Selecting The ICS Pwn2Own Targets

I worked closely with the Pwn2Own Miami team to provide some advice on selecting targets and introduce them to the people in the community who could help ensure the targets are highly realistic. There are three main criteria that make a great ICS Pwn2Own target in 2019/2020, in our opinion:

1. The target has a large market share.

2. The vendor has made an effort to develop a secure product.

3. Compromise of the target would allow an attacker to pivot and access an otherwise inaccessible ICS zone.

A fourth criterion, that the target be available for the competitors to research and develop exploits against, was of course critical. This criterion ruled out a lot of possible interesting targets. We did reach out to a handful of companies that met the three criteria but didn’t have a freely downloadable product, to see if they would make their products available for the contest.

The reaction was better than we expected, with all of them interested in participating. It is a tough internal sell to get all departments to sign off, and in the end only one company is making its walled-off product available: Rockwell Automation. A huge thanks to Rockwell Automation for participating.

It took Microsoft five years to see the value of participating in Pwn2Own, so getting even one ICS vendor to participate in year one is big. It does not mean that Rockwell Automation believes their products will survive the offensive talent. It does mean they feel their SDL is in a place where this is appropriate, and they want to find and fix identified vulnerabilities that lead to exploits. Maturity. Now to the targets:

OPC UA Server Category: Unified Automation ANSI C Demo Server and OPC Foundation OPC UA .NET Standard

OPC is a protocol that is widely used to move data between systems, the universal translator, and sometimes between security zones. Given all the known security issues in OPC, it failed to meet criterion #2. OPC UA was designed to address those security issues going forward. While it has a much lower market share than OPC, it is the better target. Two popular OPC UA server stacks were selected as targets. It also would be nice to find and fix serious vulnerabilities sooner in this protocol stack, which is still new by ICS timelines.

DNP3 Gateway Category: Triangle Microworks SCADA Data Gateway

Another target that meets the criteria is Triangle Microworks’ (TMW) DNP3 Gateway. The TMW DNP3 protocol stack is in most implementations of DNP3. It has a massive market share. Adam Crain and Chris Sistrunk gave it a serious round of fuzz testing as part of their Project Robus, so it has had some level of testing. And while compromise of the DNP3 Gateway doesn’t provide access to an ICS zone from the Enterprise zone, it could allow an attacker in an unmanned substation or field site access to the Control Center.

HMI Category: Rockwell Automation FactoryTalk View SE and Schneider Electric EcoStruxure Operator Terminal Expert
EWS Category: Rockwell Automation Studio 5000

An ICS Pwn2Own would seem incomplete without an HMI and Engineering Workstation (EWS) in the mix. The problem is that a large percentage of these are still designed and released with minimal concern for security. There has been some improvement since Billy Rios & Terry McCorkle quickly found 665 bugs in downloadable HMI, but it is still likely that most HMI would fall over quickly in Pwn2Own. Without considering this an endorsement, I recommended we try to get the HMI and EWS from Rockwell Automation into Pwn2Own. These products have a large footprint in manufacturing, water, balance of plant in electric and other sectors. It is important.

Schneider Electric’s EcoStruxure Operator Terminal was also added in the HMI category. The main reason is that this is a freely downloadable HMI from a big-name vendor.

Control Server Category: Inductive Automation Ignition and Iconics Genesis64

Finally, the Pwn2Own Miami team wanted some backup targets in case the vendors we were pursuing couldn’t get internal approval to participate. And this happened. This led to the Control Server category, for want of a better term. We see Inductive Automation Ignition and Iconics Genesis64 in a variety of ICS. Most often it is with a cost-conscious asset owner who doesn’t feel they need a full-featured DCS. Sometimes they use these types of products for diverse Level 1 environments. I’ve also seen them used to provide an updated operator/engineer interface for legacy ICS. I’m very curious to see how this category fares; my guess is not well, and I’m hoping to be pleasantly surprised.

You can see a detailed description of the targets on the Pwn2Own Miami blog. The prizes are relatively consistent and simply stated as:

– $5,000 for Unauthenticated Crash / Denial of Service (this used to be an easy prize, is it still?)

– $10,000 for Information Disclosure

– $20,000 for Remote Code Execution

– $5,000 Continuation Bonus if Remote Code Execution does not affect operations

So up to $25,000 for a single exploit. And Pwn2Own Miami has allocated over $250,000 to buy exploits at the event.

Tomorrow: Pwn2Own Miami Contestants