During the Critical Infrastructure Attack contest participants will be able to analyze the security of ICSs that are commonly used for factories and water power plants, transport infrastructure, illumination systems, oil and gas industry. To win, a participant should detect vulnerabilities and demonstrate their exploitation on the contest city model.
A Bit of History and the Contest Legend
Last year, the Choo Choo Pwn competition took place at PHDays III. The participants were offered to test a transport management system. The contest and the railway model, which was specially developed basing on three SCADA systems, became popular not only with PHDays participants, but also became a hit of other security conferences as well. About 30 information security specialists tried to hack the Choo Choo Pwn railway model during the Power of Community conference in Seoul.
The contest's participants will have to deal with a thermal power station, transport and city illumination systems and also with cranes and industrial robots. The contest organizers would like to thank the СROС company for providing one of the most up-to-date industrial controllers for the competition.
Despite the toylike look, the model will be managed by the latest SCADA software used in real life. There won't be any well-known vulnerabilities, common configuration flaws or weak passwords. We will give contestants access to real-life industrial systems and see whether anyone will be able to hack it by discovering and exploiting new vulnerabilities.
CIA participants will have to start from scratch: they will only have a network socket and access to industrial units of various ICSs. If they are lucky enough, they might download the software from vendors' websites (with limited usage rights though).
The winner of the the contest will be the one who gains the highest score for detected vulnerabilities. The vulnerabilities should be presented to the contest's organizers in the advisory format. The format implies a detailed description of vulnerabilities, a proof of conсept, remediation and severity level according to CVSSv2. The number of points to score depends on the order in which participants detect vulnerabilities (the earlier you find a flaw, the more points you get), the fact how common a vulnerability is, and the difficulty of research.
Exploitation of a vulnerability (or several vulnerabilities) to gain control over some part of the model will matter as well: participants will have to demonstrate their ability to control the model’s transport, illumination and robots.
The rights on vulnerabilities belong to those participants who detected them. However, the contest's organizers seek to take a responsible approach to confidentiality preservation. There is an important condition: any participant should notify a corresponding vendor within 6 months starting from the date of vulnerability detection. All contest traffic will be recorded, so if a participant doesn't report a vulnerability to the product vendor, the contest organizers will contact the vendor by themselves.
The responsible approach implies that one should:
- contact the corresponding vendor and provide descriptions of detected vulnerabilities,
- provide information about the vulnerabilities to CERT,
- disclose the information by participating in various bug bounty programs.