Pwn2Own Contest to Focus on Industrial Control Systems
2020 Competition Will Focus on Hacking Critical Infrastructure Systems
The popular Pwn2Own contest will focus on hacking industrial control systems and protocols when the event is held in Miami next year, according to the Zero Day Initiative, the organization that oversees the competition.
The competition, which started in 2012, invites white hat hackers to discover vulnerabilities in software and devices and then develop exploits that are demonstrated at the contest. During the 2020 show, hackers are eligible for up to $250,000 in cash and other prizes.
Previous Pwn2Own contests have primarily focused on IT issues. Next year’s focus on industrial control systems is a result of the growing concern that cybersecurity professionals have about the safety and viability of systems used to run electrical systems, power grids, water treatment plants and other critical infrastructure.
"ICS and SCADA [Supervisory Control and Data Acquisition] products are behind much of the critical infrastructure we depend on, but the security of these systems has not been subjected to much public scrutiny," Brian Gorenc, director of the Zero Day Initiative, tells Information Security Media Group. "Pwn2Own Miami affords us the opportunity to bring together independent researchers and our industry partners to help find vulnerabilities and get them fixed before attackers can exploit them."
As part of the competition, white hat hackers will demonstrate exploits in industrial control systems, which are generally defined as systems used to control industrial processes such as manufacturing, product handling, production and distribution controls, according to the National Institute of Standards and Technology.
Announcing Pwn2Own Miami. We’re bringing #Pwn2Own to the #S4 conference in January to put #ICS products to the test. Get the details at https://t.co/NpRerbkT3c #P2OMiami #P2O - Zero Day Initiative (@thezdi), October 28, 2019
To be considered for the contest, exploits of these industrial control systems must be new and not previously seen in the wild. Once the exploits are demonstrated, the contest organizers will immediately contact the vendors whose technology is vulnerable so that patches can be developed, Zero Day Initiative notes.
Hackers will focus on five specific types of industrial control systems and protocols:
- Control server;
- OPC Unified Architecture (OPC UA) server;
- DNP3 gateway;
- Human Machine Interface (HMI) / Operator Workstation;
- Engineering Workstation Software (EWS).
While some industrial control systems are "air-gapped" - meaning that they are not connected to the internet - others are not. Gorenc notes that Human Machine Interfaces, a type of dashboard that connects an operator to equipment in a facility, now come with web interfaces and browsers that allow them to connect to the wider internet.
"We know some of the control servers and HMI [Human Machine Interface] have web server components, so they definitely can be affected by web-based exploits," Gorenc says. "This contest will help determine what else researchers can find. As with our other contests, Pwn2Own Miami seeks to harden these platforms by revealing vulnerabilities and providing that research to the vendors. The goal is always to get these bugs fixed before they're actively exploited by attackers."
Last March, the competition focused on the automobile industry for the first time, and a team of security researchers managed to hack a Tesla Model 3.
Mounting Security Challenges
Over the last several years, more security researchers have warned that industrial control systems are exposed to vulnerabilities that stem from the use of older software and hardware.
"Most of these controllers do not require authentication from those attempting to access them and alter their state. Most do not support encrypted communication," Mille Gandelsman, CTO of Indegy, notes in a blog post. "This means that anyone who has network access - a hacker, a malicious insider or even a careless employee - has unfettered access to the industrial process and can become a threat to the business."
Attackers have started to take notice of these flaws in industrial control systems.
For example, in June, Xenotime, a threat group that had previously targeted the oil and gas industry, shifted its focus to industrial control systems of power plants and utilities in the U.S., according to a report by security firm Dragos (see: Xenotime Group Sets Sights on Electrical Power Plants).