A scheduled talk on vulnerabilities in industrial control systems, which operate things like power plants and oil refineries, was shelved Wednesday at a security conference after the affected vendor was unable to develop a working fix in time.
Dillon Beresford, an analyst at security product testing company NSS Labs, and Brian Meixell, an independent researcher, planned to demonstrate at the TakeDownCon in Las Vegas how to build “industrial grade SCADA (supervisory control and data acquisition) malware without access to the target hardware,” according to a conference news release.
However, the pair decided to pull the plug just hours before they were to hit the stage because of the real-life harm the research could have caused.
“Dillon decided to temporarily delay giving the talk due to the human risks and the fact that the mitigation offered by Siemens did not work,” Rick Moy, president and CEO of NSS Labs, told SCMagazineUS.com in an email. “We are working collaboratively with ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) and the vendor and look forward to their response to the issues.”
He said the researchers still plan to release their findings at a later date.
“Due to the serious physical, financial impact these issues could have on a worldwide basis, further details will be made available at the appropriate time,” Moy wrote. “NSS Labs is working with all parties to validate remediations for the issues.”
Vulnerabilities affecting SCADA software and hardware products have become a research hotbed in recent years as these systems become interconnected with corporate data networks and the public internet, making them increasingly open to attack.
Products made by Siemens, a well-known SCADA manufacturer, were targeted by the vicious Stuxnet worm, considered the first malware written to specifically target industrial control systems. Stuxnet exploits hit Iran’s nuclear program, though no major damage occurred.
In March, an Italian researcher warned about 34 flaws in SCADA products that could allow people to monitor and control the various hardware sensors and mechanisms located in industrial environments, enabling attackers to remotely execute code via buffer and heap overflows.
A Siemens spokeswoman could not be immediately reached for comment on Thursday.
Wrote Moy in a blog post: “Exploitation of vulnerabilities in systems can always have negative effects, such as loss of availability, productivity, data loss or compromise, and even result in identity theft and financial loss. However, unlike classic computer crime and exploitation, where data is remotely stolen or manipulated, attacks on industrial control systems can have devastating physical world implications such as loss of life and environmental impact.”