US SCADA talk pulled over exploit fears

By on

A US talk on SCADA holes could have put lives at risk, the researchers say.

A scheduled talk on vulnerabilities in industrial control systems was shelved at a security conference this week after the affected vendor was unable to develop a working fix.

Dillon Beresford, an analyst at security product testing company NSS Labs, and Brian Meixell, an independent researcher, planned to demonstrate at the TakeDownCon in Las Vegas how to build "industrial grade SCADA (supervisory control and data acquisition) malware without access to the target hardware," according to a conference news release.

However, the pair decided to pull the plug just hours before they were to hit the stage due to the potential of real-life harm that the research could have caused.

"Dillon decided to temporarily delay giving the talk due to the human risks and the fact that the mitigation offered by Siemens did not work," Rick Moy, president and CEO of NSS Labs said.

"We are working collaboratively with ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) and the vendor and look forward to their response to the issues."

He said the researchers still plan to release their findings at a later date.

"Due to the serious physical, financial impact these issues could have on a worldwide basis, further details will be made available at the appropriate time," Moy said.

"NSS Labs is working with all parties to validate remediations for the issues."

Vulnerabilities that affected SCADA software and hardware products have been a research hotbed in recent years as these systems become interconnected with corporate data networks and the public internet, making them increasingly open to attack.

Products made by Siemens, a well-known SCADA manufacturer, were targeted by the vicious Stuxnet worm, considered the first malware written to specifically target industrial control systems.

Stuxnet exploits hit Iran's nuclear program, though no major damage occurred.

In March, an Italian researcher warned about 34 flaws in SCADA products that could allow people to monitor and control the various hardware sensors and mechanisms located in industrial environments, enabling attackers to remotely execute code via buffer and heap overflows.

A Siemens spokeswoman could not be immediately reached for comment yesterday.

Wrote Moy in a blog post: "Exploitation of vulnerabilities in systems can always have negative effects, such as loss of availability, productivity, data loss or compromise, and even result in identity theft and financial loss. However, unlike classic computer crime and exploitation, where data is remotely stolen or manipulated, attacks on industrial control systems can have devastating physical world implications such as loss of life and environmental impact."

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition
Tags:

Most Read Articles

You must be a registered member of iTnews to post a comment.
| Register

Poll

New Windows 10 users, are you upgrading from...
Windows 8
Windows 7
Windows XP
Another operating system
Windows Vista
How should the costs of Australia's piracy scheme be split?
Rights holders should foot the whole bill
50/50
ISPs should foot the whole bill
Government should chip in a bit
Other
View poll archive

Whitepapers from our sponsors

What will the stadium of the future look like?
What will the stadium of the future look like?
New technology adoption is pushing enterprise networks to breaking point
New technology adoption is pushing enterprise networks to breaking point
Gartner names IBM a 'Leader' for Disaster Recovery as a Service
Gartner names IBM a 'Leader' for Disaster Recovery as a Service
The next era of business continuity: Are you ready for an always-on world?
The next era of business continuity: Are you ready for an always-on world?

Log In

Username:
Password:
|  Forgot your password?