Researchers Decide Not To Give SCADA Vulnerability Talk

A security researcher who was scheduled to present at TakedownCon 2011 in Dallas yesterday decided to withdraw his SCADA vulnerability talk, citing concerns about the possible risk to human life.

Dillon Beresford, security researcher at NSS Labs, pulled his presentation of vulnerabilities and proof-of-concept exploit code at the 11th hour after collaborative discussions with ICS-CERT and Siemens. SCADA vulnerabilities are those that affect systems that support critical infrastructure, such as utilities and water distribution.

"DHS' Industrial Control Systems Cyber Emergency Response Team [ICS-CERT] frequently engages with industry partners and members of the cybersecurity community to share actionable vulnerability information and mitigation measures in an effort to better secure our nation's critical infrastructure," the Department of Homeland Security said in a statement.

"In this collaboration, DHS always prioritizes the responsible disclosure of vulnerability information, while concurrently providing actionable solutions and recommendations to better secure our nation's infrastructure," the DHS stated. "This responsible disclosure process does not encourage the release of sensitive vulnerability information without also validating and releasing a solution."

"Considering the repercussion to the world at large and human lives, it is only reasonable that any responsible security organization like EC-Council will accede to a request to withdraw such a presentation from a technical conference like TakedownCon until a suitable solution has been made available to the user community," said Jay Bavisi, president of EC-Council, the organizer of the TakedownCon conference series.

Beresford has been invited to give his talk at the Hacker Halted conference in October, if he considers the vulnerabilities to be rectified.

The description of the presentation, entitled "Chain Reactions--Hacking SCADA," reads: "Combining traditional exploits with industrial control systems allows attackers to weaponize malicious code, as demonstrated with Stuxnet. The attacks against Iran's nuclear facilities were started by a sequence of events that delayed the proliferation of nuclear weapons.

"We will demonstrate how motivated attackers could penetrate even the most heavily fortified facilities in the world, without the backing of a nation state," the description continues. "We will also present how to write industrial grade malware without having direct access to the target hardware. After all, if physical access was required, what would be the point of hacking into an industrial control system?"

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.