This past week at Takedowncon in Dallas (I just happened to be "there"), Dillon Beresford elected to pull his talk on cascading SCADA vulnerabilities, after some conversations with Siemens (the SCADA manufacturer with the vulnerabilities as indicated in this talk) and DHS, who apparently indicated to him the seriousness of the issue. I sense all sorts of conspiracy here, even though I was literally standing next to Dillon discussing the mess with Jayson Street. I find it commendable that Dillon elected to pull the talk himself, but is that the REAL story? Did Dillon really not understand the gravity of the situation?
Further, does this actually work? Think of it like this: he did not do the research in a vacuum, I am sure he had co-workers and others helping. Also, he was communicating with the vendor and DHS. So let’s assume there were more than 10 people who knew about the research. This is being very generous because any government bureaucracy will have a crap-ton of people in a number of meetings to make any decisions. The point I am trying to make is this: the reason to suppress this talk was most likely not to stop the information from getting "out-there" because it already was. The people who would be interested in this research most likely have the means and capabilities to get it.
No, I fear the real reason for suppressing this talk was to cover the "sterling" reputation of the vendor and DHS. And that is a frightening prospect. I do understand that these SCADA attacks can be dangerous. But in reality, any vulnerability leveraged in the right way can be dangerous.
But I am glad Dillon made the call. It was his to make. Maybe we need a vulnerability disclosure panel or webcast on PaulDotCom in the near future.
PaulDotCom will be teaching Offensive Countermeasures at Black Hat July 30-31