ICS stands for Insecure Control Systems

Thijs Alkemade and Daan Keuper

Playlists: 'MCH2022' videos starting here / audio

Last April we won Pwn2Own Miami by demonstrating five zero-day attacks against software that is commonly used in the ICS world. ICS, or Industrial Control Systems, are systems that are involved with running an industrial process, for example in a factory or power plant. Our targets range from SCADA to HMI systems. During this talk we would like to share details about the competition and the vulnerabilities we found.

ICS is an interesting field for security research. As a successful attack could have devastating results. Luckily the number of successful attacks that truly targeted ICS environments are scarce. At the same time this industry faces some difficult challenges, such as high availability requirements, old technology and a low security maturity.

Pwn2Own Miami is an annual edition of the Pwn2Own competition, that focuses solely on ICS applications. Targets range from OPC UA implementations (on of the main communication protocol in ICS), to data gateways and SCADA systems. They challenge competitors to find zero-days attacks against any of the targets. Participants need to demonstrate their zero-days by compromising a target machine running the latest version of the application.

Last year we participated in the Pwn2Own Austin edition, which focused on Enterprise applications, with a zero-day chain against the Zoom client. This year we decided to participate in the ICS edition. It was a close race, but ultimately we beat the competing teams and won this year's edition. We demonstrated 3 RCE's, one DoS and an interesting certificate verification bypass, which in total was good for 90 points and $90,000.