Last week the latest edition of the Pwn2Own hacking competition was held during the S4 security conference in Miami. The Zero Day Initiative, which hosts the competitions, aims to increase security awareness by promoting the ethical disclosure of software security vulnerabilities. By hosting exciting events with large cash prizes, the ZDI attracts some of the best security researchers and white-hat hackers in the world to participate.
This year, the organizing committee decided to target industrial control software during the competition. It is widely known that industrial systems are among the highest-value targets for malicious hackers, and unfortunately also among the most vulnerable. There is significant difficulty and danger in performing maintenance updates to software systems, as unexpected side effects can lead to costly downtime, or worse. Combined with the perception that “perimeter security” (firewalls, network segmentation, or even physical separation) provides sufficient protection, the industry has been too relaxed about true software security for far too long.
Leading the Way in Security
At Inductive Automation, we made a conscious decision several years ago to hold ourselves to a high standard, and to lead the industry in security practices. Despite the misinformation that our competitors like to spread, we believe that building our software on Java has given us an advantage. As a modern, managed runtime, it offers protection against many classic attack vectors, and as the world's most popular language, it benefits from the highest level of attention, research, and scrutiny. We’ve never regretted choosing Java as our foundation.
Above that, we’ve worked to develop, define, and use a Secure Software Development Lifecycle, along with many structural best practices that mitigate the risk of common attack vectors. Our dedication to agile software development practices and the high level of competence in our development team give us the ability to respond quickly to any serious issue that comes to our attention, and organizationally, we’ve created multiple layers of process and expertise to ensure that serious issues are identified and handled correctly. This structure also works to ensure that we are always progressing in our goal to be leaders in the area of industrial software security.
Ethical Hackers Tested Ignition
The organizers of the competition did not consult vendors before choosing the list of targets, so everyone was equally surprised when the list was announced. After an initial sense of flattery passed, we were understandably nervous — nobody likes to be deliberately targeted, of course. However, this sentiment quickly gave way to an appreciation of this opportunity. We have invested a great amount of time and money into testing tools and independent outside security testing. We routinely work with customers who hire their own firms, at great expense, to test and validate our software. Every test reveals some small issues, but we have enjoyed an excellent track record of never having a serious vulnerability discovered, nor any issue that couldn’t be resolved quickly. To have an outside agency provide both the money and mechanisms to attract highly talented teams to attack our software was certainly intimidating, but we saw considerable value in it, and had high confidence we would do well.
Although we had no say in participating as a target, the organizers encouraged us to be present at the event in order to effectively respond to any claimed discoveries. The competition, in fact, relies on the ability of the organizers to effectively determine what is truly a new discovery, versus something that is either previously disclosed, or that the vendor is aware of. We already had plans for our in-house security experts to be at the conference, and we added one of our top software engineers as well. As far as vendor teams go, we can safely say we were represented extremely well.
To cut to the chase, we got hacked. Two different vulnerabilities were discovered by several teams. We must be perfectly clear on this: these are very serious vulnerabilities that were discovered, that demand both immediate action and a significant outreach to ensure that our customers are aware that they need to update. We’ll get back to that shortly, however.
IA’s Rapid Response
In real time, as these vulnerabilities were demonstrated during the competition, our team back at the office was analyzing the excellent reports provided by the competitors. Remember that the very charter of the Zero Day Initiative is to promote “ethical hacking” and responsible disclosures of vulnerabilities. In the competition, any new vulnerabilities are demonstrated, but specific details are withheld from the public and provided to the vendor, giving them 120 days to respond before public disclosure. Therefore, while the presentation of the vulnerability may have made it look like it only took seconds to break the system, these teams had been working for weeks to find, describe, and package the vulnerabilities.
For each vulnerability found, our team was able to identify, analyze, and respond within hours. By the end of the day on Thursday, we were able to deliver an early-access build of Ignition to the organizers and teams at the competition so that they were able to verify that our fixes solved the issues. This was the very same build that was available that morning publicly on our website.
In the end, serious vulnerabilities were found in every vendor’s software. That does not make us feel better; quite the opposite, it shows exactly why we need more initiatives like ZDI and Pwn2Own. What does make us feel better is to know that we were the only vendor that was able to respond and address the discovered issues within the week. Over the last few years we have made a significant effort to get ahead of this type of scenario — but in this highly complex world, nothing can be perfect. Having the mechanisms and infrastructure to effectively respond is the other half of the equation in leading the way in the industry.
We would be lying to say that this wasn’t a serious wake-up call for us, however. It truly is a splash of cold water to the face, reminding us that vigilance is crucial, and we can never become complacent in our efforts to improve our security stance. The vulnerabilities discovered are truly serious, and it’s imperative that all affected Ignition systems are patched as soon as possible after 8.0.8 is released. We will soon issue a technical advisory through our Support portal describing in detail which systems are affected and how to update. In the meantime, we want to point out right away that the vulnerabilities found apply only to Ignition 8.0 and above.
Increased Awareness Helps Strengthen Security
In conclusion, we believe that the ZDI and Pwn2Own were extremely successful in achieving their goal of increasing awareness about industrial control system security. In a matter of days, multiple teams uncovered serious vulnerabilities across a multitude of very widely used products, from vendors that have undoubtedly spent millions of dollars on security research, and whose customers have likely spent an order of magnitude more. The industry needs to be cognizant of the risks that are out there, and the value of events such as this one that create the excitement, incentive, and, ultimately, motivation for the world's best security experts to find and disclose defects in a responsible way.
We have been in close contact with the event organizers and teams involved, and will be working with them over the next few months to identify ways that we can both support their cause, and improve our position as a leader in security going forward.
If you have any questions or concerns about this competition or security in general, please reach out to us at firstname.lastname@example.org, or feel free to call your account representative.