After Stuxnet, a rush to find bugs in industrial systems

14.10.2011

"He basically lectured me about how INL doesn't interact with hackers and I should be very careful throwing that word around," Finisterre recalled. "I was like, 'Dude, I really hope you're joking, because you're supposed to be at the forefront of the research on this.'"

Call it an early skirmish in a culture clash between two worlds: the independent security researchers accustomed to dealing with tech firms such as Microsoft and Adobe, who have learned to embrace the hacker ethos, and the more conservative companies that develop and test industrial control systems, who often act like they wish these white-hat hackers would go away.

Earlier this year, Dillon Beresford, a security researcher at the consultancy NSS Labs, found a number of flaws in Siemens' programmable logic controllers. He had no complaints about the U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team, run out of INL. But he said Siemens did a disservice to its customers by downplaying the issues he'd uncovered. "I'm not pleased with their response," Beresford said earlier this year. "They didn't provide enough information to the public."

ICS-CERT was set up two years ago to handle the kind of bugs that Beresford and Finisterre are now finding with ease. The number of incidents funneled through ICS-CERT has increased six-fold in the past few years, from dozens of issues to hundreds, according to Marty Edwards, director of the Control Systems Security Program and the person in charge of ICS-CERT.

"The reason we're seeing such an increase is because, quite frankly, SCADA and industrial control systems [have become] cool," he said. "Things like Stuxnet have raised the attention level that industrial control systems and critical infrastructure systems are getting."