The ZDI-run competition has been laying the ICS groundwork for years

The organizers of the Pwn2Own hacking contest have unveiled a new event that places industrial control systems (ICS) in the bug bounty firing line for the first time.

Starting next January, Pwn2Own grows again by adding a third competition at the S4 industrial security conference in Miami South Beach.

Speaking to The Daily Swig, Brian Gorenc, director of Trend Micro’s Zero Day Initiative (ZDI), which organizes Pwn2Own, said: “Some of the control servers and HMIs have web server components, so they definitely can be affected by web-based exploits.”

He said there would likely be “some crossover” between ICS targets and the other, longstanding categories.

“But we expect new participants as well,” he said, adding that ZDI has been working closely with the ICS industry in order to create the new category for the contest, now in its 12th year.

ZDI had been purchasing ICS-related bugs and courting ICS vendors for many years – most notably Rockwell Automation, Gorenc said.

ICS vendors are providing virtual machine images for the competition. ZDI has allocated more than $250,000 in cash and prizes for eight targets across five categories.

The overall winner – or ‘Master of Pwn’ – will win an extra 65,000 ZDI reward points, catapulting them to Platinum status in the ZDI rewards program.

The five categories will include:

  • Control Server targets include Iconics and Inductive Automation servers, with a successful remote code execution (RCE) yielding an add-on bonus for continuation
  • An effective RCE on an OPC Unified Architecture (OPC UA) Server – which integrates OPC Classic specs functionality into one extensible framework –will earn a $5,000 and 5 Master of Pwn points top-up – providing it isn’t respawned and doesn’t disrupt normal operations
  • The primary protocol in the North American Electric Grid, the DNP3 Gateway category features the Triangle Microworks SCADA Data Gateway. Continuation add-on bonus for remote code execution of $5,000 and 5 Master of Pwn points
  • Human Machine Interface (HMI)/Operator Workstation targets are Rockwell Automation FactoryTalk View SE (potential Continuation bonus of $5,000 and 5 Master of Pwn points) and Schneider Electric EcoStruxure Operator Terminal Expert
  • Once targeted with Stuxnet, Engineering Workstation Software (EWS) can configure primary control equipment like PLCs and role-based mechanisms. Breach Rockwell Automation Studio 5000 with RCE for $5,000 continuation bonus and 5 Master of Pwn points

The announcement is the latest in a string of developments for Pwn2Own, which continues to expand its live hacking program around the world.

Earlier this year, ZDI upped payouts for mobile vulnerabilities and added a new automotive category to its flagship event in Canada.

Team Fluoroacetate – Richard Zhu and Amat Cama – once again dominated the event this year, earning a total of $375,000 and being crowned ‘Masters of Pwn’.

The upcoming Tokyo event (November 6-7) will see contestants endeavour to find vulnerabilities in wireless routers, web cameras, and smart TVs.

The other two 2020 competitions will include a March event in Vancouver – where Pwn2Own first began in 2007 – focusing on web browsers, enterprise applications, and virtual computing.


YOU MIGHT ALSO LIKE Rodolphe Harand of YesWeHack explains how the French bug bounty platform is set to disrupt the marketplace