From enterprise applications and web browsers to mobile and IoT devices, hacking competition Pwn2Own has added another focus: industrial control system (ICS) and its associated protocols. Trend Micro’s Zero Day Initiative (ZDI), the bug bounty program behind Pwn2Own, has long been known to reward researchers for finding previously unknown software flaws.
Set to happen in Miami come January 2020, the competition will welcome ethical hackers looking to hack their way into different ICS-related software and protocols. ICS is a crucial addition to the competition as critical infrastructures rely on such systems to manage and/or automate industrial processes in sectors such as energy, manufacturing, and transportation.
White hat hackers will get the chance to break ICS security in five categories, including:
A pool of more than $250,000 in prizes has been allocated for eight targets across the aforementioned five categories. To provide a broad look at the different aspects of ICSs, the categories were determined based on how widely used the system is and the relevance to researchers and the ICS community. Hackers will have the opportunity to look into specific equipment for various vulnerabilities, including those that lead to unauthenticated crash or denial of service (DoS), remote code execution, and information disclosure.
The move to ICS may come as no surprise considering that ZDI purchased 224% more zero-day ICS software vulnerabilities in 2018, compared to the previous year. Moreover, a Trend Micro report found that the majority of the vulnerabilities disclosed in the first half-year of 2019 were related to software used in ICSs, including HMIs in supervisory control and data acquisition (SCADA) environments. HMIs are prime targets for threat actors looking to disrupt business operations as these are used as hubs for managing critical infrastructures and monitoring different control systems.
Hacking competitions like Pwn2Own seek to provide research to vendors and help harden their platforms by discovering the vulnerabilities before active attacks take advantage of them. ZDI will responsibly disclose all found security issues to ICS vendors for proper addressing.
As Industry 4.0 is being ushered in, more information technology (IT) and operational technology (OT) assets are converging and more security gaps are expected to be potentially exploited. We have outlined defensive strategies that organizations should follow to secure their ICS environments, such as:
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.