Researchers cancel SCADA hack talk

Discussion in 'The Water Cooler' started by reghakr, May 19, 2011.

  1. reghakr

    reghakr Excellent Member

    Joined:
    Jan 26, 2009
    Messages:
    14,220
    Likes Received:
    180
    Dillon Beresford and Brian Meixell were planning to perform a demonstration of how to attack critical infrastructure at the TakeDown Conference but cancelled after they were "asked very nicely" to refrain from providing that information. Beresford, a security analyst at NSS Labs, told CNET that he then decided that it would be "in the best interest of security" to comply with that request.

    A conference organiser said that it was Siemens and the Department of Homeland Security's ICS-CERT division which made the request. The presentation, "Chain Reactions – Hacking SCADA", was due to demonstrate how traditional exploits could be harnessed to carry weaponised malicious code and how that code could be developed without direct access to the target hardware. The Stuxnet breakout last year appears to have been the first of this kind of attack, but Beresgord and Meixell were planning to show how it could be performed without the backing of a nation state.

    In particular, they were going to show vulnerabilities in Siemens Programmable Logic Controllers. say that ICS-CERT had been notified, given exploits and confirmed that they worked. According to Beresford, ICS-CERT said they were "far-reaching and more serious than anything they’ve ever dealt with". Siemens were notified by ICS-CERT and was working on patches but upon seeing the researchers' presentation Siemens realised that their mitigation would not work and requested the talk not go ahead.

    Beresford's boss, NSS Labs Chief Executive Rick Moy, said that Bereford was not prevented from presenting but decided to not speak as the "vendor's proposed mitigation had failed". He added that ICS-CERT had done a "great job assisting us" and that they looked forward to Siemens addressing the issue for their customers. In a posting on NSS Labs blog Moy invited legitimate owners and operators of SCADA PLCs to contact the company for further information.

    See also:

    SCADA system vulnerable to ActiveX control attack, a report from The H.
    Another zero-day exploit for SCADA systems, a report from The H.
    Industrial Control Systems: security holes galore, a report from The H.

    Source:Researchers cancel SCADA hack talk - The H Security: News and Features
     
  2. reghakr

    reghakr Excellent Member

    Joined:
    Jan 26, 2009
    Messages:
    14,220
    Likes Received:
    180
    Since the advent of the Stuxnet worm, SCADA industrial control systems have been receiving a lot of attention. You would expect that since these systems are those that control many critical infrastructure systems and are used in big manufacturing facilities, security would be the first thing on the minds of their developers.

    But, it turns out that it's not so. In March, Italian researcher Luigi Auriemma revealed 34 vulnerabilities on various server-side SCADA software, along with a proof-of-concept for each of them.

    According to him, most of them can be leveraged to execute a remote code execution on SCADA software-run machines with an Internet connection. Others allow attackers access to stored data, and in one case, to even interfere with the hardware that uses the software in question.

    34 is a huge number, when you consider what these systems control. And now, news that another researcher has discovered a number of security flaw in Siemens SCADA systems, wanted to present his discovery at a security conference and in the end through better of it and cancelled his talk has hit the Internet.

    According to Wired, NSS Labs researcher Dillon Beresford was scheduled to demonstrate the vulnerabilities he found after researching various Siemens SCADA systems for only two and a half months, but changed his mind after talking to the DHS and Siemens.

    Instead, he shared some of the flaws with Siemens and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). Siemens apparently managed to work out a remediation for one of the vulnerabilities, but it turns out that it is easily circumvented.

    That must have been a final wake up call for the German company, and hopefully taught them that securing a system is not easy, and is a process that will require much more attention and effort that they are used to give it.

    Rick Moy, NSS Labs CEO, supported Beresford's decision. "This is different from simply stealing money out of someone’s bank account. Things could explode. I don’t want to overplay this and sound like it’s a bunch of FUD but physical damage can occur and people can be seriously injured or worse. So we felt … it was best to be prudent and wait a little bit longer until we get more information,” he explained.

    Source:SCADA flaws talk cancelled due to security fears
     
  3. reghakr

    reghakr Excellent Member

    Joined:
    Jan 26, 2009
    Messages:
    14,220
    Likes Received:
    180
    A scheduled presentation about vulnerabilities in certain supervisory control and data acquisition (SCADA) products has been cancelled.

    The presentation on flaws in the programmable logic controllers in certain Siemens products was to have been made on Wednesday, May 18 at the Takedown Security conference in Texas.

    However, Siemens and the US Department of Homeland Security (DHS) contacted the presenters and asked them to postpone presenting the information until Siemens has time to issue a fix.

    Sources:
    Fearing Industrial Destruction, Researcher Delays Disclosure of New Siemens SCADA Holes | Threat Level | Wired.com
    Siemens says it will fix SCADA bugs - Computerworld
    Stuxnet-style SCADA attack kept quiet after US gov tests ? The Register
    SCADA hack talk canceled after U.S., Siemens request | InSecurity Complex - CNET News
     

Share This Page

Loading...