Abstract

In the past five years we've researched & hacked ICS/IoT products in five different Pwn2Own events. In these specialized versions of the Pwn2Own hacking competition we had to find 0-days and exploit them live on stage. This included anything from HMI software to Engineering Workstations and even ICS protocols like OPC-UA.

In this talk, we will share the bugs and exploits we found, but also the insights and lessons we gained from preparing for these events. We'll discuss how these experiences improved our approach to ICS security and helped shape the future of the field, highlighting the importance of continuous learning and adaptation in building a more secure industrial environment.