Wednesday, May 18, 2011

Fearing Destruction, Researcher Cancels Disclosure of New Siemens SCADA Holes

Via (Threat Level) -

A security researcher has discovered multiple security vulnerabilities in Siemens industrial control systems that he says would allow hackers with remote access to the systems to cause physical destruction.

Dillon Beresford canceled a planned demonstration of the vulnerabilities on Wednesday at the Takedown security conference in Texas after Siemens and the Department of Homeland Security expressed concern over the phone and at the conference about disclosing information before Siemens could patch the vulnerabilities.

Beresford, a researcher who works for NSS Labs in Austin, Texas, says he decided to cancel the talk — “Chain Reactions–Hacking SCADA” — after realizing the full ramifications of the information he planned to reveal.

“Based on my own understanding of the seriousness behind this, I decided to refrain from disclosing any information due to safety concerns for the consumers that are affected by the vulnerabilities,” Beresford told Threat Level, adding that “DHS in no way tried to censor the presentation.”


The decision to pull the talk at the last minute caused rumors to fly at the conference. Another presenter at Takedown tweeted that DHS had banned Beresford’s talk.

But Beresford disputed this and said he’s been “extremely impressed” with the way ICS-CERT has handled the matter.

“This is different from simply stealing money out of someone’s bank account,” said NSS Labs CEO Rick Moy. “Things could explode. I don’t want to overplay this and sound like it’s a bunch of FUD but physical damage can occur and people can be seriously injured or worse. So we felt … it was best to be prudent and wait a little bit longer until we get more information.”
