoffs may have two phases depending on whether the attackers can cause non-tolerable events:
Main phase
During the main phase of the playoffs, the goal of the red teams is to cause non-tolerable events in the digital twin of the target Positive Technologies information systems:
  1. Interfering with software development or the build and delivery process.
  2. Stealing funds from corporate accounts.
How points are awarded

The calculation of scores is dynamic, with the score decreasing by 15% for each subsequent event. For a detailed description, see How to earn points.


How the winner is determined

Based on the total points for events caused.


Penalty phase
If no team manages to cause a non-tolerable event during the main phase, a penalty phase will take place from 4:00 p.m. to 6:00 p.m.
How points are awarded

The number of points specified in the task brief will be awarded for each event caused regardless of the order in which they are caused.

How the winner is determined

The winner is determined from the total points for non-tolerable events caused in the penalty phase. If no team causes any events during this phase, the winner will be determined by the points scored during the first three days of the cyberbattle, the confrontation between states phase.
Play-in
The four leading teams from the runner-up state will qualify for the play-in. Points earned during the confrontation between states phase will not count: all teams will start with an equal score. The play-in will last from 10:00 a.m. to 4:00 p.m. and there will be no penalty phase.

The teams must execute tasks prepared by Innostage regarding a digital twin of its structures.
How points are awarded

The calculation of points is dynamic, with points decreasing by 15% for each subsequent event caused. For a detailed description, see How to earn points.

How the winner is determined

The team with the most points wins. If the teams cause an equal number of non-tolerable events, the winner will be determined by which one submitted the earliest event.
Cyberbattle results
The final ranking for the cyberbattle will be determined as follows:
● 1st to 4th place—the top 4 teams
● 5th to 8th place—the top 4 teams in the play-in
● The 9th-placed team will be the 5th-placed team from the winning state
● The 10thth-placed team is the 5th-placed team from the runner-up state.

The 6th through 13th teams will be ranked by their contribution to causing state-level critical events and normal critical events.
Rules for defenders
The defending teams will be assigned to their respective industries through the course of the cyberbattle.
How will the cyberbattle go down?

For the defenders, the cyberbattle will not be divided into phases. Rather, throughout the cyber exercise, their main task will be to identify and investigate the attacks caused by the red teams.

For the defenders, the cyberbattle will adhere to the following schedule:
—May 22 from 10:00 a.m. to 8:00 p.m.
—May 23 from 10:00 a.m. to 8:00 p.m.
—May 24 from 10:00 a.m. to 8:00 p.m.
—May 25 from 10:00 a.m. to 8:00 p.m.

From May 22 to May 24, the defenders should identify and investigate red team attacks and submit reports. Teams participating in response mode should also try to stop the attackers.

On the last day of the cyberbattle, May 25—during the playoffs and play-in period for the red teams—the defenders will be have the chance to finish filling out their reports for the previous three days.
Results of the cyberbattle
The defenders' results will be posted on the Standoff 13 landing page with:
—the number of incidents detected
—the number of attacks detected

The two teams participating in response mode will also be informed of the number of incidents prevented.