Aperture Podcast: ZDI’s Dustin Childs on Pwn2Own Miami
By Michael Mimoso | Nov. 17, 2021
Like many other security events, Pwn2Own Miami, the industry’s first ICS- and OT-focused hacking contest, was postponed this year because of the COVID-19 pandemic.
After a successful 2020 event where more than a quarter-million dollars was awarded for uncovering two dozen zero-day vulnerabilities in targeted software and firmware, the event went dark this year. Albeit as it turned out, a temporary cancellation, the first event demonstrated a commitment not only from hosts, the Zero Day Initiative (ZDI), but also from participating vendors that industrial cybersecurity was a maturing discipline that deserved attention from the research and vendor communities.
Pwn2Own Miami has been renewed for 2022 and will take place alongside the upcoming S4 Conference in January. Researchers will have the opportunity to compete either in person on South Beach, or virtually. Four categories of targets are in scope this year: control servers, OPC UA servers, data gateways, and HMIs, spanning across four critical technologies that underpin industrial processes and how they communicate.
In this episode of Claroty’s Aperture podcast, Dustin Childs of ZDI returns to discuss how and why the Pwn2Own Miami ICS hacking contest was brought back, the format for this year’s event, who the participating vendors are, and why this is such a crucial time for ICS and OT vulnerability research.
Throughout this conversation, you’ll hear more about:
- The maturing discipline of ICS vulnerability research
- Why a hybrid approach to Pwn2Own Miami made the most sense
- Expectations around participants and prize money for the 2022 contest
- How Pwn2Own works, and how zero-days are disclosed to affected vendors
- How high-profile ransomware attacks have shone a spotlight on industrial cybersecurity