Smart City Hacked at PHDays IV

The Critical Infrastructure Attack (CIA) contest at Positive Hack Days IV has shown for the second time how weak critical infrastructure systems can be in terms of security. The participants successfully compromised various ICS systems during this two-day contest.

Last year at PHDays III, the contest was held with different name – Choo Choo Pwn. Organizers designed a transportation system controlled by real ICS hardware and software.

The contest's infrastructure was massively updated.. Organizers added new SCADA systems (such as Siemens TIA Portal 13 Pro and Schneider Electric ClearSCADA 2014) and various OPC servers (Kepware KepServerEX, Honeywell Matrikon OPC). New HMI devices, the operator panel Siemens KTP 600, PLC (Siemens Simatic S7-300 and S7-1500)and remote control devices (ICP DAS PET-7067) were presented as well. Schneider Electric MiCOM C264 was provided by CROC.

The contest's stand was created by Ilya Karpov, ICS security expert at Positive Technologies, and his colleagues from the group of SCADA security researchers.

Contestants needed to discover and exploit vulnerabilities in SCADA systems and industrial protocols in order to gain control over robotic arm, cranes, heating plants, transport management and illumination systems. Moreover, there was an opportunity of remote control over certain elements: robots, plant facilities, a railroad crossing, and cooling towers.

Similar SCADA systems and controllers are commonly used in a number of critical objects of various industries: factories and water power plants, transport infrastructure, oil and gas.

Alisa Shevchenko became the winner of the two-day competition – she detected several zero-day vulnerabilities in Indusoft Web Studio 7.1 by Schneider Electric. Nikita Maksimov shared second place with Pavel Markov. They managed to disrupt RTU PET-7000, provided by ICP DAS, and guess the password of the web interface for the controller Allen-Bradley MicroLogix 1400 by Rockwell Automation. Dmitry Kazakov took third place. He discovered XSS vulnerabilities (published) in the web interfaces of the Simatic S7-1200 controllers by Siemens.

"Contestants managed to gain control over robots and cranes via Modbus TCP. During the two days, they detected many critical vulnerabilities, most of them being in Simatic S7-1200 controllers. What's more, during the second day, one of the participants caused several operation failures of MiniWeb’s web server WinCC Flexible 2008 SP3 Update4," — said Ilya Karpov.

If exploited in real life, discovered vulnerabilities could cause harmful consequences, such as denial of service, functional failure of critical infrastructure management systems, which in its turn may disrupt normal life of an entire city'.

According to the responsible disclosure policy, contestants notify respective vendors about vulnerabilities they detected. Details about the vulnerabilities will be available after the vendors address the vulnerabilities.

As a winner Alisa Shevchenko received a special prize – the quadrocopter Phantom 2 Vision+.

Pictured: Alisa Shevchenko

The winners of the last year's Choo Choo Pwn were Mikhail Elizarov, a student from the North Caucasian Federal University (Stavropol Krai, Russia) and Arseny Levshin, a university student from Minsk.

Contest on critical infrastructure security is one of the main attractions of PHDays. Positive Technologies experts also presented the contest’s stand and workshops at Power of Community and at the 30th Chaos Communication Congress in Hamburg.