
Siemens SCADA Hacking Talk Pulled From TakeDownCon

alphadogg writes "A planned presentation on security vulnerabilities in Siemens industrial control systems was pulled Wednesday over worries that the information in the talk was too dangerous to be released. Independent security researcher Brian Meixell and Dillon Beresford, with NSS Labs, had been planning to talk Wednesday at a Dallas security conference about problems in Siemens PLC systems, the industrial computers widely used to open and shut valves on factory floors and power plants, control centrifuges, and even operate systems on warships. But the researchers decided to pull the talk at the last minute after Siemens and the US Department of Homeland Security pointed out the possible scope of the problem."
  • by jd ( 1658 ) <imipak@yahoGINSBERGo.com minus poet> on Thursday May 19, 2011 @04:35PM (#36184210) Homepage Journal

    That's not the bit that scares me the most. The bit that scares me the most is that anyone with an ounce of skill in reverse engineering can identify the security flaws used, and anyone with an ounce of skill in assembly can disassemble Stuxnet, alter what it targets, and launch the new variant.

    By banning the talk, the DHS is preventing US industries from protecting themselves against economic warfare. Plenty of nations (China and Russia especially) are investing in cyber-warfare. There are plenty of amateurs out there with axes (albeit often as delusionary as the DHS') to grind. It is simply not excusable for the US to be placed in this kind of danger.

    For what purpose? Siemens can't get a worse rep than to be accused of having worked with virus writers. The consumers can't exactly switch from SCADA to Infiniband or other rival networking technologies. The exploit is public knowledge.

    Who, then, is going to be protected?

  • Re:In other words (Score:5, Interesting)

    by Charliemopps ( 1157495 ) on Thursday May 19, 2011 @04:36PM (#36184228)
    I used to work in provisioning in a telco and it entirely depends on who's managing the plant. We'd install circuits in some power plants that were so strict that they insisted on fiber use only. We'd run copper to an access point outside their security perimeter then have a mux convert it to fiber to run across the perimeter into the facility where it would terminate in an outer building. Their security plan did not allow ANY outside network connections to the plant itself. They had networked equipment but it was all housed in an outer building with no connection to the main plant or control systems. They refused to allow copper on the premises because it's relatively easy to splice into and carry elsewhere. Fiber would be much more difficult to splice and bring in.

    Other facilities were less secure. I remember getting a panicked call from someone shouting "The dam's gonna bust!!!" They had a single "Circuit" they paid about $20 a month for that was nothing more than a single copper that ran from some building to the local dam. They'd apply +5 volts to the line to open the dam, and -5 volts and it would close. They'd reacted too slowly to rising waters and it had flooded the copper pair they used to control the dam. They wanted us to send a phone tech into their overflowing dam to repair the circuit so they could open it from the safety of their administrative building. They had a hard time understanding my near hysterical laughter.
