Slashdot Mirror


Siemens SCADA Hacking Talk Pulled From TakeDownCon

alphadogg writes "A planned presentation on security vulnerabilities in Siemens industrial control systems was pulled Wednesday over worries that the information in the talk was too dangerous to be released. Independent security researcher Brian Meixell and Dillon Beresford, with NSS Labs, had been planning to talk Wednesday at a Dallas security conference about problems in Siemens PLC systems, the industrial computers widely used to open and shut valves on factory floors and power plants, control centrifuges, and even operate systems on warships. But the researchers decided to pull the talk at the last minute after Siemens and the US Department of Homeland Security pointed out the possible scope of the problem."

18 of 104 comments

  1. Security through obscurity by Anonymous Coward · · Score: 4, Insightful

    Perfect example of security through obscurity. Yeah, everyday script kiddies won't be messing around in the systems, but those dedicated to do damage or spy have the time and means to get to know the systems. And it's even easier for them because the systems aren't properly secured.

    1. Re:Security through obscurity by Hatta · · Score: 2

      Why would Siemens bother fixing holes nobody knows about?

      --
      Give me Classic Slashdot or give me death!
    2. Re:Security through obscurity by LunaticTippy · · Score: 3, Informative

      At my workplace, all our PLCs are on a process control network. It is isolated from the business network and internet completely. We assume that the PLCs are not secure and they are business critical. We can't take any chance a malware outbreak or hacker causes actual physical things to happen.

      It makes doing work more difficult, and there are still some attack vectors.

      --
      Man, you really need that seminar!
    3. Re:Security through obscurity by ThunderBird89 · · Score: 2

      To the best of my knowledge, they never did prove that the US created Stuxnet. In fact, I've seen Israel blamed far more, based on vague references in the code.

      --
      Hyperbole: I use it liberally!
    4. Re:Security through obscurity by chemicaldave · · Score: 5, Informative

      Did you RTFA? That's exactly why they decided not to give the talk, because Siemens hasn't fixed the problems. As NSS CEO Rick Moy points out:

      "The vendor had proposed a fix that turned out not to work, and we felt it would be potentially very negative to the public if information was put out without mitigation being available." ... In the past, technology companies have threatened legal action against researchers, but Moy said that in this case the lawyers were not involved. "It's a temporary hold on the information; it's not that it's being buried," he said. "We just don't want to release it without mitigation being out there for the owners and operators of the SCADA equipment."

    5. Re:Security through obscurity by Svartalf · · Score: 2

      Heh... If they think that those patches will get deployed in a timeframe measured in anything other than months or years, they're kidding themselves...

      SCADA systems typically don't get patched- and when they do or get upgraded, it's a "big thing".

      --
      I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
    6. Re:Security through obscurity by imsabbel · · Score: 3, Informative

      And Stuxnet was transmitted via USB sticks doing the sneakernet stuff...

      --
      HI O WISE PRINCE. WHT TOOK U SO DAM LONG?
  2. In other words by Attila+Dimedici · · Score: 2

    In other words, if your systems rely on PLC systems from Siemens, you had better hope that no attacker can get through your firewall.

    --
    The truth is that all men having power ought to be mistrusted. James Madison
    1. Re:In other words by Charliemopps · · Score: 4, Interesting

      I used to work in provisioning in a telco and it entirely depends on who's managing the plant. We'd install circuits in some power plants that were so strict that they insisted on fiber use only. We'd run copper to an access point outside their security perimeter then have a mux convert it to fiber to run across the perimeter into the facility where it would terminate in an outer building. Their security plan did not allow ANY outside network connections to the plant itself. They had networked equipment but it was all housed in an outer building with no connection to the main plant or control systems. They refused to allow copper on the premises because it's relatively easy to splice into and carry elsewhere. Fiber would be much more difficult to splice and bring in.

      Other facilities were less secure. I remember getting a panicked call from someone shouting "The dam's gonna bust!!!" They had a single "Circuit" they paid about $20 a month for that was nothing more than a single copper that ran from some building to the local dam. They'd apply +5 volts to the line to open the dam, and -5 volts and it would close. They'd reacted too slowly to rising waters and it had flooded the copper pair they used to control the dam. They wanted us to send a phone tech into their overflowing dam to repair the circuit so they could open it from the safety of their administrative building. They had a hard time understanding my near hysterical laughter.

  3. Re:As the Iranians found out the hard way... by gellenburg · · Score: 2

    As the Iranians found out the hard way, it's difficult to keep an intruder out despite the obscure nature of PLC (most people probably don't even know what that is.)

    Programmable Logic Controllers.

    I prefer Allen-Bradley PLCs myself.

  4. Re:Secrecy by chemicaldave · · Score: 5, Insightful

    Did you RTFA? They're waiting for Siemens to fix the issues first, a common practice in security research. Siemens and DHS didn't force them to pull the talk and didn't even get lawyers involved. So please stop with your accusations. You clearly lack an understanding of the situation at hand.

  5. Responsible Disclosure by betterunixthanunix · · Score: 4, Insightful

    There is a notion in security engineering of responsible disclosure, which is letting a company know about a vulnerability long enough before you present it so as to allow the company to fix it and deploy the fix. I believe that what happened here was that the company complained that they did not have enough time to fix the problem and deploy the fix, and that DHS and the researcher agreed with that conclusion. I do not think this is terribly far-fetched, and I doubt that there is a conspiracy to leave vulnerabilities in industrial equipment used here in America, not when the Iranians want to get back at the US and Israel for Stuxnet.

    --
    Palm trees and 8
  6. Hallelujah, Siemens gets it by Hierarch · · Score: 5, Informative

    A lot of people seem to want to scream about censorship, but they're missing the point. This is one of the best case scenarios I've seen in relations between companies and security researchers.

    For those who can't be bothered to RTFA, here's a summary.

    Researchers found a serious flaw. The company developed a fix. It turned out that the fix was flawed. The company told the researchers about the potential impact of giving the talk before the flaw was fixed, and the researchers voluntarily postponed the talk while a better fix is built.

    That's it, and it looks like everybody did the best thing they could. Isn't this what we'd want Siemens to do? "You've got a right to give your talk, but we'd like you to postpone it. Here's why. Your call."

    --
    --Somebody infect me with a .sig virus, I'm too lazy to write my own!
    1. Re:Hallelujah, Siemens gets it by Mr.+Freeman · · Score: 2

      I have a hard time believing that it took Siemens this long to develop a fix. The fact that Stuxnet was designed to compromise Siemens PLCs and how it accomplished this has been known for several months now. There's no excuse not to push out a (working) patch within a few months of a huge 0-day being discovered. To have not fixed this by now, especially given the critical applications some PLCs are used in, suggests negligence.

      Responsible disclosure says that you should give the responsible party a reasonable amount of time to fix the problem before disclosing it. Responsible disclosure is NOT keeping your mouth shut indefinitely so as to allow the responsible party to ignore the problem for as long as possible.

      --
      -1 disagree is not a modifier for a reason. -1 troll, flamebait, redundant, overrated are NOT acceptable substitutes.
  7. Re:"pointed out the possible scope of the problem" by ArcCoyote · · Score: 2, Informative

    Idiot.

    First of all, don't you realize every time you make a joke about "anal probes" at the airport, you're being not-so-subtly homophobic? Same thing with prison-rape jokes. I'm about as much a fan of those jokes as I am of the acts.

    Didn't you read the part where the DHS CERT (a part of US-CERT, which falls under DHS but has nothing to do with the TSA...) told NSS something like, "Um, guys, the patch Siemens released doesn't work, and there are thousands of these devices deployed all over the place, including the power plants in this here city.."

    NSS decided to play it safe, they weren't forced to do anything. It's called responsible disclosure, and when Siemens gets their products fixed, it will be released.

    But I know your type. You, my familial-basement-dwelling troll, assume coercion and conspiracy is how everything gets done by three-letter agencies. Ironic, considering you love to rant about how those same agencies assume everyone brown is a terrorist.

    Bar none, the libertarian, open-source evangelizing, Apple/Microsoft bashing, EFF supporting types are some of the most bigoted, narrow-minded, reactionary, paranoid individuals I've ever met.

  8. Re:As the Iranians found out the hard way... by Svartalf · · Score: 2

    Yeah, they're a bit cleaner. The big problem is that it's not just a Siemens problem. It's endemic throughout the industry in varying ways.

    Networks that're claimed to be air-gapped- but aren't because of "ease of use" concerns.
    Networks that shouldn't have a single Windows box because of that risk that do.
    And, so on and so forth.

    --
    I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
  9. Re:As the Iranians found out the hard way... by datapharmer · · Score: 2

    The Iranians didn't find out about the obscure nature of PLC, they found out it isn't a good idea to buy your infrastructure from foreign countries... See in the U.S. we are careful to only use... oh never mind.

    --
    Get a web developer
  10. Re:"pointed out the possible scope of the problem" by russotto · · Score: 2

    > First of all, don't you realize every time you make a joke about "anal probes" at the airport, you're being not-so-subtly homophobic?

    Nonsense; it's a reference to bodily violation which works no matter what your gender and orientation. Just because a man is gay doesn't mean he wants the TSA up his ass.

    > NSS decided to play it safe, they weren't forced to do anything. It's called responsible disclosure, and when Siemens gets their products fixed, it will be released.

    Disclosure delayed is disclosure which doesn't happen.

    > You, my familial-basement-dwelling troll, assume coercion and conspiracy is how everything gets done by three-letter agencies.

    When you have the kind of power they have, coercion IS how everything gets done. When they "ask", refusal always has serious negative consequences whether express or implied.