Siemens SCADA hacking talk pulled over security concerns

Siemens was unable to fix the issue in time for the TakeDownCon security conference

A planned presentation on security vulnerabilities in Siemens industrial control systems was pulled Wednesday over worries that the information in the talk was too dangerous to be released.

Independent security researcher Brian Meixell and Dillon Beresford, with NSS Labs, had been planning to talk Wednesday at a Dallas security conference about problems in Siemens PLC (programmable logic controller) systems. These are the industrial computers widely used to open and shut valves on factory floors and power plants, control centrifuges, and even operate systems on warships.

But the researchers decided to pull the talk at the last minute after Siemens and the U.S. Department of Homeland Security pointed out the possible scope of the problem, said Rick Moy, CEO of NSS Labs. His company had been working with DHS's ICS CERT (Industrial Control Systems Cyber Emergency Response) group for the past week-and-a-half trying to get the issues resolved. "The vendor had proposed a fix that turned out not to work, and we felt it would be potentially very negative to the public if information was put out without mitigation being available," he said.

It is common for security researchers to talk about security bugs once the software in question has been patched. But if the vendor can't get the issue fixed in time, that can create problems for security researchers, who may be expecting to talk about the issue at a hacker conference.

That's what happened at the TakeDownCon conference, where the security researchers had been set to talk.

In the past, technology companies have threatened legal action against researchers, but Moy said that in this case the lawyers were not involved. "It's a temporary hold on the information; it's not that it's being buried," he said. "We just don't want to release it without mitigation being out there for the owners and operators of the SCADA [supervisory control and data acquisition] equipment."

Siemens and DHS did not force them to pull the talk. "They said, 'It's up to you. Here's some more information about the number of devices and where they're deployed,'" he said.

Moy declined to say much about the actual Siemens PLC flaw that Beresford and Meixell discovered for fear that it would disclose aspects of the bugs.

SCADA security has been a hot topic in the research community following last year's discovery of the Stuxnet worm, thought to have been designed to disrupt Iran's nuclear program.

In a description of their talk, Meixell and Beresford said they would show how to write "industrial-grade" malware. "We will demonstrate how motivated attackers could penetrate even the most heavily fortified facilities in the world, without the backing of a nation state," they wrote in an abstract describing their presentation.

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is robert_mcmillan@idg.com

Join the PC World newsletter!

Error: Please check your email address.

Tags siemensNSS Labssecurityenergyindustry verticalsExploits / vulnerabilities

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?