For years, Pwn2Own, a competition that rewards researchers for finding previously unknown software flaws, has focused on code used in enterprise IT networks rather than programs that support critical infrastructure operations.
That is all going to change in January, when the contest heads to Miami and exposes white-hat hackers to popular software and protocols used in industrial control systems (ICS).
Contestants will have a matter of minutes to demonstrate zero-day exploits that they’ve developed beforehand. Cash and other prizes worth a total of $250,000 will be available to winners, Zero Day Initiative (ZDI), the organization that runs Pwn2Own, said Monday.
For an ICS industry accustomed to non-disclosure agreements related to security testing, the Pwn2Own free-for-all format is a “radical concept,” said Dale Peterson, the founder of the annual S4 security conference, which will host the Pwn2Own competition. The vulnerabilities that Pwn2Own participants discover are revealed to the vendor responsibly so they can be fixed.
“That’s saying, ‘We have some confidence in our equipment. In order to make it better, we need people to test it for us,’” he said.
Organizers say they expect the competition to attract top-tier hacking talent who know the peculiarities of ICS.
“We do anticipate seeing some old and some new faces,” said Brian Gorenc, the director of ZDI, which is backed by cybersecurity company Trend Micro. “There’s not a lot of overlap between security researchers in the ICS sector and other sectors, but those people do exist.”
Some vendors considered offering their systems up for testing at Pwn2Own, but shied away over customer or legal concerns, according to Peterson. One vendor scheduled to be present is Rockwell Automation. The Milwaukee-based industrial software company will provide virtual machines for contestants to pick apart.
Participants will try to demonstrate flaws in protocols that are key to industrial environments, including one that is popular in the electric transmission and distribution sectors. Human machine interface (HMI) software — a dashboard that connects an operator to industrial equipment— will also be available for hacking.
Organizers chose industrial software that has already been security tested and wouldn’t be too easy to hack, according to Peterson.
“We wanted to pick equipment that had a large footprint out there,” he told CyberScoop. “So if they found something it’s not just some trivial HMI that nobody uses.”
This will be the second time in a year that Pwn2Own has broken ground in a new industry or set of industries. Last March, a pair of white-hat hackers demonstrated the first zero-day exploit specific to the car industry in the event’s history.