Two researchers say they canceled a talk at a security conference today on how to attack critical infrastructure systems, after U.S. government cybersecurity officials and Siemens representatives asked them not to discuss their work publicly.
"We were asked very nicely if we could refrain from providing that information at this time," Dillon Beresford, an independent security researcher and a security analyst at NSS Labs, told CNET today. "I decided on my own that it would be in the best interest of security...to not release the information."
Beresford said he and independent researcher Brian Meixell planned on doing a physical demonstration at the TakeDown Conference and shared their slides and other information on vulnerabilities and exploits with Siemens, ICS-CERT (Industrial Control Systems Cyber Emergency Response Team), and the Idaho National Lab on Monday.
A DHS official provided this statement: "DHS' Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) frequently engages with industry partners and members of the cybersecurity community to share actionable vulnerability information and mitigation measures in an effort to better secure our nation's critical infrastructure. In this collaboration, DHS always prioritizes the responsible disclosure of vulnerability information, while concurrently providing actionable solutions and recommendations to better secure our nation's infrastructure. This responsible disclosure process does not encourage the release of sensitive vulnerability information without also validating and releasing a solution."
A U.S.-based representative for Siemens, a German company, did not respond to a call or e-mail. Siemens was expected to make a statement on Thursday, according to Beresford.
Earlier in the day, an organizer of the conference said that it was Siemens and the Department of Homeland Security that had requested that the researchers hold off on their talk. ICS-CERT is a division of DHS.
The presentation was entitled "Chain Reactions--Hacking SCADA." SCADA (supervisory control and data acquisition) is the technology used to monitor and control manufacturing and critical-infrastructure systems. About 300 people were registered to attend the TakeDown Conference, which is happening today and tomorrow in Dallas.
"Combining traditional exploits with industrial control systems allows attackers to weaponize malicious code, as demonstrated with Stuxnet. The attacks against Iran's nuclear facilities were started by a sequence of events that delayed the proliferation of nuclear weapons," a summary of the talk says. "We will demonstrate how motivated attackers could penetrate even the most heavily fortified facilities in the world, without the backing of a nation state. We will also present how to write industrial grade malware without having direct access to the target hardware. After all, if physical access was required, what would be the point of hacking into an industrial control system?"
Last year's Stuxnet was believed to be the first malware designed specifically to target industrial control systems. Experts say it was written to seek out particular Siemens software and was likely aimed at sabotaging Iran's nuclear program.
News of the cancellation first spread on Twitter, when another presenter at the conference, Jayson Street, tweeted: "Since DHS just banned next speaker from giving his talk [on SCADA] I'm up next!"
However, Beresford said they were merely asked to not give the talk.
"Dillon was not threatened or prevented from speaking. Rather, he made the decision based on the potential negative impact to human life and the fact that the vendor's proposed mitigation had failed," NSS Labs Chief Executive Rick Moy said in an e-mail. "ICS-CERT has done a great job of assisting us with this process, and we look forward to Siemens being able to address the issue for their customers."
Updated 6:21 p.m. PT with DHS comment and 5:53 p.m. PT to clarify that U.S. and Siemens merely asked researchers to cancel talk; specify that ICS-CERT was involved; add more details and comment from researcher.