Siemens SCADA Hacking Talk Pulled From TakeDownCon

alphadogg writes "A planned presentation on security vulnerabilities in Siemens industrial control systems was pulled Wednesday over worries that the information in the talk was too dangerous to be released. Independent security researcher Brian Meixell and Dillon Beresford, with NSS Labs, had been planning to talk Wednesday at a Dallas security conference about problems in Siemens PLC systems, the industrial computers widely used to open and shut valves on factory floors and power plants, control centrifuges, and even operate systems on warships. But the researchers decided to pull the talk at the last minute after Siemens and the US Department of Homeland Security pointed out the possible scope of the problem."
  • by Anonymous Coward on Thursday May 19, 2011 @04:00PM (#36183782)

    Perfect example of security through obscurity. Yeah, everyday script kiddies won't be messing around in the systems, but those dedicated to doing damage or spying have the time and means to get to know the systems. And it's even easier for them because the systems aren't properly secured.

  • Secrecy (Score:1, Insightful)

    by grcumb ( 781340 ) on Thursday May 19, 2011 @04:07PM (#36183856) Homepage Journal

    The argument that some knowledge is too dangerous to know is specious and flawed. But I can't tell you how or why for fear of undermining our existing regime of ignorance and ineptitude.

  • Ummmm.... (Score:2, Insightful)

    by jd ( 1658 ) <imipak@yahoGINSBERGo.com minus poet> on Thursday May 19, 2011 @04:23PM (#36184054) Homepage Journal

    ...doesn't the existence of a virus that can attack such devices make this a zero-day flaw? The hack is public, since anyone can disassemble the virus that's in the wild and see how it works.

    And, frankly, I don't see it being awfully difficult for any Black Hat with a mind to to rip out the prior payload and install one that can attack a wider range of devices. Surely it is in the interests of security for corporations to understand what they can do to mitigate the risk of this.

    The DHS, IMHO, is acting in a manner that directly threatens US interests and US corporations by preventing those at risk from knowing as much as those who pose a risk. This argument has been had out before, with regard to CERT and when it should post alerts. It was accepted that there would be a reasonable pause to allow a fix. The virus was first discovered on July 15, 2010. So the vulnerabilities have been zero-day for 10 months now.

  • Re:Secrecy (Score:5, Insightful)

    by chemicaldave ( 1776600 ) on Thursday May 19, 2011 @04:28PM (#36184130)
    Did you RTFA? They're waiting for Siemens to fix the issues first, a common practice in security research. Siemens and DHS didn't force them to pull the talk and didn't even get lawyers involved. So please stop with your accusations. You clearly lack an understanding of the situation at hand.
  • by betterunixthanunix ( 980855 ) on Thursday May 19, 2011 @04:29PM (#36184146)
    There is a notion in security engineering of responsible disclosure, which is letting a company know about a vulnerability long enough before you present it so as to allow the company to fix it and deploy the fix. I believe that what happened here was that the company complained that they did not have enough time to fix the problem and deploy the fix, and that DHS and the researcher agreed with that conclusion. I do not think this is terribly far-fetched, and I doubt that there is a conspiracy to leave vulnerabilities in industrial equipment used here in America, not when the Iranians want to get back at the US and Israel for Stuxnet.