Questions for Security Experts

fabianaj (Member, joined Sep 2018, Richmond, VA, 5 posts)
What questions would you have for a panel of self-described industrial automation security experts?

(As you might guess, I'm helping to organize said panel. I'm not 100% on-board with security "experts" though, especially versus real-world experience.)
 
This sort of separation between experience and "experts" or theoretical knowledge always reminds me of a text by a fellow countryman of mine.

The translation is poor, but should be enough to get the gist of it.

"Every theory is made to be put in practice, and every practice must obey a theory.
Only the superficial minds disconnect theory from practice, not taking into account that theory is practice of theory and practice is nothing more than theoretical practice.
Those who know nothing of a subject and by chance or at random do something related to it call "theoretical" those who know more and, by the same measure of luck, achieve less.

Those who know but know not how to apply (meaning that they don't really know, because not knowing how to apply is also a way of not knowing) feel angry at those who apply by instinct, or without really knowing.

But in both cases, for the sane and intelligent man, there is an abusive separation.
In life, theory and experience complete each other. They were made for each other."

The questions from my current position would be along the lines of where they see security between PLCs and SCADAs in the near future.
It's all fun and games, but short of OPC UA, I can't think of a driver/PLC comms protocol that includes some sort of security level.

Second, I would ask what their opinions and best practices are for third party remote support. Although I completely disagree with this and every plant should have someone that knows what the controls are doing, this is not always the case, and having a way of implementing this safely by taking into consideration that each vendor should only be able to access his equipment would be interesting.

Lastly, what is their opinion on why safety does not take into account physical access in the industrial automation world. I was forced by IT to install an Active Directory based access control to the SCADA system of the plant... our tank farm sits outside a shared site and anyone can open as many valves as they want and start pumps from the buttons sitting outside. IT looked at this and didn't bat an eye...
 
I was forced by IT to install an Active Directory based access control to the SCADA system of the plant... our tank farm sits outside a shared site and anyone can open as many valves as they want and start pumps from the buttons sitting outside. IT looked at this and didn't bat an eye...

That's a clear example of why you can't separate physical and cyber security if I've ever seen one! Thanks for your responses, I think they're very insightful.
 
Based on my experience..

1. Do you know what a PLC is, ever program one? Ever get called at 2AM for a machine issue?

2. Why or why not use an air-gap (the reasoning is what matters).

3. Familiar with ISA-95 or Rockwell/Cisco CPwE?

4. What's the difference between Compliance and Security?
 
Based on my experience..

1. Do you know what a PLC is, ever program one? Ever get called at 2AM for a machine issue?

2. Why or why not use an air-gap (the reasoning is what matters).

3. Familiar with ISA-95 or Rockwell/Cisco CPwE?

4. What's the difference between Compliance and Security?

For #3, is there a point to be made about ISA-95 or CPwE? It'd be good to rephrase that so that it's not possible to just answer with a single word. I really like your second and fourth questions because they generate discussion and differences of opinion.
 
What questions would you have for a panel of self-described industrial automation security experts?

(As you might guess, I'm helping to organize said panel. I'm not 100% on-board with security "experts" though, especially versus real-world experience.)

Are you trying to vet the "experts" to pick the best ones, or create a list of leading questions to provide good discussion during the panel?

There are some good questions so far. Cardosocea makes a great point: discussion at these events is usually focused on the digital, and physical security is at least as important. Assuming your goal is to provide discussion-generating questions, here are a few more:

1) What are some differences between the requirements of traditional IT security and security in an industrial production environment?

2) What are your best practices for keeping devices updated?

3) When you discovered that one of your systems had been compromised, how did you resolve the situation?

4) A question about penetration testing (red team vs blue team hacking, etc.) might be interesting as a follow-up to 3. Not sure how to phrase it, though. A bit of "scare the audience straight" is good for any security talk.

It's all fun and games, but short of OPC UA, I can't think of a driver/PLC comms that includes some sort of security level.

Slightly OT, but I know Siemens has the option to password protect HMI/SCADA comms to their S7-1500. It's a proprietary protocol, though, so I don't know if anyone else has implemented/reverse engineered it yet.

It's better than nothing, but it's definitely nowhere near where OPC UA is. Everyone seems to be OK treating the automation network as a trusted zone, except that every plant I walk into practically considers the generic operator to be a malicious actor.

There's also Bedrock, but I've never had the opportunity to talk to a user to understand how practical the system really is, compared to what you expect from the big name PLC vendors these days (safety, motion control, IO over Ethernet, etc).
 
Are you trying to vet the "experts" to pick the best ones, or create a list of leading questions to provide good discussion during the panel?

We've got three really solid panelists so far, two that have reputations in information security, and one who's spent his life in PLCs. All have public speaking experience. We're hoping to find about two more, plus a moderator.

These questions are to be the prompts to the panelists at the event. Panelists will have access to the questions beforehand, though they won't know which ones we'll choose to ask. It's not like we're trying to trick them - we're hoping for insightful responses and an interesting dialog. There will also be audience questions.
 
It's not like we're trying to trick them

Hah, oops, when I said "leading questions" I meant "giving them questions that are easy to answer/turn into a discussion", like a "softball" question. Sorta like on late night interview shows, how the host JUST HAPPENS to always ask questions that the celebrity answers with a hilarious story to plug their movie/book/album/show.

Yeah, trying to play "stump the panelist" as the host is a quick way to have an empty panel next time.
 
I guess I should have asked, what's the purpose?

I had assumed you are just vetting people to help you come up with a workable security scheme for your organization. Hence my answer.
 
I guess I should have asked, what's the purpose?

I had assumed you are just vetting people to help you come up with a workable security scheme for your organization. Hence my answer.

Hah! fair enough though, I didn't really give much context for this.

What's going on is that my group of engineers and engineering students is putting on an event, which is a panel-style discussion of PLC security. The event is meant to be educational, and a chance for either those who work in PLCs or those who work in computer security to meet "the other side" and exchange ideas. If it goes well we're hoping to have a series of these panels on various topics within the field of electrical and computer engineering.
 
1. Why do you keep the management network separate from the plant manufacturing network?
2. When do you have to turn off the firewall on PCs?
3. Why is license management critical?
4. Why do you scan laptops, jump drives, and other media coming into the plant from outside sources, and when company systems have been elsewhere or abroad?
5. How would you allow someone to be at home and remote into the plant? What are some of the risks involved with this, and how would you eliminate some of those risks?

regards,
james
 
1. How do you balance security with remote access/troubleshooting?
It's nice to have a secure system, but if it isn't working because the one guy who needs to connect and reprogram it is 3500 miles away, a secure system isn't a useful system.
2. How do you plan for the obsolescence (or at least lack of security updates) of operating systems that may not be used in the PLC but are still used for programming/troubleshooting older systems?
3. How do you secure a PLC based on an embedded PC, such as one still running Windows XP?
 
1) What are some differences between the requirements of traditional IT security and security in an industrial production environment?

2) What are your best practices for keeping devices updated?

Very good questions these... I think the first one is tricky as I don't think there are many people that are aware of the risks on both sides. Although over time there will be.
 
1) What are some differences between the requirements of traditional IT security and security in an industrial production environment?

Very good questions these... I think the first one is tricky as I don't think there are many people that are aware of the risks on both sides. Although over time there will be.

A follow-up is a discussion of how they are similar and how one affects the other (or becomes a point of failure). A while back, one of the big-box retailers had their credit card system compromised because of lack of security on the HVAC system. Most nefarious actors aren't gonna hack the credit card system to take over the air conditioning, but I imagine there are companies that would not want their recipes on a PLC compromised by something injected into the enterprise network (or taking out their uranium enrichment centrifuges :)).
 