A security researcher who voluntarily canceled a talk about critical holes in Siemens' industrial control systems has criticized the German company for downplaying the severity of his findings.

“The vulnerabilities are far reaching and affect every industrialized nation across the globe,” Dillon Beresford wrote in an email posted to a public security list. “This is a very serious issue. As an independent security researcher and professional security analyst, my obligation is not to Siemens but to their consumers.”

Siemens also suggested that the vulnerabilities “might be difficult for the typical hacker to exploit.”

In his email, Beresford disputed those claims.

“There were no 'special laboratory conditions' with 'unlimited access to the protocols,'” he wrote. “My personal apartment on the wrong side of town where I can hear gunshots at night hardly defines a special laboratory. He said he acquired the Siemens PLC, or programmable logic controller, with no trouble, using money supplied by his employer, NSS Labs.

So-called supervisory control and data acquisition systems control industrial equipment at oil refineries, manufacturing plants and waste treatment facilities. The security of SCADA became a major focus after the discovery of Stuxnet, a worm that some security experts was designed to sabotage Iran's nuclear program.

More from IDG News is here. ®

Related stories

• Second water utility reportedly hit by hack attack (18 November 2011)
• Duqu spawned by 'well-funded team of competent coders' (9 November 2011)
• Critical Windows zero-day bug exploited by Duqu (1 November 2011)
• Hacktivists pose growing threat to industrial computing (18 October 2011)
• Stuxnet clones may target critical US systems, DHS warns (27 July 2011)
• Siemens fixes SCADA holes found by hacker (13 June 2011)
• Stuxnet-style SCADA attack kept quiet after US gov tests (19 May 2011)
• Iran lays blame for Stuxnet worm on Siemens (18 April 2011)
• Dozens of exploits released for popular SCADA programs (22 March 2011)
• Stuxnet blitzed 5 Iranian factories over 10-month period (14 February 2011)
• Israel and US fingered for Stuxnet attack on Iran (17 January 2011)
• Iran admits cyberattack hit nuke programme (29 November 2010)
• Stuxnet 'a game changer for malware defence' (9 October 2010)
• SCADA worm a 'nation state search-and-destroy weapon' (22 September 2010)