While acting with the best of intentions, DHS and Siemens persuading Dillon Beresford to drop his “Chain Reaction: Hacking SCADA” talk at Takedown last month has backfired. My favorite tweet on the subject is:
This is so true, like the “coverup is worse than the crime”. The DHS intervention moved this from another small to moderate ICS vuln story into a cause célèbre. This should not have been new or unforeseen, and a cynic might wonder if Dillon and NSS knew that pulling the talk would accrue to their advantage. There have been numerous examples in the IT security world where a vendor comes in with legal documents or threats to stop a vulnerability presentation. It never ends well for the vendor because the information gets out and has a big spotlight on it — what was so important that the vendor tried to take legal action to stop it? In this case it was persuasion, not legal threats, but the result was predictable and the same.
Maybe I’m just bitter because Dillon went from someone I could get on the podcast to a Black Hat star. Now he will present his work in technical detail to many unfamiliar with PLCs and ICS applications. Another big step on the learning curve. Going back to my Lost Decade post, I’m not sure this is a bad thing. Perhaps we need more knowledgeable security professionals of every hat color to move ICS security forward at a faster pace.