Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

04:44 PM
Connect Directly

Pwn2Own Adds Industrial Control Systems to Hacking Contest

The Zero Day Initiative will bring its first ICS Pwn2Own competition to the S4x20 conference in January.

Vulnerability research competition Pwn2Own is expanding to include industrial control system (ICS), giving researchers an opportunity to hunt for bugs in popular ICS software and protocols.

This is the first time Trend Micro's Pwn2Own, now in its twelfth year, has added ICS tech to its lineup. The Vancouver-based contest started out challenging ethical hackers to find flaws in Web browsers; since then, it has expanded to include virtualization software and enterprise applications. This past March, PWn2Own participants hacked into a Tesla Model 3's infotainment system.

Its first ICS security competition will take place at the January S4 conference in Miami Beach. The decision to have ICS Pwn2Own at S4 was mutual, says Dale Petersen, founder of S4 Events and Digital Bond. When he approached Trend Micro's Zero-Day Initiative (ZDI) back in the spring to propose bringing ICS Pwn2Own to S4x20, they had already been thinking about it. In 2018, ZDI purchased 224% more zero-day vulnerabilities in ICS software compared with the previous year, demonstrating a growing need to research bugs in industrial control software.

One challenge has been finding the right time to introduce a hacking contest for ICS technology, which as Peterson points out, has long lagged behind in terms of security. "The industry wasn't ready for it," he says. Pwn2Own could have held an offensive security contest, but it would have been relatively easy for researchers to break into systems. Now, systems' protections are stronger, he explains. Today's ICS technology, while not perfect, gives researchers a challenge.

Brian Gorenc, director of Zero-Day Initiative, says S4 is the "perfect location" to launch an ICS-focused Pwn2Own. "Those products control many pieces of critical infrastructure but are often overlooked by researchers," he explains. The goal of Pwn2Own Miami is to build on the security of existing ICS technology by discovering vulnerabilities and providing the research to vendors.

This kind of competition presents a host of logistical challenges, he continues. Are products easily available for organizers and researchers? How are they configured? Can all the necessary equipment be shipped to the conference location?

"With ICS, we obviously can't ship a centrifuge to a hotel, and researchers are unlikely to have pump controllers sitting around for them to test," Gorenc adds. "However, we were able to work with our industry contacts to find readily available, software-based ICS products that make sense to include in the contest."

Organizers reached out to several people and firms in the ICS sector, says Peterson, and technologies were considered with two key factors in mind. First was the footprint, or how widely used the system is. Second was its relevance to researchers and the ICS community. Rockwell Automation, for one, is providing virtual machines with their products for the contest.

ICS Pwn2Own will be broken down into five categories: Control Server, OPC Unified Architecture (OPC UA) Server, DNP3 Gateway, Human Machine Interface (HMI)/Operator Workstation, and Engineering Workstation Software (EWS).

"We chose these categories based on the conversations we had with those in the ICS sector and based on what we could logistically accomplish," he continues. "These five categories provide a broad look at different aspects of ICS and provide a wide set of targets for researchers.

EWS is a hot target for attackers as it directly communicates and can configure primary control equipment like PLCs, Gorenc says. The HMI category is similar: attackers target the HMI as it often has Web server components and can definitely be affected by Web-based exploits. "Highly deployed ICS software is often locked behind a paywall and not easily accessible to researchers," he says. Pwn2Own aims to remove these barriers to let researchers evaluate security.

The Contest

How it works: targets will be announced three months before the competition, giving Pwn2Own contestants a window of time to develop an exploit, Peterson explains. At the show, they have three five-minute attempts to exploit the target. If a denial of service, information disclosure, or remote code execution exploit works, the successful researcher, Pwn2Own team, and ICS vendor (if they choose to participate) will meet to discuss the details. The vendor will verify if it's a true zero-day; if so, it follows ZDI's disclosure policy allowing the vendor 120 days to fix it.

Pwn2Own has allocated more than $250,000 in cash and prizes for eight targets across these five categories, Gorenc writes in a blog post on the news. The contest will usually buy many successful exploits for a target, a tactic meant to encourage participation from more researchers.

Is the ICS community ready for a competition like this? There will be people who don't like it, Peterson says, though he believes it's a positive step forward for the industry. In his view, the organizations that don't update their systems put the industry at greater risk than researchers looking for vulnerabilities in them. Gorenc notes the overall reaction has been positive.

"There is definitely some trepidation, but Pwn2Own has a history of working with vendors to get bugs fixed before they are used in active attacks," he says.

Related Content:

This free, all-day online conference offers a look at the latest tools, strategies, and best practices for protecting your organization’s most sensitive data. Click for more information and, to register, here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Active Directory Needs an Update: Here's Why
Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus,  1/16/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.
PUBLISHED: 2020-01-18
An issue was discovered in Amcrest Web Server 2.520.AC00.18.R 2017-06-29 WEB The login page responds with JavaScript when one tries to authenticate. An attacker who changes the result parameter (to true) in this JavaScript code can bypass authentication and achieve limited privileges (...