US SCADA talk pulled over exploit fears

Powered by SC Magazine
 

A US talk on SCADA holes could have put lives at risk, the researchers say.

A scheduled talk on vulnerabilities in industrial control systems was shelved at a security conference this week after the affected vendor was unable to develop a working fix.

Dillon Beresford, an analyst at security product testing company NSS Labs, and Brian Meixell, an independent researcher, planned to demonstrate at the TakeDownCon in Las Vegas how to build "industrial grade SCADA (supervisory control and data acquisition) malware without access to the target hardware," according to a conference news release.

However, the pair decided to pull the plug just hours before they were to hit the stage because of the potential for real-life harm that the research could have caused.

"Dillon decided to temporarily delay giving the talk due to the human risks and the fact that the mitigation offered by Siemens did not work," Rick Moy, president and CEO of NSS Labs, said.

"We are working collaboratively with ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) and the vendor and look forward to their response to the issues."

He said the researchers still plan to release their findings at a later date.

"Due to the serious physical, financial impact these issues could have on a worldwide basis, further details will be made available at the appropriate time," Moy said.

"NSS Labs is working with all parties to validate remediations for the issues."

Vulnerabilities affecting SCADA software and hardware products have been a research hotbed in recent years as these systems become interconnected with corporate data networks and the public internet, making them increasingly open to attack.

Products made by Siemens, a well-known SCADA manufacturer, were targeted by the vicious Stuxnet worm, considered the first malware written to specifically target industrial control systems.

Stuxnet exploits hit Iran's nuclear program, though no major damage occurred.

In March, an Italian researcher warned about 34 flaws in SCADA products that could allow people to monitor and control the various hardware sensors and mechanisms located in industrial environments, enabling attackers to remotely execute code via buffer and heap overflows.

A Siemens spokeswoman could not be immediately reached for comment yesterday.

Wrote Moy in a blog post: "Exploitation of vulnerabilities in systems can always have negative effects, such as loss of availability, productivity, data loss or compromise, and even result in identity theft and financial loss. However, unlike classic computer crime and exploitation, where data is remotely stolen or manipulated, attacks on industrial control systems can have devastating physical world implications such as loss of life and environmental impact."

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition

