This has been a hard secret to keep. When I asked the team at Trend Micro’s ZDI in late spring if they would be interested in having an ICS Pwn2Own to be held at S4x20, they had already been considering this for years. To ZDI, it was just a question when the ICS community and the ICS products were ready for this. That time is now, or actually next January 21-23 at S4x20 in Miami South Beach.
Trend Micro / ZDI announced Pwn2Own Miami to, in their words, bring ICS into the Pwn2Own World. And they have come big with over $250K allocated to buy 0day exploits on specified important ICS targets. This is quite a change over free ICS vulnerabilities.
How Will Pwn2Own Miami Work?
This is a ZDI event being held at S4x20. The ZDI Pwn2Own Miami team makes the rules and all decisions. As I learned more about the contest, there were a few important points that I’m guessing many in the ICS security community don’t know about Pwn2Own.
Pwn2Own gets an incredible amount of offensive security talent to give an important target a hard test by rewarding that talent with money when they succeed. The vendors learn first about these problems and can fix them, which benefits all in the community.
In the enterprise and mobile environment, Pwn2Own was originally viewed negatively by the vendors whose products were targeted. It took over 5 years before Microsoft supported the Pwn2Own effort. Now it is seen by companies very serious about security, such as Microsoft, VMware and Tesla, as an opportunity for a great penetration test, an opportunity to find and fix vulnerabilities. So much so that they are now funding some of the prizes to exploit their own products.
We are not there yet in ICS, although it is noteworthy and impressive that Rockwell Automation is making their products available to Pwn2Own contestants. Pwn2Own Miami is the first try at anything like a significant prize or bug bounty for an ICS exploit, and Trend Micro / ZDI is providing all of the prize money.
Dale worked closely with the Pwn2Own Miami team to provide some advice on selecting targets and to introduce them to the people in the community who could help ensure the targets are highly realistic. There are three main criteria that make a great ICS Pwn2Own target in 2019/2020, in our opinion:
1. The target has a large market share.
2. The vendor has made an effort to develop a secure product.
3. Compromise of the target would allow an attacker to pivot and access an otherwise inaccessible ICS zone.
A fourth criterion, that the target was available for the competitors to research and develop exploits against, was of course critical. This criterion ruled out a lot of possible interesting targets. We did reach out to a handful of companies that met the three criteria but didn’t have a freely downloadable product, to see if they would make their products available for the contest.
The reaction was better than we expected, with all of them interested in participating. It is a tough internal sell to get all departments to sign off, and in the end only one company is making their walled-off product available: Rockwell Automation. A huge thanks to Rockwell Automation for participating.
It took Microsoft five years to see the value of participating in Pwn2Own, so getting even one ICS vendor to participate in year one is big. It does not mean that Rockwell Automation believes their products will survive the offensive talent. It does mean they feel their SDL is in a place where this is appropriate, and they want to find and fix identified vulnerabilities that lead to exploits. Maturity. Now to the targets:
OPC is a protocol that is widely used to move data between systems, the universal translator, and sometimes between security zones. Given all the known security issues in OPC, it failed to meet criterion #2. OPC UA was designed to address those security issues going forward. While it has a much lower market share than OPC, it is the better target. Two popular OPC UA server stacks were selected as targets. It also would be nice to find and fix serious vulnerabilities sooner in this protocol stack, which is still new by ICS timelines.
Another target that meets the criteria is Triangle Microworks’ (TMW) DNP3 Gateway. The TMW DNP3 protocol stack is in most implementations of DNP3. It has a massive market share. Adam Crain and Chris Sistrunk gave it serious response fuzz testing as part of their Project Robus, so it has had some level of testing. And while compromise of the DNP3 Gateway doesn’t provide access to an ICS zone from the Enterprise zone, it could allow an attacker in an unmanned substation or field site access to the Control Center.
An ICS Pwn2Own would seem incomplete without an HMI and Engineering Workstation (EWS) in the mix. The problem is that a large percentage of these are still designed and released with minimal concern for security. There has been some improvement since Billy Rios & Terry McCorkle quickly found 665 bugs in downloadable HMI, but it is still likely that most HMI would fall over quickly in Pwn2Own. Without considering this an endorsement, I recommended we try to get the HMI and EWS from Rockwell Automation into Pwn2Own. These products have a large footprint in manufacturing, water, balance of plant in electric and other sectors. It is important.
Schneider Electric’s EcoStruxure Operator Terminal was also added in the HMI category. The main reason is that this is a freely downloadable HMI from a big-name vendor.
Finally, the Pwn2Own Miami team wanted some backup targets in case the vendors we were pursuing couldn’t get internal approval to participate. And this happened. This led to the Control Server category, for want of a better term. We see Inductive Automation Ignition and Iconics Genesis64 in a variety of ICS. Most often it is with a cost-conscious asset owner who doesn’t feel they need a full-featured DCS. Sometimes they use these types of products for diverse Level 1 environments. I’ve also seen them used to provide an updated operator/engineer interface for legacy ICS. I’m very curious to see how this category fares; my guess is not well, and I’m hoping to be pleasantly surprised.
You can see a detailed description of the targets on the Pwn2Own Miami blog. The prizes are relatively consistent and simply stated as:
– $5,000 for Unauthenticated Crash / Denial of Service (this used to be an easy prize, is it still?)
– $10,000 for Information Disclosure
– $20,000 for Remote Code Execution
– $5,000 Continuation Bonus if Remote Code Execution does not affect operations
So up to $25,000 for a single exploit. And Pwn2Own Miami has allocated over $250,000 to buy exploits at the event.
ZDI brings more than the awareness, disclosure process, contest and prize money to the ICS community. They bring a set of offensive talent that has not seriously looked at the ICS space. The Pwn2Own Miami team will reach out to those who have successfully competed at past events and let them know of the opportunity to win more prize money in the ICS area.
I’m also hopeful that we see a good representation and prize winners from the ICS security community. We have a lot of talent in the community. And a lot of the work that has been done was purely out of curiosity. Now that curiosity can pay off. It is even possible that some in the community have 0day exploits in their kit they have chosen to keep to themselves. Certainly many in the ICS security community will have a head start with knowledge of the protocols and application software that are the targets.
It will be interesting to see who is the premier OPC UA researcher or who is the premier Rockwell Automation researcher. We chose to retire, at least temporarily, the S4 ICS CTF for S4x20. I’ve written on the reasons why. My hope is that some of those amazing teams put their skills and attention to the Pwn2Own Miami contest.
In a way this converts the CTF game to a more real world competition. The flags that Reid created for the CTF had a known solution. Where there wasn’t a vulnerability, Reid intentionally added one or made an intentional mistake that allowed the flag to be captured. The targets in Pwn2Own Miami will be actual ICS components configured in a manner that has eliminated known vulnerabilities. In fact, anything that is known by the vendor doesn’t qualify as an 0day.