SCADA hack talk canceled after U.S., Siemens request

The researchers were scheduled to give their talk at the TakeDown Conference in Dallas today.

Two researchers say they canceled a talk at a security conference today on
how to attack critical infrastructure systems, after U.S. cybersecurity and
Siemens representatives asked them not to discuss their work publicly.

“We were asked very nicely if we could refrain from providing that
information at this time,” Dillon Beresford, an independent security researcher
and a security analyst at NSS Labs, told
CNET today. “I decided on my own that it would be in the best interest of
security…to not release the information.”

Beresford said he and independent researcher Brian Meixell planned on doing a
physical demonstration at the TakeDown Conference, and shared their slides and
other information on vulnerabilities and exploits with Siemens, ICS-CERT
(Industrial Control Systems Cyber Emergency Response Team), and the Idaho
National Lab on Monday.

A DHS official provided this statement: “DHS’ Industrial Control Systems
Cyber Emergency Response Team (ICS-CERT) frequently engages with industry
partners and members of the cybersecurity community to share actionable
vulnerability information and mitigation measures in an effort to better secure
our nation’s critical infrastructure. In this collaboration, DHS always
prioritizes the responsible disclosure of vulnerability information, while
concurrently providing actionable solutions and recommendations to better secure
our nation’s infrastructure. This responsible disclosure process does not
encourage the release of sensitive vulnerability information without also
validating and releasing a solution.”

A U.S.-based representative for Siemens, a German company, did not respond to
a call or e-mail. Siemens was expected to make a statement on Thursday,
according to Beresford.

Earlier in the day, an organizer of the conference said that it was Siemens
and the Department of Homeland Security that had requested that the researchers
hold off on their talk. ICS-CERT is a division of DHS.

The presentation was entitled “Chain Reactions–Hacking SCADA” (supervisory
control and data acquisition), which is technology used in manufacturing and
critical-infrastructure systems. About 300 people were registered to attend the
TakeDown Conference, which is happening today and tomorrow in Dallas.

“Combining traditional exploits with industrial control systems allows
attackers to weaponize malicious code, as demonstrated with Stuxnet. The attacks
against Iran’s nuclear facilities were started by a sequence of events that
delayed the proliferation of nuclear weapons,” a summary of the talk says. “We
will demonstrate how motivated attackers could penetrate even the most heavily
fortified facilities in the world, without the backing of a nation state. We
will also present how to write industrial grade malware without having direct
access to the target hardware. After all, if physical access was required, what
would be the point of hacking into an industrial control system?”

Last year’s Stuxnet was believed to be the first
malware designed specifically to target industrial control systems. Experts say
it was written to seek out particular Siemens software and was likely aimed at
sabotaging Iran’s nuclear program.

News of the cancellation first spread on Twitter, when another presenter at
the conference, Jayson Street, tweeted: “Since DHS just banned next speaker from
giving his talk [on SCADA] I’m up next!”

However, Beresford said they were merely asked to not give the talk.

“Dillon was not threatened or prevented from speaking. Rather, he made the
decision based on the potential negative impact to human life and the fact that
the vendor’s proposed mitigation had failed,” NSS Labs Chief Executive Rick Moy
said in an e-mail. “ICS-CERT has done a great job of assisting us with this
process, and we look forward to Siemens being able to address the issue for
their customers.”

Updated 6:21 p.m. PT with DHS comment and 5:53 p.m. PT
to clarify that U.S. and Siemens merely asked researchers to cancel talk;
specify that ICS-CERT was involved; add more details and comment from
researcher.

Read more: http://news.cnet.com/8301-27080_3-20064112-245.html#ixzz1N8lyekoz
