Highlights for Hackers

The Black Hat and DefCon hacker conferences are taking place in Las Vegas at the beginning of August. There, more than 20,000 IT security insiders will meet to learn about the latest tricks in the hacker scene. Security experts from Siemens will also be on hand, because sharing ideas and information with the hacker community helps make Siemens products more secure.

Las Vegas: Gambling, flamboyant shows, and neon signs as far as the eye can see have made this city in the Nevada desert a mecca for entertainment junkies. Once a year, however, visitors meet here who aren’t looking for amusement but rather like-minded people: hackers and nerds interested in IT system security. The Black Hat conference, which first took place in 1997, has now grown to over 20,000 participants, making it the world’s most important convention along with DefCon. DefCon was founded in 1993 and is traditionally held immediately after the Black Hat conference in Las Vegas. Black Hat and DefCon create a great deal of stress for the hotels, supermarkets and banks, who fear hacker attacks on WLAN networks, ATMs, and pay TV billing software during the conference.

Although the conference takes its name from the evil hackers bent on destruction, they’re hardly ever found among today’s attendees, or at least they don’t identify themselves.

The myth of the evil hacker

And no wonder. After all, the term "hacker" is used by many people to describe nerds in hoods that smuggle malware into PCs to obtain secret information or blackmail their owners. They’re often young people with something to prove, and sometimes even work for government intelligence services. So it might come as a surprise that since 2003, employees from Siemens’ Security Assessments and Penetration Testing research group have also been attending the conferences. Sven Lehmberg, head of the research group, isn’t afraid to meet with hackers. “The public perception of hackers has changed.” In the early days of computers, they were simply technology enthusiasts with specialized IT knowledge. It wasn’t until later that the public started associating the term with criminal manipulations. “But now there are many hackers working with companies to make their IT systems more secure,” he explains. Siemens has been successfully cooperating with these “good” white-hat hackers for many years, including at conferences like Black Hat.

Nasty surprises

With hackers’ increased sense of responsibility, the nature of the collaboration has also changed. Occasionally companies experience nasty surprises at these conferences because a hacker will secretly hack a product and then flaunt their results before the public. White-hat hackers, on the other hand, always announce what they’re working on ahead of time. This allows companies like Siemens to close security gaps before they become public. “Today we have honest discussions with hackers and approach them as equals,” says Lehmberg. This generally also prevents relatively trivial security leaks from being hyped up into huge dramas on conference podiums.

Everything’s connected – is nothing secure?

For the Siemens Corporate Technology team in Munich, hacker conferences like Black Hat, DefCon, BSides, or conferences organized in Germany by the German Chaos Computer Club are important hubs for information on IT security. Siemens’ motivation is clear: In the age of Industrie 4.0 and the Internet of Things, there are no longer any Siemens products that don’t use electronics and software. They’re all connected to the Internet, making them potential targets for attack. Ever since the Stuxnet computer worm brought the centrifuges of a nuclear power plant in Iran to a standstill via a Siemens control system in 2010, automation technology has been a favorite target for attackers. These components are found not only in factory production systems, but also in power and water supply infrastructure, where the potential for damage is extremely high.

Sharing ideas and information with experts at conferences like Black Hat and DefCon is an important part of the puzzle for minimizing these risks.

Information and job fair

What procedures are hackers following? What new methods are they using? And how long do they need to overcome security measures? Sometimes individual hackers will spend months on a specific issue, and some even re-create hardware – like a machine controller – at home. And they’re happy to talk about it at conferences. Some are seeking recognition and others are looking for a job. Many conference participants are self-employed or work for small security companies as security testers and are there to recruit customers. Or they apply for jobs at large companies. “For us, the conferences are also an opportunity to gain new employees,” says Lehmberg.

And to make Siemens products more secure. According to Lehmberg, development processes are being adapted in collaboration with other Siemens security teams, and risks are being well managed. Nevertheless, “there will never be one hundred-percent security.” Instead, the solution is to make the hacker’s job as difficult as possible. “It’s the same with your home. If your wall is tall enough, intruders quickly lose interest.”
