Siemens SCADA Hacking Talk Pulled From TakeDownCon

← Back to Stories (view on slashdot.org)

Siemens SCADA Hacking Talk Pulled From TakeDownCon

Posted by timothy on Thursday May 19, 2011 @07:59AM from the but-motel-6-keeps-the-lights-on dept.

alphadogg writes "A planned presentation on security vulnerabilities in Siemens industrial control systems was pulled Wednesday over worries that the information in the talk was too dangerous to be released. Independent security researcher Brian Meixell and Dillon Beresford, with NSS Labs, had been planning to talk Wednesday at a Dallas security conference about problems in Siemens PLC systems, the industrial computers widely used to open and shut valves on factory floors and power plants, control centrifuges, and even operate systems on warships. But the researchers decided to pull the talk at the last minute after Siemens and the US Department of Homeland Security pointed out the possible scope of the problem."

104 comments

Min score:

Reason:

Sort:

Security through obscurity by Anonymous Coward · 2011-05-19 08:00 · Score: 4, Insightful

Perfect example of security through obscurity. Yeah, everyday script kiddies won't be messing around in the systems, but those dedicated to do damage or spy have the time and means to get to know the systems. And it's even easier for them because the systems aren't properly secured.
1. Re:Security through obscurity by Anonymous Coward · 2011-05-19 08:09 · Score: 0
  
  What is truly mindblowing is the fact how US is going around yelling how vulnerable they are to such sabotage and how cyberwar is going on, and then they're themself caught sabotaging Iran power plants. Hypocrisy at its best.
2. Re:Security through obscurity by coolgeek · 2011-05-19 08:09 · Score: 1
  
  Perhaps the intent is insecurity through obscurity. Can't sabotage your enemy's systems if you tell them where all the holes are.
  
  --
  
  cat /dev/null >sig
3. Re:Security through obscurity by Sinthet · 2011-05-19 08:09 · Score: 1
  
  Which is exactly why I really hope these researchers will present their findings to Siemens engineers so that the problems can be patched, and then give a talk about it. The stakes are pretty high with these systems, so hopefully a real fix will augment security via obscurity in this case.
4. Re:Security through obscurity by Hatta · 2011-05-19 08:17 · Score: 2
  
  Why would Siemens bother fixing holes nobody knows about?
  
  --
  Give me Classic Slashdot or give me death!
5. Re:Security through obscurity by chemicaldave · 2011-05-19 08:19 · Score: 1
  
  If they don't, their competitors will.
6. Re:Security through obscurity by LunaticTippy · 2011-05-19 08:24 · Score: 3, Informative
  
  At my workplace, all our PLCs are on a process control network. It is isolated from the business network and internet completely. We assume that the PLCs are not secure and they are business critical. We can't take any chance a malware outbreak or hacker causes actual physical things to happen.
  
  It makes doing work more difficult, and there are still some attack vectors.
  
  --
  Man, you really need that seminar!
7. Re:Security through obscurity by ThunderBird89 · 2011-05-19 08:25 · Score: 2
  
  To the best of my knowledge, they never did prove that the US created Stuxnet. In fact, I've seen Israel blamed far more, based on vague references in the code.
  
  --
  Hyperbole: I use it liberally!
8. Re:Security through obscurity by chemicaldave · 2011-05-19 08:26 · Score: 5, Informative
  
  Did you RTFA? That's exactly why they decided not to give the talk, because Siemens hasn't fixed the problems. As NSS Ceo Rick Moy points out:
  
  "The vendor had proposed a fix that turned out not to work, and we felt it would be potentially very negative to the public if information was put out without mitigation being available." ... In the past, technology companies have threatened legal action against researchers, but Moy said that in this case the lawyers were not involved. "It's a temporary hold on the information; it's not that it's being buried," he said. "We just don't want to release it without mitigation being out there for the owners and operators of the SCADA equipment."
9. Re:Security through obscurity by whathappenedtomonday · 2011-05-19 08:29 · Score: 0
  
  Yes, we can always hope that flaws of critical systems will be treated responsibly. Kinda off topic, I know.
  
  --
  I hope I didn't brain my damage.
10. Re:Security through obscurity by Anonymous Coward · 2011-05-19 08:29 · Score: 1
  
  Fuck you.
  --skynet
11. Re:Security through obscurity by Anonymous Coward · 2011-05-19 08:32 · Score: 0
  
  Here's the thing though, _not_ providing this information to the public didn't _increase_ their adversaries. Had they given out the vulnerabilities to the public before a good fix had been issued, their number of adversaries would grow exponentially as they sit by and watch their worlds crumble without a fix in sight. Yes, security through obscurity is bad practice; however, giving out your weaknesses to every hacker on Earth when there isn't a fix available is suicide.
12. Re:Security through obscurity by gnick · 2011-05-19 08:33 · Score: 1
  
  Iran was just a test case so that we could demonstrate just how vulnerable these things are and secure proper funding to lock ours down.
  Security dude: "Some hostile country could sneak somebody in and sabotage our power plants with nothing more than malicious software!"
  Congress critter: "OK, I don't really get what you're saying, but let's assume that you're right in theory. We've never seen an attack like that any where in the world - Why worry? Besides I want to put in a giant duck pond and name it after myself - There isn't money for both."
  A couple of months later with Security dude working furiously...
  Security dude: "See what happened in Iran!?! It could happen here too! And if it does, the terrorists win!"
  Congress critter: "ZOMG! Then my duck pond wouldn't be lit! I'll sponsor a bill to fix this tomorrow!"
  
  --
  He's getting rather old, but he's a good mouse.
13. Re:Security through obscurity by poity · 2011-05-19 08:33 · Score: 1
  
  Now that people know the holes exist, the race is on. They can't afford not to.
  
  --
  your thin skin doesn't make me a troll
14. Re:Security through obscurity by jd · 2011-05-19 08:35 · Score: 1, Interesting
  
  That's not the bit that scares me the most. The bit that scares me the most is that anyone with an ounce of skill in reverse engineering can identify the security flaws used, and anyone with an ounce of skill in assembly can disassemble Stuxnet, alter what it targets, and launch the new variant.
  By banning the talk, the DHS is preventing US industries from protecting themselves against economic warfare. Plenty of nations (China and Russia especially) are investing in cyber-warfare. There's plenty of amateurs out there with axes (albeit often as delusionary as the DHS') to grind. It is simply not excusable for the US to be placed in this kind of danger.
  For what purpose? Siemans can't get a worse rep than to be accused of having worked with virus writers. The consumers can't exactly switch from SCADA to Infiniband or other rival networking technologies. The exploit is public knowledge.
  Who, then, is going to be protected?
  
  --
  It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
15. Re:Security through obscurity by SilentStaid · 2011-05-19 08:38 · Score: 1
  
  That's a surprisingly refreshing course of action isn't it? To me, that's how things should work. As long as Siemens follows through, and the talk is allowed to proceed I'd be happy.
16. Re:Security through obscurity by Anonymous Coward · 2011-05-19 08:40 · Score: 0
  
  It only takes on(c)e.
17. Re:Security through obscurity by MobileTatsu-NJG · 2011-05-19 08:48 · Score: 1
  
  Perfect example of security through obscurity. Yeah, everyday script kiddies won't be messing around in the systems, but those dedicated to do damage or spy have the time and means to get to know the systems. And it's even easier for them because the systems aren't properly secured.
  I'll be at work for a few more hours. In my living room at home there is a suitcase with a lot of cash in it. I didn't lock my front door, I didn't even close it. I won't tell you where I live. Security through obscurity.
  
  --
  
  "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
18. Re:Security through obscurity by Hatta · 2011-05-19 08:52 · Score: 1
  
  Everyone knows holes exist. Every non-trivial piece of software has holes in it.
  
  --
  Give me Classic Slashdot or give me death!
19. Re:Security through obscurity by Anonymous Coward · 2011-05-19 09:06 · Score: 0
  
  The Iranian controllers were also isolated from the outside networks. It just made the intrusion a little slower.
20. Re:Security through obscurity by Sulphur · 2011-05-19 09:19 · Score: 1
  
  That's not the bit that scares me the most. The bit that scares me the most is that anyone with an ounce of skill in reverse engineering can identify the security flaws used, and anyone with an ounce of skill in assembly can disassemble Stuxnet, alter what it targets, and launch the new variant.
  By banning the talk, the DHS is preventing US industries from protecting themselves against economic warfare. Plenty of nations (China and Russia especially) are investing in cyber-warfare. There's plenty of amateurs out there with axes (albeit often as delusionary as the DHS') to grind. It is simply not excusable for the US to be placed in this kind of danger.
  That is why Stuxnet needs to be classified.
21. Re:Security through obscurity by Manfred+Maccx · 2011-05-19 09:27 · Score: 1
  
  This was perfectly viable 10-15 years ago. Nowaday, the requirement for data archiving, process data historian, plant floor management, etc... make it almost impossible to have a true, complete isolated process network. You always end up having a dual-homing computer or firewall somewhere on that network. Therefore, a potential hole.
22. Re:Security through obscurity by glenn.ramsey · 2011-05-19 09:28 · Score: 0
  
  You live in LA. Took me all of five minutes to figure that out. As soon as hackers know there's an attack vector and there's something worthwhile to obtain, you can be sure they'll figure it out pretty quickly.
23. Re:Security through obscurity by MobileTatsu-NJG · 2011-05-19 09:36 · Score: 1
  
  You live in LA. Took me all of five minutes to figure that out.
  As soon as hackers know there's an attack vector and there's something worthwhile to obtain, you can be sure they'll figure it out pretty quickly.
  You're looking in a ginormously huge, and wrong, city.
  
  --
  
  "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
24. Re:Security through obscurity by Svartalf · 2011-05-19 09:42 · Score: 2
  
  Heh... If they think that those patches will get deployed in a timeframe measured in anything other than months or years, they're kidding themselves...
  SCADA systems typically don't get patched- and when they do or get upgraded, it's a "big thing".
  
  --
  I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
25. Re:Security through obscurity by Svartalf · 2011-05-19 09:44 · Score: 1
  
  Do you audit it often to make sure it's still air-gapped like you think it is? Many of the audits at power utilities where they had the same thinking had pro-sumer routers or switches tying the networks together that were done in a pinch for some ease of deployment thing or ease of use thing and then got forgotten.
  
  --
  I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
26. Re:Security through obscurity by Anonymous Coward · 2011-05-19 09:46 · Score: 0
  
  VRFs with IPSEC, 802.1x and all ports in shutdown until new addition comes online.
  You look at the potential damage, and if it's great enough you can justify the cost and PITA factor...
  just my .02
27. Re:Security through obscurity by Svartalf · 2011-05-19 09:46 · Score: 1
  
  Depends on the design. Properly designed setups will have an air-gap and only data transfer via sneakernet in the form of a hard-disk or similar coming from the SCADA to the corporate systems. Real-time's desirable- but for some networks, having the hole's too much of a risk- especially if you've got a Windows based HMI system or similar in the mix. Seriously.
  
  --
  I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
28. Re:Security through obscurity by Sinthet · 2011-05-19 09:49 · Score: 1
  
  Because if these researchers acting in a more or less intellectual manner found them, it is safe to assume that individuals without such a noble goal in mind will find and possibly exploit them. Releasing the information to Siemens first would hopefully prolong the search for the "bad guys", by getting rid of some potential vulnerabilities.
29. Re:Security through obscurity by Anonymous Coward · 2011-05-19 10:27 · Score: 0
  
  Perfect example of security through obscurity. Yeah, everyday script kiddies won't be messing around in the systems, but those dedicated to do damage or spy have the time and means to get to know the systems. And it's even easier for them because the systems aren't properly secured.
  I'll be at work for a few more hours. In my living room at home there is a suitcase with a lot of cash in it. I didn't lock my front door, I didn't even close it. I won't tell you where I live. Security through obscurity.
  Admins at /. have your IP address, they may try to bribe the admins at your ISP to get your street address. How much cash is in the suitcase?
30. Re:Security through obscurity by MobileTatsu-NJG · 2011-05-19 10:36 · Score: 1
  
  Admins at /. have your IP address, they may try to bribe the admins at your ISP to get your street address. How much cash is in the suitcase?
  I said I'm at work. I also said you only have hours to get it. What you don't know is still preventing you from getting the cash.
  
  --
  
  "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
31. Re:Security through obscurity by imsabbel · 2011-05-19 10:39 · Score: 3, Informative
  
  And stuxnet was transmitted via USB sticks doing the sneakernet stuff...
  
  --
  HI O WISE PRINCE. WHT TOOK U SO DAM LONG?
32. Re:Security through obscurity by martin-boundary · 2011-05-19 10:58 · Score: 1
  
  That's still a bad analogy.
  1) it doesn't matter what secret *I* don't know about the location of the suitcase, what matters is whether *you've* been under surveillance for the last couple of weeks. If so, your suitcase is already gone by the time you go back home.
  Not everybody gets hacked, but if it's a juicy target the attack is going to be properly organized and when a vulnerability window appears for a few hours, it will get used.
  2) even if I don't know the location of your suitcase full of money, I can break into all my neighbours' places and steal their suitcases full of money.
  If a vulnerability exists on one person's computer, then that vulnerability exists on all the computers throughout the world which use the same OS and relevant settings. The bad guys don't need to hack *your* computer, they only need to hack *some* computer.
  In the real world, security through obscurity is no security.
33. Re:Security through obscurity by thegarbz · 2011-05-19 11:08 · Score: 1
  
  As it should be. But isolation does not require a complete elimination of remote monitoring. Our Process Control Network has a Server on it, which via a hardware firewall pumps data one way to another machine outside which emulates the view of the process network. This basically gives us complete remote monitoring without the ability to send data back to the network.
  It makes it easy and there are few if any attack vectors, and when malware spreads around the business network (frequent) it so far has never managed to breach to the PCN. Mind you a few good physical practices such as no USB sticks and more importantly no USB ports help too, but a oneway network design is a great start.
  Unfortunately this is expensive.
34. Re:Security through obscurity by MobileTatsu-NJG · 2011-05-19 11:20 · Score: 1
  
  1) it doesn't matter what secret *I* don't know about the location of the suitcase...
  Yes it does. You need information in order to actually pull it off.
  
  Not everybody gets hacked, but if it's a juicy target the attack is going to be properly organized and when a vulnerability window appears for a few hours, it will get used.
  All you are really saying here is that there is no such thing as security because nothing can be protected against an attack by an entity with infinite energy and resources.
  
  2) even if I don't know the location of your suitcase full of money, I can break into all my neighbours' places and steal their suitcases full of money
  Right, my obscured info is protecting me.
  
  If a vulnerability exists on one person's computer, then that vulnerability exists on all the computers throughout the world which use the same OS and relevant settings. The bad guys don't need to hack *your* computer, they only need to hack *some* computer.
  Sure. However, here's another way of saying it: If they know you have a vulnerability, they can get in. You are right, though, in that they are saved the trip over there to find out about it.
  
  In the real world, security through obscurity is no security.
  No, it's a Slashdot meme that puts the word "Insightful" next to people's posts. In the examples you just gave, it's actually helping out nicely. Here's something you should consider: Every day new vulnerabilities are found in virtually any browser or OS or whatever we use on a daily basis. The thing is, that vulnerability didn't just appear, it was there the whole time. The only reason it hasn't been exploited is that it hasn't been discovered.
  Security through obscurity is still security. What you really mean to say is: "Once they overcome an obstacle, you have nothing left to protect you." And you know what? That's a perfectly reasonable thing to say. It's weaker than say putting it in a bank vault. But right now what you're saying is: "Your money is already gone."
  The phrase 'security through obscurity' has been parroted so many times here that the meaning has been skewed.
  
  --
  
  "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
35. Re:Security through obscurity by Anonymous Coward · 2011-05-19 12:56 · Score: 0
  
  In that case the attack vector is the Windows PC running the SCADA system. That would most likely be Wonderwear.
  If you run standard ordinary intrusion testing tools on a Wonderwear PC I won't be responsible for your coronary.
36. Re:Security through obscurity by martin-boundary · 2011-05-19 15:09 · Score: 1
  
  All you are really saying here is that there is no such thing as security because nothing can be protected against an attack by an entity with infinite energy and resources.
  
  Correct in a sense. The analogy I'd use is the lottery: Pick any one person you like, and their chance of winning is zero. But the chance that someone will win is close to 1. It's correct for a single person to assume they will not win, but it's incorrect for the lottery organisers to assume that they will not have to pay out the jackpot.
  When we're arguing about vulnerabilities in code, we're in the position of the lottery organisers. You're arguing from the position of one lottery player.
  
  Security through obscurity is still security. What you really mean to say is: "Once they overcome an obstacle, you have nothing left to protect you." And you know what? That's a perfectly reasonable thing to say. It's weaker than say putting it in a bank vault. But right now what you're saying is: "Your money is already gone."
  
  Right now what I'm saying is "somebody's money is already gone", but what I'm arguing is that your (particular) security isn't due primarily to the difficulty of exploiting a flaw, it's due to the statistical likelihood that you (in particular) aren't targeted.
  You're safe because you're obscure: not clearly seen or easily distinguished for attack. That's what security through obscurity implies. But in the typical slashdot discussion of software houses and their responsibility to the users, it's the wrong thing to focus on, because someone still gets hacked. That's the meaning of the phrase security through obscurity is no security (ie for the population as a whole).
37. Re:Security through obscurity by Puff_Of_Hot_Air · 2011-05-19 15:10 · Score: 1
  
  ...Properly designed setups will have an air-gap...
  Very very few industrial site have the "air-gap" any more. I suppose all the rest are improperly designed?
  
  Real-time's desirable- but for some networks, having the hole's too much of a risk- .
  For whom is it too much of a risk? Power stations? Mines? Water Treatment? None of the sites I work with have an air-gap any more.
  
  especially if you've got a Windows based HMI system or similar in the mix. Seriously.
  I'd say that the vast majority of SCADA/HMI systems run on Windows. In critical infrastructure. Without an air gap.
  I sure as hell hope there are other ways of securing a network
38. Re:Security through obscurity by inasity_rules · 2011-05-19 19:41 · Score: 1
  
  The whole industry is riddled with massive holes because we're all tied to legacy OPC which relies on that massive dogs breakfast called DCOM. The slow adoption of OPC UA and even OPC WCF keeps the whole industry in a situation where it is easier to disable all security than deal with DCOM. Which makes the siemens issue too easy to exploit. Every single bloody version of windows has a different way of being configured, so no one bothers to do it right...
  Siemens needs to fix their issues. So does everyone else. The siemens issues are however bigger than most. This is not one obscure little hole, this is a bloody great big massive one with more huge holes next to it that anybody who has worked 5 minutes in the industrial automation industry is constantly and painfully aware of.
  
  --
  I have determined that my sig is indeterminate.
39. Re:Security through obscurity by inasity_rules · 2011-05-19 19:45 · Score: 1
  
  Mod parent up. Mostly when you patch or upgrade your scada everything breaks causing a massive headache. So most people would really rather not.
  
  --
  I have determined that my sig is indeterminate.
40. Re:Security through obscurity by Anonymous Coward · 2011-05-19 23:44 · Score: 0
  
  In my work I provide the higher level control systems that communicate with and control the PLCs. On almost all systems, the PLCs control conveyors and cranes etc. on a dedicated network for performance reasons - but the network is not really isolated. Our system tells the PLCs where to send stuff, and has to report back inventory levels etc. and receive orders from even higher level systems. And for us to sort out issues remotely, we have VPN access over the internet to our system.
  So the PLCs are accessible over the internet to at least a limited degree. And I don't think we're an unusual case.
41. Re:Security through obscurity by ColaMan · 2011-05-20 00:17 · Score: 1
  
  I work on a PLC system that has a single ethernet TX pair to the rest of our network. It transmits stats blindly (with the help of a static entry in its ARP table) to a PC on the outside where a small program listens and collates data. I've heard of similar things with serial, fiber and radio modems,etc.
  
  --
  
  You are in a twisty maze of processor lines, all alike.
  There is a lot of hype here.
42. Re:Security through obscurity by Anonymous Coward · 2011-05-20 01:51 · Score: 0
  
  Perfect example of security through obscurity. Yeah, everyday script kiddies won't be messing around in the systems, but those dedicated to do damage or spy have the time and means to get to know the systems. And it's even easier for them because the systems aren't properly secured.
  I'll be at work for a few more hours. In my living room at home there is a suitcase with a lot of cash in it. I didn't lock my front door, I didn't even close it. I won't tell you where I live. Security through obscurity.
  Exactly the Mantra of "don't rely on security through obscurity" is a mis-conception. The proper phrase is do not rely only on obscurity. The danger is that someone who does manage to stumble upon it can wreak havoc. But in many common situations obscurity is a very beneficial layer to a security model.
43. Re:Security through obscurity by 0xG · 2011-05-20 03:19 · Score: 1
  
  At my workplace, all our PLCs are on a process control network. It is isolated from the business network and internet completely.
  You are utterly kidding yourself if you think that your PLC network is "isolated". Does anyone ever request data from it? How do you transfer the data...with a USB key maybe? How are the controllers programmed? With a workstation that is plugged into which network...and never the internet? I would strongly suggest that you read up a bit on stuxnet. The details may blow your mind...
  
  --
  A pox on web designers who feel that window.innerWidth == screen.availWidth
44. Re:Security through obscurity by LunaticTippy · 2011-05-20 03:36 · Score: 1
  
  That is a good idea. I don't see why it has to be expensive, though.
  
  --
  Man, you really need that seminar!
45. Re:Security through obscurity by camperslo · 2011-05-20 05:50 · Score: 1
  
  Certainly audits are a good thing, but we mustn't forget that we're talking about something that gets in and hides itself well, even deleting itself from some hardware along the way. An audit of hardware still only gives a snapshot in time. That laptop that was briefly plugged in, or machine that briefly had a USB key plugged in, may be long gone. Intrusion detection can help, but with things like traffic to a PLC using the normal ports, it may take deep inspection of every packet to see what's going on, and by the time something is seen, you've already been hit.
  Mitigating this is tough. Corporate types are so easily led to believe that their firewalls, VPNs, anti-virus packages, intrusion detection.... will keep them secure. But if human or entity lives depend on security, for it is a fallacy to expect to achieve zero vulnerability networks. Telling upper managers that their only access will be through video cameras pointed at displays, and fax machines, won't go over well. But if it keeps something from going boom, can anything else be trusted? And what of systems that don't really have a full "off" state. Even when not fully functioning, there may be considerable complexity and some danger in pulling the plug on all vulnerable technology at once (pieces may talk to each other).
  There are some huge hardware issues that are routinely ignored in not only PLCs, but in nearly every system we use. It's not just insane that a PLC make lack a physical hardware write-disable switch to prevent rogue code from being loaded, but what about all of our PCs? Is there anyone here that has an installation with no writable BIOS/EFI on motherboards, no flash upgradable optical or hard drives? Every damn thing like that should have a physical write-disable switch that is normally off. If we haven't even dealt with those things we're not even trying.
  And what of the behavior of governments? Like some insane variation of the arms races, we can bet that every one of them has stockpiled collections of vulnerabilities and tools to exploit them, so they can DEFEAT security. From the massive unsolved problems that consumers, businesses, and institutions/infrastructure are facing, it would appear as if some those responsible for our security have actually put more resources into defeating it. I mean... how far have we really gotten? How many businesses and consumers are actually secure? The answer shows the massive fail.
  I believe that all of the governments and larger entities that we have reason to fear already know enough to be a threat. Less information would likely slow some down, but I think that even for this, there are different classes of potential attackers. Let's pray that whatever it takes to secure things that go boom has been done. Restricting information at this point probably does more to sidestep the same segment of people that would extort money from banks.
  Looking at a NTSB copy of control operator transcripts at one utility company and seeing talk of a bonkers PLC, every valve wide open, SCADA displays that didn't match what was going on, and people saying "we're screwed, we're screwed" in the hour before a pipeline blew doesn't instill much confidence in the utility's ability to manage their other much bigger impact operation. In the region of potential impact, where the power plant repeatedly has hired reporters from the only full power tv station as spokespeople, those hearings got a 20 second mention while Charlie Sheen got 3 minutes. I haven't been aware of any media that paid attention and saw there was much more to the pipeline story than crappy welds. Although not reported along with a governors latest mistress, it doesn't take that much observation and digging for those here to realize the impact of the control system threat has been more than a theoretical one for several years.
46. Re:Security through obscurity by camperslo · 2011-05-20 06:54 · Score: 1
  
  At this point it doesn't really matter so much who developed it. Regardless, we're still potentially collateral damage or potential targets of a fully disassembled/reverse-engineered/built-fresh-with-a new-twist version as well as whatever the original authors might unleash. Whoever made it was shortsighted if they felt that even versions attempting to be very specific wouldn't be analyzed and modified or cause some collateral damage as-is. Pruning target-filtering code seems it would be a relatively trivial task.
  Some say Israel had people bragging about it.
  http://www.net-security.org/secworld.php?id=10596
  Collateral damage adding to some other bad event? You decide.
  I don't think the victims had a clue.
  http://www.publicradio.org/columns/kpcc/kpccnewsinbrief/2008/11/officials-unveil-why-yorba-lin.html
  http://articles.latimes.com/keyword/yorba-linda-ca
  http://www.ylwd.com/fireupdate/pdf/Freeway%20Complex%20Fire%20Report.pdf
47. Re:Security through obscurity by thegarbz · 2011-05-20 12:30 · Score: 1
  
  Ture, not necessarily expensive in absolutes. Just more expensive than the alternative. You'd be amazed at what some people come up with when "value engineering".
48. Re:Security through obscurity by RockDoctor · 2011-05-20 13:24 · Score: 1
  
  At my workplace, all our PLCs are on a process control network. It is isolated from the business network and internet completely.
  You are utterly kidding yourself if you think that your PLC network is "isolated".
  
  It's not difficult.
  1. decide what parameters are going to be reported from the secure system to the outside world and how frequently. Say "widget-count" and "sprocket-temperature", three sprocket temperatures per widget count.
  2. code your PLC network to count widgets, measure sprocket temperatures, and transmit into a serial port "widget-count, sprocket-temperature, sprocket-temperature, sprocket-temperature [newline]". Burn it onto a ROM, and put through your QA/QC process.
  3. connect the serial port of your PLC to the serial line out to the rest of the system after cutting the pin off the RX line of the connector (or cut 6m out of the cable ; whatever) ; plug in your ROM ; weld the cabinet shut.
  And when someone comes back and tells you that the plan is now to have alternating temperatures and counts ... go to stage 1.
  It's perfectly possible to render a system invulnerable to malicious inputs - by disconnecting the inputs. Usability may be affected, but that can be designed around. (Notice - at no point do I imply that such design is easy.)
  
  --
  Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
49. Re:Security through obscurity by Anonymous Coward · 2011-05-20 22:03 · Score: 0
  
  If your remote monitoring server is also connected to the internet then you fail. Not to mention that anyone from any location can put in an admin password for the monitoring server, change things remotely, and access your process server.
  Look it's fucking simple. Any computer that isn't connected to the internet can only be messed with by physically typing at the computer. Any computer that's connected to the internet WILL BE vulnerable, it's the nature of the beast.
  You can't remove an airgap and claim that adding a few extra steps for an intrepid hacker to go through is actual security.
Secrecy by grcumb · 2011-05-19 08:07 · Score: 1, Insightful

The argument that some knowledge is too dangerous to know is specious and flawed. But I can't tell you how or why for fear of undermining our existing regime of ignorance and ineptitude.

--
Crumb's Corollary: Never bring a knife to a bun fight.
1. Re:Secrecy by chemicaldave · 2011-05-19 08:28 · Score: 5, Insightful
  
  Did you RTFA? They're waiting for Siemens to fix the issues first, a common practice in security research. Siemens and DHS didn't force them to pull the talk and didn't even get lawyers involved. So please stop with your accusations. You clearly lack an understanding of the situation at hand.
2. Re:Secrecy by Anonymous Coward · 2011-05-19 08:38 · Score: 1
  
  How many times in this topic are you going to ask people if they RTFA?
  This is /., we already know they didn't.
3. Re:Secrecy by Jack9 · 2011-05-19 12:25 · Score: 1
  
  > The argument that some knowledge is too dangerous to know is specious and flawed.
  That's not the reasoning given. The knowledge IS known. Some knowledge is dangerous to disseminate. This is a sad fact of humanity, but a fact. Given opportunity and knowledge of vulnerability, you will get attempts to use and abuse knowledge with similar results. People are eager to exercise their imagination and reluctant to exercise restraint or critical thought. I can understand their position.
  
  --
  
  Often wrong but never in doubt.
  I am Jack9.
  Everyone knows me.
4. Re:Secrecy by grcumb · 2011-05-19 15:49 · Score: 1
  
  > The argument that some knowledge is too dangerous to know is specious and flawed.
  That's not the reasoning given. The knowledge IS known. Some knowledge is dangerous to disseminate. This is a sad fact of humanity, but a fact. Given opportunity and knowledge of vulnerability, you will get attempts to use and abuse knowledge with similar results. People are eager to exercise their imagination and reluctant to exercise restraint or critical thought. I can understand their position.
  Thank you for replying instead of simply down-modding an argument you don't agree with. Others seem to prefer retaliation to debate.
  Let's look at this from another perspective. Everyone knows there are problems with Siemens' PLCs. That's been known since Stuxnet got reverse engineered. While there's no problem whatsoever with sharing the information about specific vulnerabilities with Siemens - indeed, making sure they're the among the first to know - what additional danger would be presented by sharing that knowledge with the people tasked with protecting entire systems of which Siemens PLCs are a small but crucial part? (Bear in mind, this isn't in the scope of script kiddy/phishing activity. In other words, we're not talking about a generalised threat.)
  This sort of openness doesn't do Siemens any favours; I'll grant you that. (Unless you count the added pressure to fix their equipment as being cruel to be kind.) But it does render a service to the community, who can now refactor their overall systems to compensate for the weakness of this component. I mean seriously, Even if it's just putting a guard at the door to the controller room for the time being, there are measures that site security staff could be taking if they were properly informed of the scope and nature of the threat.
  Conversely, if people are not made aware of the nature of the threat, how can they know whether their short-term mitigation strategies are correct and sufficient?
  So my point stands: The system is flawed (i.e. based on fundamentally invalid premises) if we're not considering what's best for the overall system. Rather than focusing on limiting the liability of a single actor, we should in this case be willing to accept that sharing the details will help the community of affected organisations protect itself better.
  
  --
  Crumb's Corollary: Never bring a knife to a bun fight.
As the Iranians found out the hard way... by Lead+Butthead · 2011-05-19 08:07 · Score: 1

As the Iranians found out the hard way, it's difficult to keep an intruder out despite the obscure nature of PLC (most people probably don't even know what that is.)

--
ELOI, ELOI, LAMA SABACHTHANI!?
1. Re:As the Iranians found out the hard way... by gellenburg · 2011-05-19 08:26 · Score: 2
  
  As the Iranians found out the hard way, it's difficult to keep an intruder out despite the obscure nature of PLC (most people probably don't even know what that is.)
  Programmable Logic Controllers.
  I prefer Allen-Bradley PLCs myself.
2. Re:As the Iranians found out the hard way... by ilikejam · 2011-05-19 09:39 · Score: 1
  
  They still making PCLs? I thought they ran out of prefamulated amulite years ago.
  
  --
  C-x C-s C-x k
3. Re:As the Iranians found out the hard way... by Svartalf · 2011-05-19 09:41 · Score: 2
  
  Yeah, they're a bit cleaner. The big problem is that it's not just a Siemens problem. It's endemic throughout the industry in varying ways.
  Networks that're claimed to be air-gapped- but aren't because of "ease of use" concerns.
  Networks that shouldn't have a single Windows box because of that risk that do.
  And, so on and so forth.
  
  --
  I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
4. Re:As the Iranians found out the hard way... by datapharmer · 2011-05-19 10:03 · Score: 2
  
  The Iranians didn't find out about the obscure nature of PLC, they found out it isn't a good idea to buy your infrastructure from foreign countries... See in the U.S. we are careful to only use... oh nevermind.
  
  --
  Get a web developer
5. Re:As the Iranians found out the hard way... by inasity_rules · 2011-05-19 19:34 · Score: 1
  
  For those who missed this one, look up the Turbo Encabulator on youtube. Too many to link to any specific one. A very long running and hilarious joke..
  
  --
  I have determined that my sig is indeterminate.
6. Re:As the Iranians found out the hard way... by camperslo · 2011-05-20 06:27 · Score: 1
  
  The high ticket projects all attract multinational corporations. Those corporations aren't shy about buying smaller-scale operations with technology they want. Even if you do use technology developed only in your own country, it is not sold elsewhere? Are there vulnerable systems anywhere within the local technology entity? Even if they've got 10 vulnerabilities instead of 100,000+ they're still vulnerable.
  I've seen one region that didn't have any kind of electronic or software vulnerability whatsoever. Unfortunately the island people there will be driven off by rising oceans.
7. Re:As the Iranians found out the hard way... by sjames · 2011-05-20 19:47 · Score: 1
  
  Part of the problem is that they're not actually THAT obscure. The documentation exists and can be had if you're a paying customer.
Ostriches by deweyhewson · 2011-05-19 08:08 · Score: 0

And then they all stuck their heads back safely in the sand and slept soundly that night.
In other words by Attila+Dimedici · 2011-05-19 08:08 · Score: 2

In other words, if your systems rely on PLC systems from Siemens, you had better hope that no attacker can get through your firewall.

--
The truth is that all men having power ought to be mistrusted. James Madison
1. Re:In other words by Charliemopps · 2011-05-19 08:36 · Score: 4, Interesting
  
  I used to work in provisioning in a telco and it entirely depends on who's managing the plant. We'd install circuits in some power plants that were so strict that they insisted on fiber use only. We'd run copper to an access point outside their security perimeter then have a mux convert it to fiber to run across the perimeter into the facility where it would terminate in an outer building. Their security plan did not allow ANY outside network connections to the plant itself. They had networked equipment but it was all housed in an outer building with no connection to the main plant or control systems. They refused to allow copper on the premises because it's relatively easy to splice into and carry elsewhere. Fiber would be much more difficult to splice and bring in.
  
  Other facilities were less secure. I remember getting a panicked call from someone shouting "The Damns gonna bust!!!" They had a single "Circuit" they paid about $20 a month for that was nothing more that a single copper that ran from some building to the local damn. They'd apply +5 volts to the line to open the damn, and -5volts and it would close. They'd reacted too slowly to rising waters and it had flooded the copper pair they used to control the damn. They wanted us to send a phone tech into their overflowing damn to repair the circuit so they could open it from the safety of their administrative building. They had a hard time understanding my near hysterical laughter.
2. Re:In other words by Anonymous Coward · 2011-05-19 08:41 · Score: 0
  
  I remember getting a panicked call from someone shouting "The Damns gonna bust!!!" They had a single "Circuit" they paid about $20 a month for that was nothing more that a single copper that ran from some building to the local damn. They'd apply +5 volts to the line to open the damn, and -5volts and it would close. They'd reacted too slowly to rising waters and it had flooded the copper pair they used to control the damn. They wanted us to send a phone tech into their overflowing damn to repair the circuit so they could open it from the safety of their administrative building. They had a hard time understanding my near hysterical laughter.
  Well... I'll be damn'd :)
3. Re:In other words by Anonymous Coward · 2011-05-19 08:45 · Score: 1
  
  It's not fair to pick on Siemens, there isn't a secure PLC out there.
4. Re:In other words by alittle158 · 2011-05-19 08:54 · Score: 1
  
  It's not fair to pick on Siemens, there isn't a secure PLC out there.
  That's correct. PLCs do exactly what they're told...no matter who is telling them
  
  --
  If it's not on fire, it's a software problem
5. Re:In other words by demonbug · 2011-05-19 08:58 · Score: 1
  
  We usually use dams to hold back water, not damns. Sure, sometimes the damn dam breaks, but that's no reason to damn it from the beginning.
6. Re:In other words by Svartalf · 2011-05-19 09:50 · Score: 1
  
  Fiber would be much more difficult to splice and bring in.
  Heh... All it takes is a bit more effort- but it'd be a bit more obvious to pop a passive tap in a fiber run since they're not small. Sadly, it's not sound thinking all the same. The attackers are as likely to attack the end-nodes of the system where the security is much, much weaker and there's copper to be compromised before it gets to the fiber loops. You can do as much or more damage by dinking with a substation's setup as with the generation plants themselves. :-D
  
  --
  I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
7. Re:In other words by Anonymous Coward · 2011-05-19 10:45 · Score: 0
  
  Who is to say that the substations don't have the same level of security? Also, I highly doubt that a plant so concerned with security that they mandate fiber over copper would neglect all security as soon as the signal leaves the premises. I find it likely that any important data being sent over the line would be encrypted.
  Also, when a copper line leaves a building it's either 20 feet in the air or 6 feet underground. That's a lot harder to splice into without being noticed than it is inside a building where the line is run through various closets and open conduits within easy reach.
8. Re:In other words by thegarbz · 2011-05-19 11:11 · Score: 1
  
  No in other words you better hope you have good network design.
  At our workplace an attacker would need to get through a firewall, ... another firewall, ... and another firewall as they work their way through the business network, the information network, down to the process control network. That last firewall is a doozy too, one way communication between 2 computers only.
9. Re:In other words by Charliemopps · 2011-05-19 16:38 · Score: 1
  
  You guys are way over thinking this. There is no connection to the outside world by the control equipment. The fiber that came in terminated in buildings outside what would be considered the power plant. I'm not sure what they used it for... likely they could measure data there or something. What the fiber was supposed to prevent was local staff getting bored and running their own bootleg connection into the building so they could watch porn on their critical workstations inside. Anyone on slashdot could pick up a pool of wire at the hardware store and drag that connection anywhere we wanted inside the facility with nothing more than a pocketknife. Fiber on the other hand, would take a whole new level of sophistication. Just getting the cable would require a specialty dealer, and the equipment used to splice it is prohibitively expensive.
So human... by Anonymous Coward · 2011-05-19 08:14 · Score: 0

And then they all stuck their heads back safely in the sand and slept soundly that night.
Actually, they stuck their heads back up their asses. Only Ostriches stuck their head in the sand.
"pointed out the possible scope of the problem" by crow_t_robot · 2011-05-19 08:20 · Score: 0

But the researchers decided to pull the talk at the last minute after Siemens and the US Department of Homeland Security pointed out the possible scope of the problem."
Don't you mean the DHS told them not to do it or they would get a thorough anal probing in the airport security check on their way out of town. I'm pretty sure they understood the "scope of the problem" before they started doing the research (which was also probably the motivation for the research).
1. Re:"pointed out the possible scope of the problem" by ArcCoyote · 2011-05-19 08:54 · Score: 2, Informative
  
  Idiot.
  First of all, don't you realize every time you make a joke about "anal probes" at the airport, you're being not-so-subtly homophobic? Same thing with prison-rape jokes. I'm about as much a fan of those jokes as I am of the acts.
  Didn't you read the part where the DHS CERT (a part of US-CERT, which falls under DHS but has nothing to do with the TSA...) told NSS something like, "Um, guys, the patch Siemens released doesn't work, and there are thousands of these devices deployed all over the place, including the power plants in this here city.."
  NSS decided to play it safe, they weren't forced to do anything. It's called responsible disclosure, and when Siemens gets their products fixed, it will be released.
  But I know your type. You, my familial-basement-dwelling troll, assume coercion and conspiracy is how everything gets done by three-letter agencies. Ironic, considering you love to rant about how those same agencies assume everyone brown is a terrorist.
  Bar none, the libertarian, open-source evangelizing, Apple/Microsoft bashing, EFF supporting types are some of the most bigoted, narrow-minded, reactionary, paranoid individuals I've ever met.
2. Re:"pointed out the possible scope of the problem" by Anonymous Coward · 2011-05-19 09:37 · Score: 0
  
  Idiot.
  I'm about as much a fan of those jokes as I am of the acts.
  Which is to say, he LOVES the jokes.
3. Re:"pointed out the possible scope of the problem" by Anonymous Coward · 2011-05-19 11:49 · Score: 0
  
  Im sorry sir, you appear to be hypersensitive, unfortunately I will need to give you an anal probe to find out the extent of your condition.
4. Re:"pointed out the possible scope of the problem" by russotto · 2011-05-19 12:05 · Score: 2
  
  First of all, don't you realize every time you make a joke about "anal probes" at the airport, you're being not-so-subtly homophobic?
  Nonsense; it's a reference to bodily violation which works no matter what your gender and orientation. Just because a man is gay doesn't mean he wants the TSA up his ass.
  
  NSS decided to play it safe, they weren't forced to do anything. It's called responsible disclosure, and when Siemens gets their products fixed, it will be released.
  Disclosure delayed is disclosure which doesn't happen.
  
  You, my familial-basement-dwelling troll, assume coercion and conspiracy is how everything gets done by three-letter agencies.
  When you have the kind of power they have, coercion IS how everything gets done. When they "ask", refusal always has serious negative consequences whether express or implied.
5. Re:"pointed out the possible scope of the problem" by Anonymous Coward · 2011-05-20 00:23 · Score: 0
  Do you use a scoring system, or is your list an all-or-none prospect? I just ask because I'm:
  
  not libertarian
  
  an open-source geek
  
  like Apple, dislike Microsoft
  
  a huge fan of EFF
  
  agree that GP's post had homophobic tones.
  
  am posting anonymously... how trollish is *THAT*?!
  
  For QA, I:
  
  am bigoted (against dumbasses, conspiracy theorists and the religious right)
  
  am generally not narrow-minded
  
  am definitely not a reactionary
  
  am only posting anonymously because slashcode, passpack and Firefox NoScript seem to have conspired to ignore a perfectly-good UID/PWD (and a few once-allowed HTML formatting tags) despite about 20 'preview' attempts,
  
  and don't live too paranoidly because I've seen corporate and governmental bureaucracy at their best.
  
  I've decided that if THEY ever come to get me, it'll be because of some Python-esque screwup, not Kafka-esque cruelty. Assange needs to worry. But me? Evil just can't find sufficient competent henchmen to bother with li'l ol' me, or these SCADA researchers and my war-protesting friends and that black-helicopter dude that writes in to my newspaper, too.
6. Re:"pointed out the possible scope of the problem" by crow_t_robot · 2011-05-20 00:35 · Score: 1
  
  You, my familial-basement-dwelling troll, assume coercion and conspiracy is how everything gets done by three-letter agencies.
  I didn't assume it. I learned it by reading the memos from the U.S. government that were leaked.
  
  First of all, don't you realize every time you make a joke about "anal probes" at the airport, you're being not-so-subtly homophobic?
  Why do you assume that every gay likes a government agent to stick his gloved hand up his ass? Way to stereotype......
Ummmm.... by jd · 2011-05-19 08:23 · Score: 1, Insightful

...doesn't the existance of a virus that can attack such devices make this a zero-day flaw? The hack is public, since anyone can disassemble the virus that's in the wild and see how it works.
And, frankly, I don't see it being awfully difficult for any Black Hat with a mind to to rip out the prior payload and install one that can attack a wider range of devices. Surely it is in the interests of security for corporations to understand what they can do to mitigate the risk of this.
The DHS, IMHO, is acting in a manner that directly threatens US interests and US corporations by preventing those at risk from knowing as much as those who pose a risk. This argument has been had out before, with regards to CERT and when it should post alerts. It was accepted that there would be a reasonable pause to allow a fix. The virus was first discovered in July 15 2010. So the vulnerabilities have been zero-day for 10 months now.

--
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Ok, bad guys... by Kamiza+Ikioi · 2011-05-19 08:23 · Score: 1

... stick your fingers in your ears and repeat after me, "La-la-la-la-la-la-la..."
Asking people not to listen (such as the US government telling college students, of all people, not to read ANYTHING about Wikileaks) makes as much sense as telling the speakers not to speak.

--
I8-D
Reponsible Disclosure by betterunixthanunix · 2011-05-19 08:29 · Score: 4, Insightful

There is a notion in security engineering of responsible disclosure, which is letting a company know about a vulnerability long enough before you present it so as to allow the company to fix it and deploy the fix. I believe that what happened here was that the company complained that they did not have enough time to fix the problem and deploy the fix, and that DHS and the researcher agreed with that conclusion. I do not think this is terribly far fetched, and I doubt that there is a conspiracy to leave vulnerabilities in industrial equipment used here in America, not when the Iranians want to get back at the US and Israel for Stuxnet.

--
Palm trees and 8
1. Re:Reponsible Disclosure by Anonymous Coward · 2011-05-19 15:52 · Score: 0
  
  You touch on a point that I think a lot of people seem to miss.
  People, and their actions, make the world. We all know this. The above given situation, is a perfect example of where the people directly involved, shape the very security that so many people strive to maintain. We joke here about security through obscurity, and how closed systems can be a dangerous venture when the customer is out of the loop, but this situation highlights the fact that there is a balance that can be met between industry manufacturers, government agencies, and the researchers who highlight such vulnerabilities.
  I don't think the 'security' for their systems, and security at a global totality measure w/ regard to these systems, would be increased by the release of this information. It would inherently make life slightly less secure. Yes the information would be out, but then what? The article highlights the fact that Siemens can't implement a fix in a timely manner that would negate the sudden release of this information.
  Like I said, there's a balance that can be met. Closed source systems will always exist, and with high profile systems such as this, the intersection of government, industry, and researchers should do what's best for all involved, including the general populace. As we're seeing here, it's not always about protecting the bottom line. Some times, it's about protecting everything else and the bottom line.
2. Re:Reponsible Disclosure by Anonymous Coward · 2011-05-19 20:51 · Score: 0
  
  Even if Siemens fixed the issues on the spot, the millions of deployed vulnerable systems cannot be upgraded any time soon, if ever - sometimes the cost of the upgrade including the risk to production would be higher than replacing the machine entirely.
  Ain't going to happen, unfortunately. On the other hand, people who have these things on regular networks with everything else - office PCs, internet access, etc. should be tarred, feathered and ideally shot. That is a catastrophe waiting to happen :(
3. Re:Reponsible Disclosure by Anonymous Coward · 2011-05-19 21:15 · Score: 0
  
  Assuming that the developers at Siemens have the needed expertise to fix the issue... *Looks around office. Shrugs. Goes back to work and TIA Portal Component...*
"shh, don't tell" is pointless by bl8n8r · 2011-05-19 08:33 · Score: 1

The people you don't want to know about this stuff, already know. The only reason Siemens or others don't want the info made public is to save face.

--
boycott slashdot February 10th - 17th check out: altSlashdot.org
Not what is being argued by betterunixthanunix · 2011-05-19 08:36 · Score: 1

What is being argued is that Siemens did not have enough time to patch this vulnerability and deploy that patch in major installations of these systems. I do not doubt it; the real question is whether or not they are busy deploying a fix, and I would not doubt that they are. Stuxnet is out there being studied by people who would use it to attack US factories, if they could, and I would bet that the US government is putting pressure on Siemens to fix the problem. If within a year, the talk is still being suppressed, we can start talking about conspiracies to control knowledge, but for now I would say it is more an issue of responsible disclosure.

--
Palm trees and 8
National Security Through Obscurity by Anonymous Coward · 2011-05-19 08:41 · Score: 0

somebody make a WWII style propaganda poster with that, plz.
Hallelujah, Siemens gets it by Hierarch · 2011-05-19 08:42 · Score: 5, Informative

A lot of people seem to want to scream about censorship, but they're missing the point. This is one of the best case scenarios I've seen in relations between companies and security researchers.
For those who can't be bothered to RTFA, here's a summary.
Researchers found a serious flaw. The company developed a fix. It turned out that the fix was flawed. The company told the researchers about the potential impact of giving the talk before the flaw was fixed, and the researchers voluntarily postponed the talk while a better fix is built.
That's it, and it looks like everybody did the best thing they could. Isn't this what we'd want Siemens to do? "You've got a right to give your talk, but we'd like you to postpone it. Here's why. Your call."

--
--Somebody infect me with a .sig virus, I'm too lazy to write my own!
1. Re:Hallelujah, Siemens gets it by Anonymous Coward · 2011-05-19 09:54 · Score: 0
  
  Your logic has the flaw, that you assume those researchers were the only one with access to that information, and nobody else could find it out by himself or acquire it otherwise.
  Just so you know: It's already out there anyway. Just that now, only if you obey Siemens' totalitarian information control, will you know how to do anything about that.
  Good luck dying out with your blind belief, sheeple.
2. Re:Hallelujah, Siemens gets it by Opportunist · 2011-05-19 10:45 · Score: 1
  
  The info exists. The info is valuable to people who want to do something bad. Valuable information will find a supplyer, provided the demand (and pay) is high enough.
  People who want information for nefarious reasons don't care about legal troubles connected with the acquisition of said information. People who want information to prevent said nefarious actions usually cannot ignore the law when trying to get it.
  Question for 100: Who will now that this talk is not being held have the information, and who will not have it?
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
3. Re:Hallelujah, Siemens gets it by Mr.+Freeman · 2011-05-19 10:53 · Score: 2
  
  I have a hard time believing that it took siemens this long to develop a fix. The fact that stuxnet was designed to compromise siemens PLCs and how it accomplished this has been known for several months now. There's no excuse not to push out a (working) patch within a few months of a huge 0-day being discovered. To have not fixed this by now, especially given the critical applications some PLCs are used in, suggests negligence.
  
  Responsible disclosure says that you should give the responsible party a reasonable amount of time to fix the problem before disclosing it. Responsible disclosure is NOT keeping your mouth shut indefinitely so as to allow the responsible party to ignore the problem for as long as possible.
  
  --
  -1 disagree is not a modifier for a reason. -1 troll, flaimbait, redundant, overrated are NOT acceptable substitutes.
4. Re:Hallelujah, Siemens gets it by Sepodati · 2011-05-19 11:10 · Score: 1
  
  Question for 100: Who will now that this talk is not being held have the information, and who will not have it?
  The same (good and bad) people have it without the talk, but the rest of the world does not. Although the risk level is still there, it's not increased. If TFA is correct and Siemens is working on a fix, then what's wrong with giving them the time they need and/or working with them?
5. Re:Hallelujah, Siemens gets it by Anonymous Coward · 2011-05-22 13:39 · Score: 0
  
  There's no excuse not to push out a (working) patch within a few months of a huge 0-day being discovered.
  I do agree that Siemens needs to do better in this area., but this is an over simplification of the problem. You fail to acknowledge how risk adverse Siemens & it's customers are and how hard it is for a company like Siemens to push out patches for critical infrastructure projects and then get the customers to apply those patches to production systems in a timely manner.
Siemens by Anonymous Coward · 2011-05-19 08:58 · Score: 0

Stuxnet virus developed by Musad/CIA attacks Siemens controllers. Uploaded via jump drive during regular maintenance cycles. Fukushima. Nuff said.
Just so I get that straight by Opportunist · 2011-05-19 10:43 · Score: 1

So it would decrease security to give that information to people who pay for a sec talk, people who are most likely sent there by companies, companies possibly that use the technology in question?
Let's think for a while: Someone who wants to blow up a dam or nuke a power plant probably doesn't really care too much about "virtual trespassing", aka hacking and the legal implications thereof, and neither would he bother to second guess spending some 1000 bucks on someone who would provide this information, while a law abiding CISO or CSO at a company using those systems (who might instead go to sec cons to hear about them) cannot take these venues to receive the information.
Is it me or is the reasoning for suppressing the talk a tad bit backwards?

--
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
1. Re:Just so I get that straight by Sepodati · 2011-05-19 11:15 · Score: 1
  
  By not conducting the talk, the risk level is not increased, at least. It's still there, obviously. The companies that would have attended this talk should already be working on isolating SCADA and similar systems as much as possible, with or without the specifics of the talk. I doubt companies are going to be patching SCADA systems themselves without help from Siemens or their vendor. If Siemens is indeed honestly working on a solution, then _delaying_ the talk is entirely reasonable.
Re:"probes" by Anonymous Coward · 2011-05-19 12:19 · Score: 0

First of all, don't you realize every time you make a joke about "anal probes" at the airport, you're being not-so-subtly homophobic? Same thing with prison-rape jokes. I'm about as much a fan of those jokes as I am of the acts.
It's bad practice to say that being afraid of somebody's hobbies makes you afraid of them because it infers that you have to do those hobbies with them. I'm not saying the jokes are classy. I'm saying somebody's hobbies are their own personal business and due to common courtesy. I'm also saying that somebody can be scared to death of homosexuality, suck it up, and profit immensely by being civil to the people around him/her.
Some clear this up for me... by Anonymous Coward · 2011-05-19 15:01 · Score: 0

Why are these things internet accessible in the first place?
I mean why don't they just add a "blow everything up" or "emit random signals that will probably destroy the attached equipment" button and save everybody the trouble?
The big picture. by AftanGustur · 2011-05-20 00:12 · Score: 1

If the US intelligence services and Siemens had worked together in the past to exploit SCADA vulnerabilities in systems owned by unfriendly nations.
Why would they want to increase awareness of SCADA problems?

--
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
Industrial viruses - a new competitive weapon? by Anonymous Coward · 2011-05-20 00:30 · Score: 0

This and the recent Stuxnet virus story show the potential for viruses to start hitting infrastructure and equipment - providing an opportunity for both corporates and governments to do some really serious damage... a new book that considers the potential here is 'A joy to serve the company' http://www.amazon.com/s/ref=nb_sb_noss?url=search-alias%3Ddigital-text&field-keywords=a+joy+to+serve+the+company&x=0&y=0