From enterprise applications and web browsers to mobile and IoT devices, the hacking competition Pwn2Own has added another focus: industrial control systems (ICS) and their associated protocols. Trend Micro’s Zero Day Initiative (ZDI), the bug bounty program behind Pwn2Own, has long been known to reward researchers for finding previously unknown software flaws.
Set to happen in Miami come January 2020, the competition will welcome ethical hackers looking to hack their way into different ICS-related software and protocols. ICS is a crucial addition to the competition as critical infrastructures rely on such systems to manage and/or automate industrial processes in sectors such as energy, manufacturing, and transportation.
White hat hackers will get the chance to break ICS security in five categories:
Control Server – covers server solutions that provide connectivity, control, and monitoring across programmable logic controllers (PLCs) and other field systems
DNP3 Gateway – covers the set of communications protocols used between ICS components
Engineering Workstation Software (EWS) – covers primary control equipment like PLCs, and role-based mechanisms
Human Machine Interface (HMI)/Operator Workstation – covers the dashboard that connects an operator to industrial equipment and web server components that can also be affected by web-based exploits
OPC Unified Architecture (OPC UA) Server – covers the “universal translator protocol in the ICS world” used by almost all ICS products for sending data between vendor systems
A pool of more than $250,000 in prizes has been allocated for eight targets across the aforementioned five categories. To provide a broad look at the different aspects of ICSs, the categories were chosen based on how widely each system is used and its relevance to researchers and the ICS community. Hackers will have the opportunity to look into specific equipment for various vulnerabilities, including those that lead to an unauthenticated crash or denial of service (DoS), remote code execution, and information disclosure.
A complete discussion of the different vulnerability categories, including case studies of vulnerable SCADA HMIs, can be found in our paper, “Hacker Machine Interface: The State of SCADA HMI Vulnerabilities.” We also provide some guidance for vulnerability researchers, including vendors who are auditing their own solutions, regarding discovering bugs quickly and efficiently.
The move to ICS may come as no surprise considering that ZDI purchased 224% more zero-day ICS software vulnerabilities in 2018 than in the previous year. Moreover, a Trend Micro report found that the majority of the vulnerabilities disclosed in the first half of 2019 were related to software used in ICSs, including HMIs in supervisory control and data acquisition (SCADA) environments. HMIs are prime targets for threat actors looking to disrupt business operations, as they serve as hubs for managing critical infrastructures and monitoring different control systems.
Defensive Strategies for ICS Environments
Hacking competitions like Pwn2Own seek to provide research to vendors and help harden their platforms by discovering vulnerabilities before active attacks take advantage of them. ZDI will responsibly disclose all security issues found to the affected ICS vendors so they can be properly addressed.
In our research paper, “Securing Smart Factories: Threats to Manufacturing Environments in the Era of Industry 4.0,” we discuss the most noteworthy threats to the manufacturing industry, identify the weak points that attackers may take advantage of, and provide relevant security recommendations.
As Industry 4.0 is ushered in, more information technology (IT) and operational technology (OT) assets are converging, and more security gaps are expected to be exposed to potential exploitation. We have outlined defensive strategies that organizations should follow to secure their ICS environments, such as:
Network Segmentation. Isolate critical parts of the system by dividing the system into distinct security zones and implementing layers of protection.
Access Policies and Control. Control access to a network, device, or service by defining security roles and responsibilities (i.e., establishing authentication policies and procedures).
Change Control and Configuration Management. Employ modification limits to hardware, firmware, software, and documentation to ensure protection against improper changes to infrastructure.
Intrusion Detection. Establish methods for monitoring system activity and identifying potentially malicious network events.