Security wonks accuse Siemens of underplaying SCADA risk

Some don't accept explanation of why discussion of SCADA flaws was cancelled

Last week German systems-software developer Siemens threw a scare into everyone who was already worried about the cybersecurity of U.S. utilities, by cancelling a security presentation on the topic at the last minute.

The obvious assumption was that U.S. anti-terrorism investigators demanded the session at Wednesday's TakeDownCon conference be cancelled because releasing information on vulnerabilities in Siemens' industrial-control systems was like asking to be attacked.

That interpretation became gospel in a week's worth of chatter and bloggery, much of which focused on the potential for a Stuxnet-like counterattack from Iran and the provocative tone of the abstract describing the talk itself:

"We will demonstrate how motivated attackers could penetrate even the most heavily fortified facilities in the world, without the backing of a nation state. We will also present how to write industrial grade malware without having direct access to the target hardware," according to the blurb from the Siemens presenters.

Now Siemens is saying the session was cancelled not because of the potential danger, but because the real fix for one major flaw didn't work.

"Siemens found out, near the last minute, that the mitigation they had planned [to present as part of the talk] didn't work. It could be bypassed," Vik Phatak, chief technology officer at NSS Labs, which sponsored the conference, told CSO magazine.

Which means, if I parse it right, that the information in the talk was too dangerous to be presented, largely because the flaw that was supposed to fill the gap, didn't.

Which doesn't really change anything. There is still what CSO calls a SCADA security arms race underway, as researchers on opposing sides rush to figure out how to attack or defend the SCADA and PLC systems used to control industrial equipment like the centrifuges in Iran's nuclear-fuel processing plant and most utilities, factories, traffic-control systems, water systems and other civil engineering facilities in the U.S.

Some now accuse Siemens of covering up the problem and minimizing even the flaws it planned to present dramatically at the NSS conference last week.

The most interesting bit of information in the coverage was the suggestion that the designers of Stuxnet didn't necessarily have to have been richly funded, heavily staffed cyberwar labs in the U.S. and Israel, as Iranian officials have charged.

During its reverse-engineering and analysis of Stuxnet, NSS Labs' results led Phatak to believe it could have been written (though possibly not launched and directed quite as precisely as Stuxnet was) by smaller groups of smart hackers.

"Our researchers have shown what can be done with about $2,500 in equipment, time, and skill," he said.
