Two researchers say they canceled a talk at a security conference today on
how to attack critical infrastructure systems, after U.S. cybersecurity and
Siemens representatives asked them not to discuss their work publicly.
“We were asked very nicely if we could refrain from providing that
information at this time,” Dillon Beresford, an independent security researcher
and a security analyst at NSS Labs, told
CNET today. “I decided on my own that it would be in the best interest of
security…to not release the information.”
Beresford said he and independent researcher Brian Meixell planned on doing a
physical demonstration at the TakeDown
Conference and shared their slides and other information on vulnerabilities
and exploits with Siemens, ICS-CERT (Industrial Control Systems Cyber Emergency
Response Team), and the Idaho National Lab on Monday.
A DHS official provided this statement: “DHS’ Industrial Control Systems
Cyber Emergency Response Team (ICS-CERT) frequently engages with industry
partners and members of the cybersecurity community to share actionable
vulnerability information and mitigation measures in an effort to better secure
our nation’s critical infrastructure. In this collaboration, DHS always
prioritizes the responsible disclosure of vulnerability information, while
concurrently providing actionable solutions and recommendations to better secure
our nation’s infrastructure. This responsible disclosure process does not
encourage the release of sensitive vulnerability information without also
validating and releasing a solution.”
A U.S.-based representative for Siemens, a German company, did not respond to
a call or e-mail. Siemens was expected to make a statement on Thursday,
according to Beresford.
Earlier in the day, an organizer of the conference said that it was Siemens
and the Department of Homeland Security that had requested that the researchers
hold off on their talk. ICS-CERT is a division of DHS.
The presentation was entitled “Chain Reactions–Hacking SCADA.” SCADA (supervisory
control and data acquisition) is the technology used to monitor and control
manufacturing and critical-infrastructure systems. About 300 people were
registered to attend the TakeDown Conference, which is happening today and
tomorrow in Dallas.
“Combining traditional exploits with industrial control systems allows
attackers to weaponize malicious code, as demonstrated with Stuxnet. The attacks
against Iran’s nuclear facilities were started by a sequence of events that
delayed the proliferation of nuclear weapons,” a summary of the talk says. “We
will demonstrate how motivated attackers could penetrate even the most heavily
fortified facilities in the world, without the backing of a nation state. We
will also present how to write industrial grade malware without having direct
access to the target hardware. After all, if physical access was required, what
would be the point of hacking into an industrial control system?”
Last year’s Stuxnet was believed to be the first
malware designed specifically to target industrial control systems. Experts say
it was written to seek out particular Siemens software and was likely aimed at
sabotaging Iran’s nuclear program.
News of the cancellation first spread on Twitter, when another presenter at
the conference, Jayson Street, tweeted: “Since DHS just banned next speaker from
giving his talk [on SCADA] I’m up next!”
However, Beresford said they were merely asked to not give the talk.
“Dillon was not threatened or prevented from speaking. Rather, he made the
decision based on the potential negative impact to human life and the fact that
the vendor’s proposed mitigation had failed,” NSS Labs Chief Executive Rick Moy
said in an e-mail. “ICS-CERT has done a great job of assisting us with this
process, and we look forward to Siemens being able to address the issue for
Updated 6:21 p.m. PT with DHS comment and 5:53 p.m. PT
to clarify that U.S. and Siemens merely asked researchers to cancel talk;
specify that ICS-CERT was involved; add more details and comment from