Down they dropped like frozen iguanas: SCADA gateways, control servers, human-machine interfaces (HMIs), an engineering workstation, and other industrial control system (ICS) software on stage in the first-ever ICS Pwn2Own contest last week in Miami.
The three-day contest held during the S4x20 ICS conference placed ICS products in the hacker hot seat in South Beach, where on day one a sudden cold front blew into the city and led to a National Weather Service warning that the city's cold-blooded iguana population might fall from the trees as the chilly temperatures could temporarily paralyze the reptiles clinging to branches.
That there were mostly successful hacks in the 25 entries by eight teams of hackers in the contest should come as no surprise given the still-nascent state of security in ICS systems. Trend Micro's Zero Day Initiative (ZDI), which sponsors the renowned Pwn2Own contests, shelled out $280,000 in total in prize money to the successful hacking teams.
ICS vendors overall remain in catch-up mode when it comes to security, ICS security experts say. And in that vein, not many are ready to launch a bug bounty program nor likely to enthusiastically embrace participating in hacking contests like Pwn2Own. "A lot of codebases aren't ready for it," notes Dale Peterson, CEO of Digital Bond, founder and sponsor of S4x20. "But there also are some with serious SDLs [secure development life cycles] and that have worked on it really hard and hired third-party offensive teams with great talent to bang on their systems. They're ready for bug bounties."
Peterson says the engineering teams of at least three ICS vendors tried to participate in the ICS Pwn2Own contest, where ZDI pays bounties to the researchers for the bugs, but were thwarted by their own internal legal departments. As a matter of fact, only one ICS vendor, Rockwell Automation, voluntarily participated in the first-ever ICS contest in Miami last week, providing contestants with software licenses for its FactoryTalk View SE HMI and Automation Studio 5000 engineering workstation.
The remaining vendor products had publicly available software that the contestants were able to download and test: Triangle MicroWorks' SCADA Data Gateway; Iconics' Genesis64 control server; Inductive Automation Ignition's control server; and Schneider Electric's EcoStruxure Operator Terminal Expert HMI. The contest also featured the OPC (Open Platform Communications) Foundation's UA.NET standard for its UA server.
"A lot of [ICS vendors] have customers who will say 'Why is your product in Pwn2Own? This is a bad thing.' That's probably going to happen," Peterson notes. It's only a matter of time, though, before the vendors start opening up and offering their own vulnerability award programs. "But I'm hopeful in the next year we'll see one or more companies put out a bug bounty" program, he says.
Brian Gorenc, director of vulnerability research and head of Trend Micro's ZDI program, says Pwn2Own’s first-ever ICS contest drew new researchers who hadn't before participated in previous Pwn2Owns. "A lot of them don't focus on ICS on a day-to-day basis," he notes. "We worked on picking targets that would make the technology accessible. Rockwell preconfigured their VMs [virtual machines] and simulated PLCs [programmable logic controllers] to show the type of traffic a normal user with experience would have using those tools."
That kind of access helps foster strong research into the security of these systems, he says.
Same Bugs, Different Platforms
Many of the vulnerabilities that were used in the working exploits were the same found in any software program, such as memory corruption and deserialization. As with other Pwn2Own contests, the contestants had a few months with the targets before the actual event to find the flaws and create the attack exploits they launched during the live contest.
The flaws they found are reported to the vendors, which were on-site and had to qualify them. The vendors get 120 days to patch the bugs, Gorenc notes, although "we expect to see formal patches shortly," he says.
"There was definitely a mix of some software that didn't have all of the modern exploit mitigations in them," he says, although some had Microsoft's Address Space Layout Randomization (ASLR), a Windows mitigation that makes memory corruption vulnerabilities harder to exploit.
Gorenc says the bigger picture of the security of critical infrastructure likely will be the impetus that drives more-secure ICS products. "We need to protect our critical infrastructure," he says. "This is the right time now for a contest like this to come out and put the software under test with new eyes and bring out new research to develop stronger critical infrastructure and strong" defense to attacks, he says.
The big difference between Pwn2Own and regular vulnerability awards or bug bounties, he says, is that this goes a step beyond bug hunting, with bounties on the exploits themselves. "That's going to bring a different quality of work to the vendors. For the first time for us to come into this space and to have as many researchers come out shows a lot of people want to secure the software. Given a vehicle and platform like Pwn2Own is going to help step up" security work in ICS products, he says.
Renowned ICS security expert Jason Larsen, ICS principal at IOActive, thinks events like Pwn2Own could help move the needle toward more-secure ICS software and products. "It's long overdue in this space," Larsen says. "I've been working in ICS for 18 years and we're still finding trivial exploits."
Even so, the Pwn2Own bug bounty payouts in the contest are minuscule compared with underground markets, he says. "$20,000 is laughably low here," he notes, citing a typical payout for a successful exploit in the contest. "There already are established markets" for ICS bugs that pay much more, he says.
Zero-Day Market Today?
Just how deep the third-party broker market is for ICS zero-days, however, is not quite clear. That's a question that Sarah Freeman, of the Idaho National Laboratory, has been studying. Freeman tracks the activity of zero-day brokers such as Crowdfense and Zerodium, to try to determine whether those types of bugs are being purchased and sold. Bug brokers traditionally sell to high-dollar customers such as nation-states, in payouts to the tune of millions of dollars.
"There have been conversations in whispers of private transactions of ICS" bugs, Freeman says. "But by and large if you look at the publicly available information, it doesn't appear at first blush to be ICS" bugs that the brokers are purchasing, she notes.
Even so, a zero-day for a router that gets sold in that market could have security implications for an OT network, she says. Freeman predicts the market for ICS bugs will be worth about $50 million in 2019, based on the data and trends she was able to uncover online for the period of 2015–2019.
Some 55% of bounties went to desktop, servers, and routers; 45% to mobile. Among operating systems — Android, Linux, Windows, iOS, and macOS — the bounties were fairly evenly spread, with around 21% to 22% apiece.
ICS products could fall into some of those categories, of course, so it was hard to suss out the full picture of that sector of bugs. Freeman says that SCADA vulnerabilities represented about 30% of bugs purchased by the brokers in 2018.
But given that most ICS systems are relatively easy to exploit, attackers are less likely to bother burning a zero-day when they can just exploit a Windows vulnerability, for instance. "You don't necessarily need a zero-day to attack anything," she notes.