What questions would you have for a panel of self-described industrial automation security experts?
(As you might guess, I'm helping to organize said panel. I'm not 100% on-board with security "experts" though, especially versus real-world experience.)
Are you trying to vet the "experts" to pick the best ones, or create a list of leading questions to provide good discussion during the panel?
There are some good questions so far. Cardosocea makes a great point, discussion at these events is usually focused on teh digital, and physical security is at least as important. Assuming your goal is to provide discussion generating questions, here are few more:
1) What are some differences between the requirements of traditional IT security and security in an industrial production environment?
2) What are your best practices for keeping devices updated?
3) When you discovered that one of your systems had been compromised, how to did you resolve the situation?
4) A question about penetration testing (red team vs blue team hacking, etc) might be interesting as a follow up to 3. not sure how to phrase it, though. A bit of "scare the audience straight" is good for any security talk.
It's all fun and games, but short of OPC UA, I can't think of a driver/PLC comms that includes some sort of security level.
slightly OT, but I know Siemens has the option to password protect HMI/SCADA comms to their S7-1500. It's a proprietary protocol, though, so I don't know if anyone else has implemented/reverse engineered it yet.
It's better than nothing, but it's definitely nowhere near where OPC UA is. The everyone seems to be OK treating the automation network as a trusted zone, except that every plant I walk into practically considers the generic operator to be a malicious actor.
There's also Bedrock, but I've never had the opportunity to talk to a user to understand how practical the system really is, compared to what you expect from the big name PLC vendors these days (safety, motion control, IO over Ethernet, etc).