US SCADA talk pulled over exploit fears

Powered by SC Magazine
 

A US talk on SCADA holes could have put lives at risk, the researchers say.

A scheduled talk on vulnerabilities in industrial control systems was shelved at a security conference this week after the affected vendor was unable to develop a working fix.

Dillon Beresford, an analyst at security product testing company NSS Labs, and Brian Meixell, an independent researcher, planned to demonstrate at the TakeDownCon in Las Vegas how to build "industrial grade SCADA (supervisory control and data acquisition) malware without access to the target hardware," according to a conference news release.

However, the pair decided to pull the plug just hours before they were to hit the stage due to the potential of real-life harm that the research could have caused.

"Dillon decided to temporarily delay giving the talk due to the human risks and the fact that the mitigation offered by Siemens did not work," Rick Moy, president and CEO of NSS Labs said.

"We are working collaboratively with ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) and the vendor and look forward to their response to the issues."

He said the researchers still plan to release their findings at a later date.

"Due to the serious physical, financial impact these issues could have on a worldwide basis, further details will be made available at the appropriate time," Moy said.

"NSS Labs is working with all parties to validate remediations for the issues."

Vulnerabilities that affected SCADA software and hardware products have been a research hotbed in recent years as these systems become interconnected with corporate data networks and the public internet, making them increasingly open to attack.

Products made by Siemens, a well-known SCADA manufacturer, were targeted by the vicious Stuxnet worm, considered the first malware written to specifically target industrial control systems.

Stuxnet exploits hit Iran's nuclear program, though no major damage occurred.

In March, an Italian researcher warned about 34 flaws in SCADA products that could allow people to monitor and control the various hardware sensors and mechanisms located in industrial environments, enabling attackers to remotely execute code via buffer and heap overflows.

A Siemens spokeswoman could not be immediately reached for comment yesterday.

Wrote Moy in a blog post: "Exploitation of vulnerabilities in systems can always have negative effects, such as loss of availability, productivity, data loss or compromise, and even result in identity theft and financial loss. However, unlike classic computer crime and exploitation, where data is remotely stolen or manipulated, attacks on industrial control systems can have devastating physical world implications such as loss of life and environmental impact."

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition


Tags
 
 
 
Top Stories
Making a case for collaboration
[Blog post] Tap into your company’s people power.
 
Five zero-cost ways to improve MySQL performance
How to easily boost MySQL throughput by up to 5x.
 
Tracking the year of CIO churn
[Blog post] Who shone through in 12 months of disruption?
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Which is the most prevalent cyber attack method your organisation faces?




   |   View results
Phishing and social engineering
  68%
 
Advanced persistent threats
  4%
 
Unpatched or unsupported software vulnerabilities
  11%
 
Denial of service attacks
  6%
 
Insider threats
  12%
TOTAL VOTES: 1052

Vote