Siemens SCADA hacking talk pulled over security concerns
IDG News Service - A planned presentation on security vulnerabilities in Siemens industrial control systems was pulled Wednesday over worries that the information in the talk was too dangerous to be released.
Independent security researcher Brian Meixell and Dillon Beresford, with NSS Labs, had been planning to talk Wednesday at a Dallas security conference about problems in Siemens PLC (programmable logic controller) systems. These are the industrial computers widely used to open and shut valves on factory floors and power plants, control centrifuges, and even operate systems on warships.
But the researchers decided to pull the talk at the last minute after Siemens and the U.S. Department of Homeland Security pointed out the possible scope of the problem, said Rick Moy, CEO of NSS Labs. His company had been working with DHS's ICS CERT (Industrial Control Systems Cyber Emergency Response) group for the past week-and-a-half trying to get the issues resolved. "The vendor had proposed a fix that turned out not to work, and we felt it would be potentially very negative to the public if information was put out without mitigation being available," he said.
It is common for security researchers to talk about security bugs once the software in question has been patched. But if the vendor can't get the issue fixed in time, that can create problems for security researchers, who may be expecting to talk about the issue at a hacker conference.
That's what happened at the TakeDownCon conference, where the security researchers had been set to talk.
In the past, technology companies have threatened legal action against researchers, but Moy said that in this case the lawyers were not involved. "It's a temporary hold on the information; it's not that it's being buried," he said. "We just don't want to release it without mitigation being out there for the owners and operators of the SCADA [supervisory control and data acquisition] equipment."
Siemens and DHS did not force them to pull the talk. "They said, 'It's up to you. Here's some more information about the number of devices and where they're deployed,'" he said.
Moy declined to say much about the actual Siemens PLC flaw that Beresford and Meixell discovered for fear that it would disclose aspects of the bugs.
SCADA security has been a hot topic in the research community following last year's discovery of the Stuxnet worm, thought to have been designed to disrupt Iran's nuclear program.
In a description of their talk, Meixell and Beresford said they would show how to write "industrial-grade" malware. "We will demonstrate how motivated attackers could penetrate even the most heavily fortified facilities in the world, without the backing of a nation state," they wrote in an abstract describing their presentation.
- Manufacturing Outlook: Improving time to market, operational effectiveness and innovation in a highly competitive environment An enterprise project portfolio management solution can help manufacturers position themselves in the new competitive landscape.
- Time-to-Market: The Need for Speed in the Automotive Industry Bringing new vehicles to market quickly has never been more challenging. To bring new models to market on-time and on budget, automakers need...
- Patient Portals: A Platform for Connecting Communities of Care Connecting patient health data across the care continuum is essential to achieve improved care, increased access to personal health records and lowered costs.
- 3 Ways Clinicians Can Leverage a Patient Portal to Craft a Healthcare Community With a bevy of vendors offering patient portal solutions, it can be challenging for a hospital to know where to start. Fortunately, YourCareCommunity...
- Make or Break: New Auto Products Must Go To Market On Time This Webcast quantifies the value of time to market for the auto industry and highlights how Primavera Enterprise Portfolio Management can help organizations.
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users? All Government/Industries White Papers | Webcasts