A security presentation on vulnerabilities in Siemens computer systems has been pulled because the powers that be fear that it might be too dangerous.
According to Network World, independent security researchers Brian Meixell and Dillon Beresford, who work for NSS Labs, had been planning to talk Wednesday at a Dallas security conference about problems in Siemens’ programmable logic controller systems.
The software is used to open and shut valves on factory floors and in power plants, control centrifuges, and even operate systems on warships. A hack of it brought Iran’s nuclear plant to its knees.
At the last minute, Siemens and the U.S. Department of Homeland Security asked the pair not to release the talk because the information they would have released could be potentially dangerous.
Rick Moy, CEO of NSS Labs, said his outfit had been working with DHS’s ICS CERT (Industrial Control Systems Cyber Emergency Response) group for the past week-and-a-half trying to get the problems resolved.
Siemens had tried a fix that turned out not to work, and NSS felt it would be bad for the public if information was put out without mitigation being available, he said.
Moy said that there had been no legal threats from either Siemens or the spooks. The company would release the information eventually; he just did not want to release it without mitigation being out there.
Apparently Siemens and DHS said that it was up to them to be responsible, but did point out some of the number of vulnerable devices and where they’re deployed.
Certainly some of them would be in places where it would be rather frightening if a cyber terrorist took them down.
Meixell and Beresford said they would show how to write “industrial-grade” malware to exploit the hole and demonstrate how motivated attackers could penetrate even the most heavily fortified facilities in the world.