How much does it take to hack a mobile network?
Is electronic government secure
in the era of WikiLeaks and Anonymous?

Is SCADA hacking a Hollywood fiction
or the nowadays reality?
Internet banking: is there any chance to win
over the fraudsters?

Cyber-crimes, cyber-espionage, cyber-war: where do we draw a borderline?


Monday, May 19, 2014

Critical Infrastructure Attack. How to Hack a Whole City

We've heard a lot about industrial control systems that help reduce traffic congestions, save electricity and water, make production processes more efficient.... But what if just one hacker disrupts the whole infrastructure of a city? You think it's just a creepy idea for a sci-fi film? Let's check it!

During the Critical Infrastructure Attack contest participants will be able to analyze the security of ICSs that are commonly used for factories and water power plants, transport infrastructure, illumination systems, oil and gas industry. To win, a participant should detect vulnerabilities and demonstrate their exploitation on the contest city model.

A Bit of History and the Contest Legend

Last year, the Choo Choo Pwn competition took place at PHDays III. The participants were offered to test a transport management system. The contest and the railway model, which was specially developed basing on three SCADA systems, became popular not only with PHDays participants, but also became a hit of other security conferences as well. About 30 information security specialists tried to hack the Choo Choo Pwn railway model during the Power of Community conference in Seoul.

This year, we added new models controlled by SCADA/DCS servers, HMI devices, PLC and OPC systems. 

The contest's participants will have to deal with a thermal power station, transport and city illumination systems and also with cranes and industrial robots. The contest organizers would like to thank the СROС company for providing one of the most up-to-date industrial controllers for the competition.

Ilya Karpov, the ICS mastermind of the contest

Despite the toylike look, the model will be managed by the latest SCADA software used in real life. There won't be any well-known vulnerabilities, common configuration flaws or weak passwords. We will give contestants access to real-life industrial systems and see whether anyone will be able to hack it by discovering and exploiting new vulnerabilities.


CIA participants will have to start from scratch: they will only have a network socket and access to industrial units of various ICSs. If they are lucky enough, they might download the software from vendors' websites (with limited usage rights though).

The winner of the the contest will be the one who gains the highest score for detected vulnerabilities. The vulnerabilities should be presented to the contest's organizers in the advisory format. The format implies a detailed description of vulnerabilities, a proof of conсept, remediation and severity level according to CVSSv2. The number of points to score depends on the order in which participants detect vulnerabilities (the earlier you find a flaw, the more points you get), the fact how common a vulnerability is, and the difficulty of research.

Exploitation of a vulnerability (or several vulnerabilities) to gain control over some part of the model will matter as well: participants will have to demonstrate their ability to control the model’s transport, illumination and robots.

The rights on vulnerabilities belong to those participants who detected them. However, the contest's organizers seek to take a responsible approach to confidentiality preservation. There is an important condition: any participant should notify a corresponding vendor within 6 months starting from the date of vulnerability detection. All contest traffic will be recorded, so if a participant doesn't report a vulnerability to the product vendor, the contest organizers will contact the vendor by themselves.
The responsible approach implies that one should:

  • contact the corresponding vendor and provide descriptions of detected vulnerabilities,
  • provide information about the vulnerabilities to CERT,
  • disclose the information by participating in various bug bounty programs.

The prize for the winner is a Phantom 2 Vision+ flying camera.


  1. Very Interesting and wonderfull information keep sharing
    tutuapp alternatives ios

  2. This is very great and brilliant information.

  3. If Your searching for IPL Tickets in Hyderabad book your seat via online, or offline if you want to book in online than go through the BOOK MY SHOW, TICKETGENIE and you can book your tickets from the official websites also

    SRH Vs MI IPL Tickets

  4. Found Interesting and wonderfull keep sharing

  5. This Walmartone owns and operates one of the largest retail store, departmental discount store and grocery store in the USA not only us it operates all over the world.

  6. You will find some information about the unique schools around the world in this blog post. I think that you should do it sooner or later for your own good

  7. I Think this is great post. Everyone should work for helping others. Thanks Admin

  8. Good Information and is very useful. Tutuapp

  9. Eugene Kaspersky has warned that the potential for major attacks on critical infrastructure is very real. ... However, cyber attacks that target and are able to impact critical infrastructure are very real, and have already been used to effect. Chase Bank Online

  10. This comment has been removed by the author.

  11. really, great article with some valuable information .Here is some more intersting articles you must need to visit
    Bobby Movie
    thanks for sharing

  12. very interesting article dear.
    Titanium is one of the trending streaming app for you.

  13. It was really hard to work.. thanks for sharing your information dear. hope you will do good for more.
    Try download one of the best streaming app here for you CyberFlix TV APK.

  14. GBWhatsapp apk Download Latest Version 2018. Download Latest GB Whatsapp for Use 2 Whatsapp in One Mobile.  GBWhatsApp APK

  15. To recollect with semi-directed hostgator couponstructures is that they don't possess all the necessary qualities for the free site trade advantage open with the lion's share of HostGator's distinctive plans.

  16. Vidmate furthermore consolidates access to downloading applications and redirections on Android perfect from inside the application. If you have to revive them, you'll need to go to various instruments VidmateApp Apk like Google Play or Uptodown to invigorate every one of the applications and find new decisions for Vidmate

  17. The Eruthu T shirts advanced from underpants utilized in the nineteenth century. To begin with, the one-piece association suit clothing was cut into discrete best and base articles of clothing, with the best sufficiently eruthu T shirts

  18. There are numerous other dishonest routes through which you can get to iMessage for Windows yet given us a iMessage on PC Download chance to begin with some veritable ones

  19. Additionally, recollect as freedom is a hac-lord device, from a covert engineer gathering, you may keep running into blunders while running it out of the blue

  20. The Players Klub is an entertainment service with a primary focus on Live TV streaming.

  21. Thank you for the post.
    Live Net TV is one of the most popular Live TV APK for Sports, Movies and TV Show Streaming on Android OS.

  22. IP Admin Login Apr 2019 - Default D-Link and Netgear Router access. 192 168 1 1 IP address is the default gateway of most Routers.

  23. Our community compares 104 PPD (Pay Per Download) sites to find what are the best in 2019. Criteria analyzed for this ranking :
    pay per download
    ppd sites
    upload file

  24. Our company is the best online solution in offering college paper writing service since we hire professional writers who have years of experience in cheap research paper writing service.

  25. Nice post and I would like to say that the Website Motix, we keep our team and clients closely knit to create the most exclusive custom logo design, which varies in style according to each customers preference. We strive to provide digital solutions, quality service and solve every technical barrier our clients face. Logo Design Services In London

  26. There is no doubt in the app you can easily download the app the most exciting features are waiting for you can easily go with,
    so Download TutuApp APK Official App For Android, iOS devices, iPad, iPhone TutuApp Apk.
    There are nothing extra features required in this app because the most important items are already available in his update versions.
    Also, Get TweakBox APK.

  27. This comment has been removed by the author.

  28. thanks for sharing this information, keep sharing such posts.

  29. I am glad that I saw this post. It is informative blog for us and we need this type of blog thanks for share this blog, Keep posting such instructional blogs and I am looking forward for your future posts.
    Cyber Security Projects for Final Year

    JavaScript Training in Chennai

    Project Centers in Chennai

    JavaScript Training in Chennai

  30. Thank you for sharing this informative is giving dissertation conclusion help to students.we are already trusted by thousands of students who struggle to write their academic papers and also by those students who simply want dissertation conclusion help to save their time and make life easy.

  31. thank you very much for sharing the useful information.