Security expert Dillon Beresford of NSS Labs cancelled a scheduled presentation yesterday at the Takedown Conference in Dallas, Texas, after consulting with representatives from Siemens and the Department of Homeland Security.
The session, titled Chain Reactions: Hacking SCADA, was intended to outline exploits for critical Supervisory Control and Data Acquisition (SCADA) vulnerabilities that Beresford and his team at NSS Labs had identified.
SCADA systems provide operational control for critical infrastructure and production networks, including manufacturing facilities, refineries, and hydroelectric and nuclear power plants, and the information in Beresford's presentation would have exposed previously undisclosed threats.
“Based on my own understanding of the seriousness behind this, I decided to refrain from disclosing any information due to safety concerns for the consumers that are affected by the vulnerabilities... DHS in no way tried to censor the presentation,” Beresford told Wired's Threat Level.
Beresford and officials at NSS Labs decided to err on the side of caution in their decision to cancel the session.
“Things could explode. I don’t want to overplay this and sound like it’s a bunch of FUD but physical damage can occur and people can be seriously injured or worse. So we felt… it was best to be prudent and wait a little bit longer until we get more information," said NSS Labs CEO Rick Moy.
The synopsis for Beresford's presentation stated: "SCADA exploits have recently taken center stage in the international community. These types of vulnerabilities pose significant threats to critical infrastructure. Combining traditional exploits with industrial control systems allows attackers to weaponize malicious code, as demonstrated with Stuxnet. The attacks against Iran’s nuclear facilities were started by a sequence of events that delayed the proliferation of nuclear weapons. We will demonstrate how motivated attackers could penetrate even the most heavily fortified facilities in the world, without the backing of a nation state. We will also present how to write industrial grade malware without having direct access to the target hardware. After all, if physical access was required, what would be the point of hacking into an industrial control system?"
Beresford indicated that the exploits his team discovered center on the Programmable Logic Controllers (PLCs) manufactured by Siemens.
“They’re very easy to exploit. As long as you have access to [a PLC's] network you will be able to exploit," Beresford said.
NSS Labs had previously disclosed the vulnerabilities to officials at Siemens, as well as to DHS's ICS-CERT (Industrial Control Systems Cyber Emergency Response Team).
“Siemens is fully aware of the vulnerabilities in its Programmable Logic Controllers discovered by researcher Dillon Beresford of NSS Labs, and we appreciate the responsible disclosure provided by NSS Labs. We are in the process of testing patches and developing mitigation strategies," said Siemens spokesman Bob Bartels.
Both government and the private sector have expressed increasing concern over the state of network security on systems that control critical aspects of the nation's infrastructure ever since the emergence of the infamous Stuxnet virus, a highly sophisticated piece of designer malware responsible for damaging equipment at an Iranian uranium enrichment facility last year.
Stuxnet-type viruses are uniquely dangerous because they are capable not only of affecting networked computer systems but also of causing physical damage to the equipment those networks control.
In March, a separate set of researchers released details on dozens of SCADA system vulnerabilities; some of them could give attackers access to critical data held in system configuration files, while several others would allow remote execution of malicious code.
The unprecedented release included thirty-four proof-of-concept exploits for common SCADA software including those produced by Siemens, Iconics, 7-Technologies, Datac, and Control Microsystems.
The vulnerability dump came just one week after Russian security firm Gleg released a tool that attempts to consolidate all known SCADA exploits into one package. The tool, called Agora SCADA+, contains twenty-two modules with eleven zero-day exploits aimed specifically at SCADA system software.
In contrast to the previous disclosures, NSS Labs' decision to cancel the presentation will give officials time to study and mitigate the threats Beresford's team identified before the weaknesses are publicized to those who may seek to capitalize on them.