Software for industrial equipment will be the primary focus of the next edition of Pwn2Own, the world's largest and most well-known hacking contest.
This is the first time that security researchers will be allowed to hack ICS (industrial control systems) software and protocols at Pwn2Own.
For most of its 12-year history, the contest has featured browsers and operating systems as the primary targets for white-hat hackers looking to make a name for themselves and earn huge cash rewards.
Now, the organizers, Trend Micro's Zero-Day Initiative (ZDI) project, say the next Pwn2Own contest will be solely focused on ICS devices and their respective software.
The next Pwn2Own contest is set to take place at the S4 ICS security conference that will be held in Miami South Beach on January 21-23, 2020.
According to ZDI, the contest will have five ICS categories, which include:
- Control Server
- OPC Unified Architecture (OPC UA) Server
- DNP3 Gateway
- Human Machine Interface (HMI) / Operator Workstation
- Engineering Workstation Software (EWS)
Participants will be free to choose what ICS software they want to hack from the list above. Depending on the types of vulnerabilities they use to break into a device, they can earn points. The vulnerabilities must be new, and not seen before.
At the end of the contest, the security researcher who hacked the most ICS devices with the most complex vulnerabilities wins the contest, a trophy, cash rewards, and all the reputational clout they'd ever need.
All ICS bugs found at the upcoming Pwn2Own contest will be immediately disclosed to their respective vendors, ZDI said, some of which will be attending the competition just to pick up reports first-hand.
Below are the cash rewards that security researchers can earn by hacking ICS devices. Researchers stand to make more than $250,000 in cash and prizes for eight vulnerability types spread across five ICS device categories.
ZDI, the Pwn2Own contest organizer, is also known for running a zero-day acquisition program, through which it buys vulnerabilities from security researchers and then privately discloses them to companies.
The company said that the decision to include industrial equipment on this year's list of hackable devices came after the organization saw a spike in submissions for ICS bugs.
"In 2018, the ZDI purchased 224% more zero-day vulnerabilities in ICS software compared to the previous year," ZDI said. "This growth is sustaining in 2019 so far, which proves the increasing need to identify vulnerabilities and harden these systems before they are exploited."
However, fixing vulnerabilities in ICS software is only one step in improving ICS security for many of today's vendors. A CyberX report published earlier this year found many other security issues that had nothing to do with faulty ICS software. For example:
- 40% of industrial sites have at least one direct connection to the internet and are not properly air-gapped, exposing ICS systems directly online
- 53% of industrial sites have outdated Windows systems like XP
- 69% of orgs have plain-text passwords traversing their network, unencrypted
- 57% of ICS sites are still not running anti-virus protections that update signatures automatically
- 84% of sites have at least one remotely accessible device
The findings are similar to a Kaspersky report on ICS security published last year, in 2018, showing that there's an endemic lack of awareness towards proper cyber-security practices among companies that run ICS equipment.