Researchers cancel SCADA hack talk

reghakr

Dillon Beresford and Brian Meixell were planning to perform a demonstration of how to attack critical infrastructure at the TakeDown Conference but cancelled after they were "asked very nicely" to refrain from providing that information. Beresford, a security analyst at NSS Labs, told CNET that he then decided that it would be "in the best interest of security" to comply with that request.

A conference organiser said that it was Siemens and a division of the Department of Homeland Security that made the request. The presentation, "Chain Reactions – Hacking SCADA", was due to demonstrate how traditional exploits could be harnessed to carry weaponised malicious code and how that code could be developed without direct access to the target hardware. The Stuxnet breakout last year appears to have been the first of this kind of attack, but Beresford and Meixell were planning to show how it could be performed without the backing of a nation state.

In particular, they were going to show vulnerabilities in Siemens Programmable Logic Controllers. Link Removed due to 404 Error that ICS-CERT had been notified, given exploits and confirmed that they worked. According to Beresford, ICS-CERT said they were "far-reaching and more serious than anything they’ve ever dealt with". Siemens was notified by ICS-CERT and was working on patches, but upon seeing the researchers' presentation, Siemens realised that their mitigation would not work and requested that the talk not go ahead.

Beresford's boss, NSS Labs Chief Executive Rick Moy, said that Beresford was not prevented from presenting but decided to not speak as the "vendor's proposed mitigation had failed". He added that ICS-CERT had done a "great job assisting us" and that they looked forward to Siemens addressing the issue for their customers. In a posting on Link Removed due to 404 Error, Moy invited legitimate owners and operators of SCADA PLCs to contact the company for further information.


Source: Researchers cancel SCADA hack talk - The H Security: News and Features
 
Since the advent of the Link Removed - Invalid URL, SCADA industrial control systems have been receiving a lot of attention. You would expect that since these systems are those that control many critical infrastructure systems and are used in big manufacturing facilities, security would be the first thing on the minds of their developers.

But, it turns out that it's not so. In March, Italian researcher Luigi Auriemma Link Removed - Invalid URL 34 vulnerabilities on various server-side SCADA software, along with a proof-of-concept for each of them.

According to him, most of them can be leveraged to execute a remote code execution on SCADA software-run machines with an Internet connection. Others allow attackers access to stored data, and in one case, to even interfere with the hardware that uses the software in question.

34 is a huge number when you consider what these systems control. And now, news that another researcher has discovered a number of security flaws in Siemens SCADA systems, wanted to present his discovery at a security conference and in the end thought better of it and cancelled his talk has hit the Internet.

According to Link Removed - Invalid URL NSS Labs researcher Dillon Beresford was scheduled to demonstrate the vulnerabilities he found after researching various Siemens SCADA systems for only two and a half months, but changed his mind after talking to the DHS and Siemens.

Instead, he shared some of the flaws with Siemens and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). Siemens apparently managed to work out a remediation for one of the vulnerabilities, but it turns out that it is easily circumvented.

That must have been a final wake-up call for the German company, and hopefully taught them that securing a system is not easy, and is a process that will require much more attention and effort than they are used to giving it.

Rick Moy, NSS Labs CEO, supported Beresford's decision. "This is different from simply stealing money out of someone's bank account. Things could explode. I don't want to overplay this and sound like it's a bunch of FUD but physical damage can occur and people can be seriously injured or worse. So we felt … it was best to be prudent and wait a little bit longer until we get more information," he explained.

 
A scheduled presentation about vulnerabilities in certain supervisory control and data acquisition (SCADA) products has been cancelled.

The presentation on flaws in the programmable logic controllers in certain Siemens products was to have been made on Wednesday, May 18 at the Takedown Security conference in Texas.

However, Siemens and the US Department of Homeland Security (DHS) contacted the presenters and asked them to postpone presenting the information until Siemens has time to issue a fix.

Sources:
Siemens says it will fix SCADA bugs - Computerworld
Stuxnet-style SCADA attack kept quiet after US gov tests - The Register
SCADA hack talk canceled after U.S., Siemens request | InSecurity Complex - CNET News
 