by George V. Hulme

A botched fix, not legal demands, nixed SCADA security talk

May 23, 2011
Critical Infrastructure, Data and Information Security, Network Security

Government didn't pull SCADA security talk. Rather, it was a legitimate need for caution, presenters contend.

After a presentation on SCADA (supervisory control and data acquisition) system exploits was pulled at the last minute from the TakeDownCon conference, accusations began to swirl that NSS Labs, the company that helped fund the research, had been told by the Department of Homeland Security (DHS) to pull the talk that would have exposed existing flaws in certain Siemens systems used to control critical infrastructure.

The talk abstract certainly wasn’t understated: “We will demonstrate how motivated attackers could penetrate even the most heavily fortified facilities in the world, without the backing of a nation state. We will also present how to write industrial grade malware without having direct access to the target hardware.”

On the day of the talk, the presentation was pulled with little explanation; Brian Meixell, one of the researchers, told conference-goers only that parts of the talk would not be given. “They said they were not allowed to give the talk, or explain why they weren’t,” says Jayson E. Street, a security researcher and CIO at Stratagem 1 Solutions, who also presented at TakeDownCon.

For the next two days speculation swirled as to whether DHS weighed in with a heavy hand to pull the talk, or if Siemens threatened legal action against the security firm. “That’s not what happened here,” says Vik Phatak, chief technology officer at NSS Labs. “Siemens found out, near the last minute, that the mitigation they had planned didn’t work. It could be bypassed,” Phatak says.

According to Phatak, DHS pointed to a broad context of risks should the talk go forward without a working mitigation. Following that, NSS Labs independently chose to postpone the talk. “We have been working with DHS’s ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) group for nearly two weeks, trying to get the issue solved,” he explains.

Phatak would not describe the nature of the actual Siemens PLC flaws, but did reveal that should the vulnerabilities be exploited, an attacker could take over physical control of the at-risk devices. “These vulnerabilities are quite serious,” he says.

Siemens and DHS ICS CERT are expected to release advisories and fixes for the vulnerabilities within the week, Phatak said.

While SCADA security has been of interest in some circles for years, it wasn’t until the discovery of the Stuxnet worm, which has been claimed to target the SCADA and PLC systems within the infrastructure Iran uses to enrich uranium, that the topic drew wider attention. Since then, as we covered in the story SCADA security arms race underway, security researchers have been taking a closer look at these systems.

Surprisingly, Phatak says that despite much of the speculation that Stuxnet required significant resources to develop, after watching his team’s research unfold he is not convinced that assessment is accurate. “Our researchers have shown what can be done with about $2,500 in equipment, time, and skill,” he says.

George V. Hulme writes about security and technology from his home in Minneapolis. He can be found on Twitter as @georgevhulme.