A planned presentation on security vulnerabilities in Siemens industrial control systems was pulled at the last minute because the information was deemed too dangerous.
Independent security researcher Brian Meixell and Dillon Beresford, with NSS Labs, had been scheduled to discuss problems in Siemens programmable logic controller systems at TakeDownCon in Dallas on May 18. Siemens PLCs are widely used in automation tasks such as opening and shutting valves on factory floors and in power plants, controlling centrifuges and operating systems on warships. The Stuxnet malware last year infected Siemens PLCs that controlled the centrifuges in Iran’s uranium enrichment facilities.
Meixell and Beresford planned to show how to write “industrial-grade” malware during their talk, according to an abstract describing their presentation. “We will demonstrate how motivated attackers could penetrate even the most heavily fortified facilities in the world, without the backing of a nation state,” the abstract said.
The Chain Reactions-Hacking SCADA talk was cancelled after Siemens and the United States Department of Homeland Security pointed out the possible scope of the problem, Rick Moy, CEO of NSS Labs, told eWEEK in an e-mail. NSS Labs had been working with DHS’s Industrial Control Systems Cyber-Emergency Response (ICS-CERT) group for a week and a half to resolve “significant, additional vulnerabilities in industrial control systems” that Beresford had discovered. Beresford had “responsibly” disclosed the problems to both the vendor and DHS, along with exploit proofs-of-concept that he had developed.
Beresford told Wired ThreatLevel that at least one of the vulnerabilities affected multiple vendors, not just Siemens.
“Due to the serious physical, financial impact these issues could have on a worldwide basis, further details will be made available at the appropriate time,” Moy wrote in an e-mail to eWEEK.
Moy denied that Siemens threatened NSS Labs and said the security flaws were being withheld temporarily, not being buried, Network World reported. Beresford told Threatpost that the DHS had not tried to censor the presentation.
The vendor had proposed a fix that didn’t adequately patch the issues, according to Moy. “We just don’t want to release it without mitigation being out there for the owners and operators of the SCADA [supervisory control and data acquisition] equipment,” Moy said.
“Vulnerabilities in Industrial Control Systems (ICS) are an emerging threat to national cyber security of immense importance, and research into this area is just beginning,” Moy said in his e-mail. Outlining the problems without a fix in place was too dangerous, especially considering how destructive Stuxnet turned out to be.
It appears that Beresford made the decision on his own to cancel the talk because he was worried about the impact on industrial operators who have these SCADA systems in their plants. Seems like a fairly decent thing to do.