While acting with the best of intentions, DHS and Siemens persuading Dillon Beresford to drop his talk “Chain Reaction: Hacking SCADA” talk at Takedown last month has backfired. My favorite tweet on the subject is:
This is so true, like the “coverup is worse than the crime”. The DHS intervention moved this from another small to moderate ICS vuln story into a cause célèbre. This should not have been new or unforeseen, and a cynic might wonder if Dillon and NSS knew that pulling the talk would accrue to their advantage. There have been numerous examples in the IT security world where a vendor comes in with legal documents or threats to stop a vulnerability presentation. It never ends well for the vendor because the information gets out and has a big spotlight on it — what was so important that the vendor tried to take legal action to stop it? In this case it was persuasion, not legal threats, but the result was predictable and the same.
Maybe I’m just bitter because Dillon went from someone I could get on the podcast to a Black Hat star. Now he will present his work in technical detail to many unfamiliar with PLC’s and ICS applications. Another big step on the learning curve. Going back to my Lost Decade post, I’m not sure this is a bad thing. Perhaps we need more knowledgeable security professionals of every had hat color to move ICS security forward at a faster pace.
Another side effect of the stoppage is the vulnerability is achieving cult status, similar to the relatively obscure Aurora vulnerability of video fame. (Yes, I said it. Aurora was wildly overhyped. There are so many easier vulnerabilities to exploit and processes to change with logical access. It was crazy that stopping Aurora became the critical item in Congressional and regulatory circles – – very poor risk management) Now Sen. Lieberman has at least twice referenced the Beresford vulnerabilities, once giving DHS major credit for stopping the presentation.
One final note on the Beresford vulns. This is an example of a “secret” ICS-CERT bulletin. You have to sign up to a list and promise some things to get these, or have numerous people forward it to you to get it. We don’t sign up for these don’t disclose lists because it raises problems when we blog on it with the information from other sources. Walt Boyes over at ControlGlobal has a heated blog entry on this practice.