Slashdot Mirror

← Back to Stories (view on slashdot.org)

Siemens SCADA Hacking Talk Pulled From TakeDownCon

Posted by timothy on from the but-motel-6-keeps-the-lights-on dept.

alphadogg writes "A planned presentation on security vulnerabilities in Siemens industrial control systems was pulled Wednesday over worries that the information in the talk was too dangerous to be released. Independent security researcher Brian Meixell and Dillon Beresford, with NSS Labs, had been planning to talk Wednesday at a Dallas security conference about problems in Siemens PLC systems, the industrial computers widely used to open and shut valves on factory floors and power plants, control centrifuges, and even operate systems on warships. But the researchers decided to pull the talk at the last minute after Siemens and the US Department of Homeland Security pointed out the possible scope of the problem."

3 of 104 comments (clear)

  1. Re:Security through obscurity by chemicaldave · · Score: 5, Informative
    Did you RTFA? That's exactly why they decided not to give the talk, because Siemens hasn't fixed the problems. As NSS Ceo Rick Moy points out:

    "The vendor had proposed a fix that turned out not to work, and we felt it would be potentially very negative to the public if information was put out without mitigation being available." ... In the past, technology companies have threatened legal action against researchers, but Moy said that in this case the lawyers were not involved. "It's a temporary hold on the information; it's not that it's being buried," he said. "We just don't want to release it without mitigation being out there for the owners and operators of the SCADA equipment."

  2. Re:Secrecy by chemicaldave · · Score: 5, Insightful

    Did you RTFA? They're waiting for Siemens to fix the issues first, a common practice in security research. Siemens and DHS didn't force them to pull the talk and didn't even get lawyers involved. So please stop with your accusations. You clearly lack an understanding of the situation at hand.

  3. Hallelujah, Siemens gets it by Hierarch · · Score: 5, Informative

    A lot of people seem to want to scream about censorship, but they're missing the point. This is one of the best case scenarios I've seen in relations between companies and security researchers.

    For those who can't be bothered to RTFA, here's a summary.

    Researchers found a serious flaw. The company developed a fix. It turned out that the fix was flawed. The company told the researchers about the potential impact of giving the talk before the flaw was fixed, and the researchers voluntarily postponed the talk while a better fix is built.

    That's it, and it looks like everybody did the best thing they could. Isn't this what we'd want Siemens to do? "You've got a right to give your talk, but we'd like you to postpone it. Here's why. Your call."

    --
    --Somebody infect me with a .sig virus, I'm too lazy to write my own!