SCADA hack talk canceled on request by DHS, Siemens
A talk on how to build "industrial grade" SCADA malware at TakeDownCon in Dallas earlier this week was shelved mere hours before it was scheduled to start. SCADA stands for "supervisory control and data acquisition" and is widely used in factories and industrial control systems. Dillon Beresford, an analyst at security product testing company NSS Labs, and Brian Meixell, an independent researcher, were originally slated to speak on Wednesday morning.
The flaws were elsewhere described as being serious enough to allow hackers to control a Siemens PLC (programmable logic controller) system. Speaking to CNET, Beresford said "We were asked very nicely if we could refrain from providing that information at this time," adding that "I decided on my own that it would be in the best interest of security...to not release the information." It was understood that the request not to hold the talk was made by Siemens and the Department of Homeland Security (DHS).
The researchers still plan to release their findings at a later date, says Rick Moy, president and CEO of NSS Labs, who spoke to SC Magazine. According to Moy, initial mitigation offered by Siemens did not work. As such, the talk was put off "due to the serious physical, financial impact these issues could have on a worldwide basis," but "further details will be made available at the appropriate time."
For now, Siemens is working on fixing the identified issues, and according to the company is "in the process of testing patches and developing mitigation strategies." In the meantime, Siemens has issued a statement implying that the flaw is difficult to exploit: "While NSS Labs has demonstrated a high level of professional integrity by providing Siemens access to its data, these vulnerabilities were discovered while working under special laboratory conditions with unlimited access to protocols and controllers." Much like how the Stuxnet worm was developed, I suppose?
For more:
- see this article at SC Magazine
- see this article at PC World
- see this article at CNET