There is still a lot of low-hanging fruit in industrial control systems.
This is definitely an easier environment to operate in.
At the same time that I was watching the pair on stage in Miami targeting a small arsenal of critical industrial software, the United States and its allies issued a warning about the elevated threat of Russian hackers going after infrastructure such as the electric grid, nuclear reactors, and water systems. Last week, one group of Russian hackers was caught trying to bring down the Ukrainian power grid, and another hacking group was caught trying to disrupt industrial systems.
The systems are the same at Pwn2Own as they are in the real world. Industrial control systems that run critical facilities were the targets this week in Miami. Nearly every piece of software that was offered as a target fell to the hackers. Hackers who succeed will share all the details so the flaw can be fixed. Critical-infrastructure security has a long way to go.
A lot of the bugs we are seeing in the industrial control systems world are similar to bugs we saw in the enterprise software world a long time ago, according to Dustin Childs, who ran the show this year.
The Iconics Genesis64, a human-machine interface tool that can be used to bring down critical targets while fooling the human operators into thinking nothing is wrong, was one of the targets at this year's show.
A decade ago, a hacking campaign called Stuxnet targeted the Iranian nuclear program. The machines that separate nuclear materials were sabotaged by hackers believed to be working for the United States and Israel, but they also told the Iranians that everything was going well. The success of the operation was increased by that clever extra bit of sabotage.