Last week, Pwn2Own Miami 2022 sponsored by the Zero Day Initiative took place. And as always with this event, money was awarded to teams that found the best vulnerabilities. By learning about new vulnerabilities from ethical hackers, or “security researchers” as they are called, vendors gain necessary and crucial insights into how to improve the security of their software. Before I jump into describing the event itself, I think it prudent to define “pwn”, so you can understand the event’s title. “Pwn” is internet/gaming slang meaning to own, defeat, or dominate someone or something especially a game or someone playing a game. Pwn2Own invited world renowned security researchers, or white hat hackers as they are sometimes referred to as. These good software geniuses search for security vulnerabilities in an ethical manner as opposed to black hat hackers who break into systems for malicious reasons. At this event, there were ten teams of white hat hackers that tested the software security of several vendors. This year’s competition featured the following software components and platforms, and ICONICS was honored to be included:

  • Unified Automation C++ Demo Server 
  • OPC Foundation OPC UA .Net Standard 
  • Prosys OPC UA SDK for Java 
  • Softing Secure Integration Server 
  • Triangle Microworks SCADA Data Gateway 
  • Kepware KEPServerEx 
  • AVEVA Edge 
  • Schneider Electric EcoStruxure Operator Terminal Expert 
  • Inductive Automation Ignition 

The researchers knew which vendors would be targeted and were given the software prior to the event. Therefore, many studied and strategically planned their approaches to breaching the software well in advance of the event. After all, there was money to be taken home! As part of the Pwn2Own, the teams were called on stage to demonstrate their attacks for each vendor with event judges watching. Those who were able to successfully demonstrate an exploit received points, and the team with the most points won. The organizers awarded $400,000 for 26 unique 0-days (new security breaches) and a few bug collisions (already reported software bugs). The competition’s winning team with the most points was Computest Sector 7 with Daan Keuper and Thijs Alkemade. ICONICS software was tested, and vulnerabilities were found. So, what does this mean for ICONICS GENESIS64 end users? Should you be concerned? 

ICONICS Reassures Its GENESIS64 End Users 

I believe everyone in our industry has a duty of care to our society regardless of whether they are licensed professional engineers or not. Computer and software engineers are trained to always have the safety of their systems as a top priority, and security is an essential part of that. So, I’ll give my answer in capital bold lettering, “YES”. Yes, our customers should always be concerned about new threats that emerge that could potentially jeopardize the safety of their applications, like those discovered during the Pwn2Own event. At ICONICS, we’re thankful that these items were brought to light. We strive to always be on top of software security by employing the latest techniques in secure development, and we are continuously checking for weaknesses in our software. But, as evidenced by the results of this event, there is more work to be done.

We would like to reassure all our customers, partners, and readers that we take security extremely seriously and attempt to resolve every vulnerability in our software prior to release. We take responsibility for the gaps that the teams at Pwn2Own found and are currently working on fixes for these findings. We began investigating the items brought up during last week’s event as soon as they were disclosed to us, and we will communicate with our customers as soon as possible when those fixes are ready to be deployed in their runtime systems. We will be proactively reaching out to our customers at that time to encourage them to update their installed software to reduce their risks. It’s also worth noting that the issues identified at the event were not disclosed to the public, and all information related to such exploits was shared only with ICONICS in the interest of validating, and subsequently patching, the vulnerabilities as quickly as possible.

We also know that some of our customers have certain environmental restrictions and simplification demands that have led them to deploy their systems in a non-secure way, potentially leaving components exposed to hackers in the event the system is accessed or connected to in an unprotected way. We urge all customers to review their ICONICS configurations on an ongoing basis and to re-examine their entire infrastructure if they wish to connect their systems across networks or to the cloud.

We are thankful for the efforts of all the organizers, researchers, and participants of the Pwn2Own Miami 2022 event and congratulate Keuper and Alkemade for their win. Events like this enable us to learn from experts and the development community. We pride ourselves on providing one of the leading market industrial software platforms for visualization, analytics, and reporting used in a wide variety of global projects. We test for vulnerabilities internally, with customers and with third parties, to document and rapidly fix these issues. Again, we take responsibility for the gaps that the teams at Pwn2Own found, and we are owning these as a company. We are currently working on two fixes for the findings, and we will communicate directly to customers when these fixes are ready to be deployed in their runtime systems.

Below are additional comments about technical software points and suggestions for our customers and system integrators for designing and securing their systems and applications:

Technical Software Points: 

  • Operational runtime systems for most of our customers, especially those in critical infrastructure, are managed as part of an automation system in a highly structured way to minimize the potential for the system to be taken offline intentionally or hacked. This gives us a level of reassurance that a large portion of our customers are not in immediate danger.
  • For projects that are deployed in critical infrastructure, many of these are engineered to be isolated from the outside world and have multiple levels of security, both from third party tools, networking, and software, and within GENESIS64. These security measures help mitigate the potential for an attack using the exploits demonstrated at Pwn2Own.

Suggestions for Our Customers:

  • We strongly encourage all customers to keep their software current and to have update/upgrade strategies in place to adopt the major, minor, and critical fix rollups (CFR) from our team.
  • We encourage our customers to engage with our system integration partners or our professional solution services engineers to review systems to reduce the potential threat vectors that could lead to a compromised deployed runtime system. This is particularly important for systems that are sending/receiving data and alarms across networks, to the cloud, and/or have components of the ICONICS software solution hosted in the cloud.
  • We encourage our customers and system integration partners to design secure systems that take the operating systems, networking, and all third-party software into account as a holistic system.

Lessons Learned from Pwn2Own 2022

My colleague, Richard Henderson, ICONICS US Quality Assurance Manager, attended the event in person and saw firsthand how the competition unfolded. When any exploit was successfully demonstrated within the allotted 20 minutes per attempt, the security researchers would be taken to a private room with ZDI representatives, and the vendor in question would work with them to validate whether it was truly a new finding. If yes, then the vendor could have all the details, so they could then immediately get to work on mitigating it appropriately.

Pwn2Own: Security researchers from the Incite Team of Steven Seeley (@steventseeley) and Chris Anastasio (@mufinnnnnnn) work with ZDI to demonstrate their exploit

There was also the possibility that the security researchers would find something that was already a known issue (known as a bug collision), and in those cases Richard was able to say, "No, that's not a new issue for us. We already knew about this issue. We’ve addressed it, and this is the evidence thereof." When asked about his experience at Pwn2Own, Richard had a great quote that I'd like to share with you:

“Overall Pwn2Own 2022 was extremely valuable to all participants. It was positive, insightful, and unique because it's not something that we can easily do ourselves nor do we have the ability to host a similar event at this scale.”

So, what lessons did we learn from Pwn2Own 2022? In an ideal world, there would be software with no bugs and no vulnerabilities. But that's never going to be the case. Eventually we find them, hackers find them, partners find them, and customers find them – we as ICONICS understand this and will continue to strive to stay one step ahead.

We want to be transparent and to let everyone know we are taking these new security issues seriously. We consider Pwn2Own a significant and useful event for all parties because we learned where new issues are in our platform. Please be reassured that we will be proactively reaching out to our customers as soon as fixes are available to encourage them to update their installed software to reduce their risks. 

Please email me or find me on twitter @Ryzner if you have any questions or concerns.

Kyle Reissner
Director, Product Management