Last week security researcher Dillon Beresford cancelled a scheduled presentation at the Takedown Conference about a Supervisory Control and Data Acquisition (SCADA) exploit proof-of-concept after consulting with representatives from Siemens and the Department of Homeland Security over security concerns.
SCADA systems provide operations control for critical infrastructure and production networks including manufacturing facilities, refineries, hydroelectric and nuclear power plants, and the information in Beresford's presentation would have exposed previously undisclosed threats.
“They requested that I not share the data, but it was absolutely my decision to cancel. In no way [did they] try to censor the presentation, and the conference organizers were very supportive... We did the right thing,” Beresford said.
As information continues to trickle out regarding the exploit developed by Beresford and collaborator Brian Meixell, it is becoming clear that the methodology they developed is more than a simple proof of concept regarding a previously unknown vulnerability.
Beresford and Meixell's work is now being described as a homemade cyber weapon comparable to the infamous Stuxnet virus.
Stuxnet is a highly sophisticated designer virus that wreaks havoc with SCADA systems. It is thought to have caused severe damage to Iranian uranium enrichment facilities, which reportedly set back the nation's nuclear program several years.
The fact that two researchers could easily develop such a critical threat in their spare time over the course of just several months provides further insight into the Department of Homeland Security's decision to intervene, and is indicative of the widespread vulnerabilities that exist in systems controlling the nation's critical infrastructure.
Beresford subsequently issued some harsh criticism this week regarding the manner in which Siemens is handling the disclosure of the vulnerabilities, which affect the company's programmable logic controllers (PLCs).
"Siemens has said some things to the press that I am not entirely comfortable with... I would [like] to address it right here in the open, with all of you, because damage control and impact minimization [are] a typical tactic used by vendors to protect their public image," Beresford said.
Beresford's criticism is in response to attempts by Siemens to characterize the exploit as highly sophisticated and developed under an artificial set of circumstances that would be difficult for a would-be attacker to recreate.
Beresford countered Siemens' assertions, stating that the exploits were not of a sophisticated nature. "The flaws are not difficult for a typical hacker to exploit because I put the code into a series of Metasploit auxiliary modules, the same ones supplied to ICS-CERT and Siemens."
Beresford argues that Siemens is attempting to downplay the significance of the vulnerabilities in the press, which may account for the seeming lack of concern expressed by those in the security industry since the exploits were disclosed.
"This is another egregious example of a vendor trying to minimize the impact of multiple security vulnerabilities in their products and being somewhat evasive about the truth. The clock is ticking, and time is of the essence. I expect more from a company worth $80 billion, and so do [their] customers," Beresford warned.
Some network security experts have taken note of the disclosures, and warn that SCADA vulnerabilities and the likelihood of more Stuxnet-like attacks on critical infrastructure should be of the utmost concern.
"The reaction by Siemens is the old school knee-jerk reaction: 'Just 'cus some kids can do it does not mean we are targeted'. Industrial control vendors and users have to take this very seriously. They are being targeted, they are vulnerable, and the repercussions could be very expensive," said Richard Stiennon, founder of IT-Harvest and the author of Surviving Cyber War, in an email to Infosec Island.