Pwn2Own Miami – Bringing ICS into the Pwn2Own World

October 28, 2019 | Brian Gorenc

Welcome to Miami!

As Pwn2Own has grown over the last 12 years, it has continually evolved. The Vancouver-based contest expanded from web browsers alone to include virtualization software and enterprise applications. In 2012, we added a contest focused on mobile devices. That contest evolved to cover multiple types of devices, and in just a couple of weeks we’ll see whether wireless routers, web cameras, and smart TVs can be compromised.

Starting next January, Pwn2Own grows again by adding a third competition at the S4 conference in Miami South Beach on January 21 – 23, 2020. This contest focuses on Industrial Control Systems (ICS) and associated protocols. We’ve had discussions for years about running a Pwn2Own for ICS, but there are many challenges to holding such a contest. To overcome these issues, we worked with multiple people and companies within the ICS industry to ensure we have the right products and categories to create a meaningful test of the security of these products and protocols. Special thanks go out to the folks at Rockwell Automation for providing virtual machines with their products all set for the contest. They have a history of embracing researchers, and we're happy to have them on board. As with our other contests, Pwn2Own Miami seeks to harden these platforms by revealing vulnerabilities and providing that research to the vendors. The goal is always to get these bugs fixed before they’re actively exploited by attackers.

The contest will have five categories, which include:

- Control Server
- OPC Unified Architecture (OPC UA) Server
- DNP3 Gateway
- Human Machine Interface (HMI) / Operator Workstation
- Engineering Workstation Software (EWS)

For this contest, we will be awarding prizes for successful entries multiple times within a given category. For example, the third successful exploit in a category will still be eligible to earn a prize package. We’re hoping this encourages more participation from a diverse set of researchers. And while we won’t be awarding any centrifuges, successful entries will still get a laptop. It wouldn’t be Pwn2Own without “owning” something after successful pwnage. In total, we’ve allocated more than $250,000 in cash and prizes for eight targets across five categories.

Let’s take a closer look at the categories and products, along with their respective payouts.

Control Server Category

The Control Server category covers server solutions that provide connectivity, monitoring, and control across disparate Programmable Logic Controllers (PLCs) and other field systems. They are often chosen because they cost less than a distributed control system (DCS) and because they suit sites with a variety of protocols and products. An attacker who took over a control server could alter the process in any way they wanted, limited only by their engineering and automation skills. The targets in this category are the control servers from Iconics and Inductive Automation.

An attempt in this category must be launched against the target’s exposed network services from the contestant’s laptop within the contest network.

If a contestant is able to achieve remote code execution, they are eligible for an add-on bonus for Continuation. If the exploit payload allows the targeted network service/process to continue normal operations after successful exploitation and without being respawned, the contestant will receive an additional $5,000 and 5 more Master of Pwn points.

OPC Unified Architecture (OPC UA) Server Category

OPC Unified Architecture (OPC UA) is a platform-independent, service-oriented architecture that integrates all the functionality of the individual OPC Classic specifications into one extensible framework. OPC UA serves as the universal translator protocol of the ICS world: it is widely used to exchange data between systems from different vendors. It was designed to be more secure than OPC Classic, which relies on DCOM, and it is gaining in popularity. This category has two products: the Unified Automation ANSI C Demo Server and the OPC Foundation OPC UA .NET Standard.

An attempt in this category must be launched against the target’s exposed network services from the contestant’s laptop within the contest network.

This category also has the Continuation bonus: a successful RCE whose payload leaves the targeted service running normally, without the process being respawned, earns another $5,000 and 5 Master of Pwn points.

DNP3 Gateway Category

DNP3 (Distributed Network Protocol 3) is a set of communications protocols used between the various components of an ICS. It is a primary protocol in the North American electric grid, and it is also used in other sectors. This category features the Triangle Microworks SCADA Data Gateway product. Triangle Microworks makes the most widely used DNP3 protocol stack. If the Data Gateway were compromised, it could serve as a launching point for other attacks within the ICS, or even blind the energy management system (EMS).

An attempt in this category must be launched against the target’s exposed network services from the contestant’s laptop within the contest network. The initial vulnerability leveraged in this category must exist in a DNP3 gateway.

This category also carries the Continuation add-on bonus for remote code execution: $5,000 and 5 Master of Pwn points.

Human Machine Interface (HMI) / Operator Workstation Category

If you’re familiar with ICS at all, you’ve likely heard of the Human Machine Interface (HMI) system. The HMI connects the operator of an ICS to the various hardware components of the ICS. Attackers who take over the HMI can act with the operator’s privileges, and they can also hide process problems from the operator until it is too late. Our HMI category consists of the Rockwell Automation FactoryTalk View SE product and the Schneider Electric EcoStruxure Operator Terminal Expert. Rockwell Automation’s HMI has a large deployed base in manufacturing and is seen in most other sectors as well. The Schneider Electric product is also found in multiple sectors.

An attempt against the Rockwell Automation FactoryTalk View SE target must be launched against the target’s exposed network services from the contestant’s laptop within the contest network or against the target by opening a malicious file on the target machine. An attempt against the Schneider Electric EcoStruxure Operator Terminal Expert must be launched against the target by opening a malicious file on the target machine.

For the HMI category, the Rockwell Automation product is eligible for the Continuation bonus of $5,000 and 5 Master of Pwn points, but the Schneider Electric product is not.

Engineering Workstation Software (EWS)

Like the HMI, Engineering Workstation Software (EWS) is a juicy target for attackers. It communicates directly with, and can configure, primary control equipment such as PLCs, and it can also configure role-based access mechanisms. Attacks on the EWS were seen in the Stuxnet malware, which used the engineering workstation to modify PLC logic, and attackers continue to focus on the EWS because it lets them alter the process. For this category, we have selected the well-known Rockwell Automation Studio 5000 as the target product.

Master of Pwn

No Pwn2Own contest would be complete without crowning a Master of Pwn, and Pwn2Own Miami is no exception. Earning the title results in a slick trophy and brings with it an additional 65,000 ZDI reward points (instant Platinum status in 2021, which includes a one-time bonus estimated at $25,000).

For those not familiar with how it works, points are accumulated for each successful attempt. As with previous contests, there are penalties for withdrawing from an attempt once you register for it. If the contestant decides to remove an Add-on Bonus during their attempt, the Master of Pwn points for that Add-on Bonus will be deducted from the final point total for that attempt. For example, someone registers for the Triangle Microworks SCADA Data Gateway with the Continuation bonus. During the attempt, the contestant drops the Continuation bonus but successfully achieves remote code execution. The 5 Master of Pwn points for the dropped bonus are deducted from the attempt’s award, giving a final total of 15 Master of Pwn points. The cash award is not affected.

If a contestant withdraws from a registered attempt before making it, the Master of Pwn points for that attempt will be divided by 2 and deducted from the contestant’s point total for the contest. Because Pwn2Own is now often a team competition, the same number of Master of Pwn points will also be deducted from every other contestant team from the same company.

The Complete Details

The full set of rules for Pwn2Own Miami 2020 is available here. The rules may be changed at any time without notice. We encourage entrants to read them thoroughly and completely should they choose to participate.

Registration is required to ensure we have sufficient resources on hand at the event. Please contact ZDI at zdi@trendmicro.com to begin the registration process. (Email only, please; queries via Twitter, blog post, or other means will not be acknowledged or answered.) If we receive more than one registration for any category, we’ll hold a random drawing to determine contestant order. The drawing determines order only and does not affect awards. Contest registration closes at 5:00 p.m. Eastern Standard Time on January 17th, 2020.

The Results

We’ll be live blogging and tweeting results throughout the competition. Be sure to keep an eye on the blog for the latest results. Follow us on Twitter at @thezdi and @trendmicro, and keep an eye on the #P2OMiami hashtag for continuing coverage.

We look forward to seeing everyone in Miami, and to the new exploits and attack techniques they bring with them.