
“Smart city” hacked at PHDays IV
During the Positive Hack Days IV international forum, a critical infrastructure security analysis competition called Critical Infrastructure Attack was held. Competitors had to detect and exploit vulnerabilities to gain control over industrial automation systems.
The competition first took place at PHDays III under the name Choo Choo Pwn; for that event, a model of a transport system was built, controlled by a real industrial control system (ICS).
This year the competition infrastructure was radically updated, which opened up opportunities for detecting zero-day vulnerabilities. The stand gained a large number of new SCADA systems (for example, Siemens TIA Portal 13 Pro and Schneider Electric ClearSCADA 2014) and various OPC servers (Kepware KepServerEX, Honeywell Matrikon OPC). Also new were HMI devices and a Siemens KTP 600 panel, PLCs (Siemens Simatic S7-300 and S7-1500), and remote control devices (for example, ICP DAS PET-7067); one of the PLCs (Schneider Electric MiCOM C264) was provided by CROC. A complete list of the stand's components is given in a post on the PHDays blog.
The stand was created by Positive Technologies information security expert Ilya Karpov and his colleagues from the ICS security research group.
The competitors had to detect and exploit vulnerabilities in SCADA systems and industrial protocols in order to seize control of the robotic arm, the cargo crane, the transport control systems and the urban energy supply (in particular, street lighting). In addition, the model made it possible to remotely control other objects: robots, individual plant facilities, a railway crossing and cooling towers.

We emphasize that all the SCADA systems and controllers in the competition are actually used at a variety of critical facilities in various industries: factories and hydroelectric power plants, urban transport management, and the oil and gas industry.
The competition took place over two days. The winner was Alisa Shevchenko, who discovered several zero-day vulnerabilities in the popular industrial automation system Indusoft Web Studio 7.1 from Schneider Electric. Nikita Maksimov and Pavel Markov, who shared second place, managed to disable the ICP DAS RTU PET-7000 and guess the password for the web interface of the Allen-Bradley MicroLogix 1400 controller from Rockwell Automation. Third place went to Dmitry Kazakov, who discovered XSS vulnerabilities (already known) in the web interfaces of Siemens Simatic S7-1200 controllers.
Contestants were able to actively control robots and cranes using the Modbus TCP protocol. Over the course of two days, many critical vulnerabilities were found, most of them in the Simatic S7-1200 controllers. In addition, at the end of the first day, one of the participants repeatedly caused a denial of service in the MiniWeb web server in WinCC Flexible 2008 SP3 Update4.
In a real urban environment, exploitation of most of the detected flaws could have devastating consequences: denial of service and malfunctions in the management of vital facilities. This in turn could lead to disruption and collapse of the city's operations.
Following the principles of responsible disclosure, competitors who discovered new security flaws will report them to the system manufacturers, and detailed information about them will be published only after the problems have been fixed.
The winners of the competition received memorable gifts, and the winner, Alisa Shevchenko (one of the co-founders of the Moscow hackspace Neuron), was awarded a special prize: the Phantom 2 Vision+ flying camera.

Photo: Alisa Shevchenko
Recall that last year the winners of the Choo Choo Pwn competition were Mikhail Elizarov, a student of the North Caucasus Federal University, and Arseniy Levshin, a student from Minsk.
The critical infrastructure security competition has been the highlight of the PHDays program for the second year in a row. In addition, Positive Technologies experts presented the Choo Choo Pwn stand at the Power of Community conference and at the anniversary Chaos Communication Congress (30C3) in Hamburg.
