
A botched fix, not legal demands, nixed SCADA security talk

After a presentation on SCADA (supervisory control and data acquisition) system exploits was pulled at the last minute from the TakeDownCon conference, accusations began to swirl that NSS Labs, the company that helped to fund the research, had been told by the Department of Homeland Security (DHS) to pull the talk, which would have exposed existing flaws in certain Siemens systems used to control critical infrastructure.

The talk abstract certainly wasn't understated: "We will demonstrate how motivated attackers could penetrate even the most heavily fortified facilities in the world, without the backing of a nation state. We will also present how to write industrial grade malware without having direct access to the target hardware."


Unexpectedly, on the day of the talk, the presentation was pulled without much of an explanation, with only Brian Meixell, one of the researchers, telling conference goers that parts of the talk would not be given. "They said they were not allowed to give the talk, or explain why they weren't," says Jayson E. Street, a security researcher and CIO at Stratagem 1 Solutions, who also presented at TakeDownCon.

For the next two days speculation swirled as to whether DHS weighed in with a heavy hand to pull the talk, or if Siemens threatened legal action against the security firm. "That's not what happened here," says Vik Phatak, chief technology officer at NSS Labs. "Siemens found out, near the last minute, that the mitigation they had planned didn't work. It could be bypassed," Phatak says.

According to Phatak, DHS pointed to a broad context of risks should the talk go forward without proper mitigation. Following that, NSS Labs independently chose to postpone the talk. "We have been working with DHS's ICS CERT (Industrial Control Systems Cyber Emergency Response) group for nearly two weeks, trying to get the issue solved," he explains.

Phatak would not describe the nature of the actual Siemens PLC flaws, but did reveal that should the vulnerabilities be exploited, an attacker could take over physical control of the at-risk devices. "These vulnerabilities are quite serious," he says.

Siemens and DHS ICS CERT are expected to release advisories and fixes for the vulnerabilities within the week, Phatak said.

While SCADA security has been of interest in some circles for years, it wasn't until the discovery of the Stuxnet worm, which has been claimed to target the SCADA and PLC systems within the infrastructure used by Iran to enrich uranium, that it drew wider attention. Since then, as we covered in the story "SCADA security arms race underway", security researchers have been taking a closer look at these systems.

Surprisingly, Phatak says that despite much of the speculation about Stuxnet having required significant resources to develop, after having witnessed their current research unfold he's not convinced that is an accurate assessment. "Our researchers have shown what can be done with about $2,500 in equipment, time, and skill," he says.

George V. Hulme writes about security and technology from his home in Minneapolis. He can be found on Twitter as @georgevhulme.
