The Critical Infrastructure Attack (CIA) contest at Positive Hack Days IV has shown for the second time how weak critical infrastructure systems can be in terms of security. The participants successfully compromised various ICS systems during this two-day contest.
Last year at PHDays III, the contest was held with different name – Choo Choo Pwn. Organizers designed a transportation system controlled by real ICS hardware and software.
The contest's infrastructure was massively updated.. Organizers added new SCADA systems (such as Siemens TIA Portal 13 Pro and Schneider Electric ClearSCADA 2014) and various OPC servers (Kepware KepServerEX, Honeywell Matrikon OPC). New HMI devices, the operator panel Siemens KTP 600, PLC (Siemens Simatic S7-300 and S7-1500)and remote control devices (ICP DAS PET-7067) were presented as well. Schneider Electric MiCOM C264 was provided by CROC.
The contest's stand was created by Ilya Karpov, ICS security expert at Positive Technologies, and his colleagues from the group of SCADA security researchers.
Contestants needed to discover and exploit vulnerabilities in SCADA systems and industrial protocols in order to gain control over robotic arm, cranes, heating plants, transport management and illumination systems. Moreover, there was an opportunity of remote control over certain elements: robots, plant facilities, a railroad crossing, and cooling towers.
Similar SCADA systems and controllers are commonly used in a number of critical objects of various industries: factories and water power plants, transport infrastructure, oil and gas.
Alisa Shevchenko became the winner of the two-day competition – she detected several zero-day vulnerabilities in Indusoft Web Studio 7.1 by Schneider Electric. Nikita Maksimov shared second place with Pavel Markov. They managed to disrupt RTU PET-7000, provided by ICP DAS, and guess the password of the web interface for the controller Allen-Bradley MicroLogix 1400 by Rockwell Automation. Dmitry Kazakov took third place. He discovered XSS vulnerabilities (published) in the web interfaces of the Simatic S7-1200 controllers by Siemens.
"Contestants managed to gain control over robots and cranes via Modbus TCP. During the two days, they detected many critical vulnerabilities, most of them being in Simatic S7-1200 controllers. What's more, during the second day, one of the participants caused several operation failures of MiniWeb’s web server WinCC Flexible 2008 SP3 Update4," — said Ilya Karpov.
If exploited in real life, discovered vulnerabilities could cause harmful consequences, such as denial of service, functional failure of critical infrastructure management systems, which in its turn may disrupt normal life of an entire city'.
According to the responsible disclosure policy, contestants notify respective vendors about vulnerabilities they detected. Details about the vulnerabilities will be available after the vendors address the vulnerabilities.
As a winner Alisa Shevchenko received a special prize – the quadrocopter Phantom 2 Vision+.
The winners of the last year's Choo Choo Pwn were Mikhail Elizarov, a student from the North Caucasian Federal University (Stavropol Krai, Russia) and Arseny Levshin, a university student from Minsk.
Contest on critical infrastructure security is one of the main attractions of PHDays. Positive Technologies experts also presented the contest’s stand and workshops at Power of Community and at the 30th Chaos Communication Congress in Hamburg.
Last year at PHDays III, the contest was held with different name – Choo Choo Pwn. Organizers designed a transportation system controlled by real ICS hardware and software.
The contest's infrastructure was massively updated.. Organizers added new SCADA systems (such as Siemens TIA Portal 13 Pro and Schneider Electric ClearSCADA 2014) and various OPC servers (Kepware KepServerEX, Honeywell Matrikon OPC). New HMI devices, the operator panel Siemens KTP 600, PLC (Siemens Simatic S7-300 and S7-1500)and remote control devices (ICP DAS PET-7067) were presented as well. Schneider Electric MiCOM C264 was provided by CROC.
The contest's stand was created by Ilya Karpov, ICS security expert at Positive Technologies, and his colleagues from the group of SCADA security researchers.
Contestants needed to discover and exploit vulnerabilities in SCADA systems and industrial protocols in order to gain control over robotic arm, cranes, heating plants, transport management and illumination systems. Moreover, there was an opportunity of remote control over certain elements: robots, plant facilities, a railroad crossing, and cooling towers.
Similar SCADA systems and controllers are commonly used in a number of critical objects of various industries: factories and water power plants, transport infrastructure, oil and gas.
Alisa Shevchenko became the winner of the two-day competition – she detected several zero-day vulnerabilities in Indusoft Web Studio 7.1 by Schneider Electric. Nikita Maksimov shared second place with Pavel Markov. They managed to disrupt RTU PET-7000, provided by ICP DAS, and guess the password of the web interface for the controller Allen-Bradley MicroLogix 1400 by Rockwell Automation. Dmitry Kazakov took third place. He discovered XSS vulnerabilities (published) in the web interfaces of the Simatic S7-1200 controllers by Siemens.
"Contestants managed to gain control over robots and cranes via Modbus TCP. During the two days, they detected many critical vulnerabilities, most of them being in Simatic S7-1200 controllers. What's more, during the second day, one of the participants caused several operation failures of MiniWeb’s web server WinCC Flexible 2008 SP3 Update4," — said Ilya Karpov.
If exploited in real life, discovered vulnerabilities could cause harmful consequences, such as denial of service, functional failure of critical infrastructure management systems, which in its turn may disrupt normal life of an entire city'.
According to the responsible disclosure policy, contestants notify respective vendors about vulnerabilities they detected. Details about the vulnerabilities will be available after the vendors address the vulnerabilities.
As a winner Alisa Shevchenko received a special prize – the quadrocopter Phantom 2 Vision+.
Pictured: Alisa Shevchenko
The winners of the last year's Choo Choo Pwn were Mikhail Elizarov, a student from the North Caucasian Federal University (Stavropol Krai, Russia) and Arseny Levshin, a university student from Minsk.
Contest on critical infrastructure security is one of the main attractions of PHDays. Positive Technologies experts also presented the contest’s stand and workshops at Power of Community and at the 30th Chaos Communication Congress in Hamburg.
Just a regular old guy from America who read the guardian article and was interested in learning more about what you do. No intentions, just curious. Looks like you're very talented. Sorry for your inclusion on the sanctions list. The US government is largely a bunch of assholes. Good luck with future endeavors.
ReplyDeleteTyler
I want to thank you for writing this article.This is great Article for me. It also more very informative & awesome.
ReplyDeleteOnline lead genaration
Congrats to the winners! This year we are having a harsh rivalry between a student from Clearview Regional High School and Deptford Township High School. Both have showed the results shared on essayforcollege essay help org constructor's page.
ReplyDeleteShowBox
ReplyDeleteVidMate
Mobdro
cartoon hd ios
ReplyDeleteShowbox users all over spread content through facebook and youtube directly from the software. showbox apk
ReplyDeletehttps://gateanswerkey2018.com
ReplyDeleteIt is not difficult to guess that he|she will be having WhatsApp installed in it and more this website
ReplyDeleteUkTVNow for PC
ReplyDeletehttps://musicparadisedownload.com
PPSSPP Gold APK Download
nice post Our Asus Routers Customer Service team has encountered problems where the router is working but no wifi signal is available. Such things are possible and are tricky to fix. You can just reach out to us and we will take it from there. Call us to get easy and fast fixes for your Asus routers. The Asus Routers Customer Service is always available for resolving your problems. Asus Customer Support
ReplyDeleteYou have the nice information thanks for sharing . If you need Apple AirPort Help Use Our Service.
ReplyDeleteNice post.showbox for pc
ReplyDeleteyou have shared the nice and informative post thanks for sharing.
ReplyDeleted link router customer support
Useful Information You have the nice information thanks for sharing. If you need Cisco Customer Support Number
ReplyDeleteHelp Use Our Service.
Thanks for sharing this kind of amazing post. It is a great experience to read all about.
ReplyDeleteLinksys customer support
Download Live NetTV Apk or Showbox Apk on your Android, iOS, Tablets, Amazon, Android Box device to watch Movies, TV Shows and 1000+ live TV channels in 27 categories.
ReplyDeleteKineMaster Pro is the only full-featured professional video editor for Android, supporting multiple layers of video, images, and text, as well as precise cutting and trimming, multi-track audio, precise volume envelope control, color LUT filters, 3D transitions, and much more.
ReplyDeleteSpotify APK is a digital music service that gives you access to millions of songs.
ReplyDeleteThe Ultimate Entertainment is back with the RedBox TV APK with hundreds of Live TV Channels available for streaming at your proposal.
The Deep Websites, Dark web, Hidden Wiki is accessed using Tor that contains .onion websites and provided Deep Web Links 2018 with more of deep web news.
ReplyDeleteYou're searching for the Best Gaming Chair. We know that and don't worry - we got you completely covered with our updated guide on gaming and office chairs.
ReplyDeleteimo for pc
ReplyDeleteIf you are looking for the SSLC Result Karnataka, you can go through the official website of Karnataka board; here we are providing the details of the official sites of the Karnataka SSLC board
ReplyDeletekarresults.nic.in
www.karresults.nic.in
karresults.nic.in 2018
well done usefull content Vidmate
ReplyDeleteVidmate
Vidmate
Vidmate
Vidmate
Vidmate
Vidmate
Vidmate
Vidmate
Vidmate
keep sharing such beqautifull informatin about hacking and all Snaptube app
ReplyDeleteSnaptube app
Snaptube app
Snaptube app
Snaptube app
Snaptube app
Snaptube app
Snaptube app
Snaptube app
Snaptube app
hope for good9apps install
ReplyDelete9apps install
9apps install
9apps install
9apps install
9apps install
9apps install
9apps install
9apps install
good job 9apps fast download
ReplyDelete9apps fast download
9apps fast download
9apps fast download
9apps fast download
9apps fast download
9apps fast download
9appsfast download
9apps fast download
This comment has been removed by the author.
ReplyDeleteThanks for the unique post about Smart City Hacked at PHDays IV. If you would add a video tutorial with it. That will be more good. However, i will come next day to ready more about the next post. Thanks from Lucky Patcher
ReplyDeleteHope you will get the letest news about all android game, and download all kind of mod games, free apk for your android mobile. Here is the largest collection of android games and tools only for you, which are free of cost. from APKJA
ReplyDeleteBuy High Quality Replica Watches in India. Best Quality First Copy Watches. First Copy Watches For Men and Women.
ReplyDelete