
It is mind-boggling the lack of basic security principles some people have. I won't just put that on the plants and their IT/OT, or lack thereof. I've seen plenty of vendors and integrators do some cringe-worthy stuff too.


The whole automation industry is a security disaster, but it is because security isn’t part of the deliverables for any party. It isn’t in the specs; for civil, mechanical, and electrical engineers it isn’t their responsibility.

If the owner has an IT department they usually don’t want to be responsible for it either since locking things down leads to weird issues with legacy proprietary SCADA systems.

There is no out-of-the-box secure solution available yet. Rockwell certainly makes an attempt with their FactoryTalk Directory, but I highly doubt that isn’t easily worked around somehow.


Yea, that is correct. I typically put together the solutions for new systems, including security. I give the sales team part numbers and hours for security software and related hardware. They then add that as an option to quotes. No principal automation engineer wants to take that on, and no IT wants to be involved. Also, when money is tight that’s an easy target for them to pass on.

Luckily I’ve pushed enough over the years that we at least include A/V software as mandatory.

I’ve been able to carve out a nice space within my company bridging the IT/OT divide. It’s been particularly good recently since the bigger companies are dictating good cyber practices, but rely on integrators and vendors to implement.

I don’t think there will ever be an out-of-the-box solution unless a system stands on its own, which is becoming increasingly harder with modernization and reliability efforts. Add on top of that privileged access, remote monitoring and support, automated (kind of) patching, etc., and you have to interface with the IT side a bit.


Sadly, the OT networks are 100% trusting of any device on the network. With Schneider PLCs any device on the OT network can write to any addressed memory register over Modbus - it’s like direct memory access (DMA).

I hope that one day every device on the OT network has a YubiKey and all messages are signed so that no unauthenticated access is possible.


Interesting, I'll have to take a look at YubiKey. I just installed a Tofino firewall with the Modbus Enforcer LSM between one of our DCS and accompanying SIS systems. We have never had a system communicate process data directly up the networks except through OPC (mostly DA, which is even more problematic for firewalls). Luckily, OPC UA is now natively supported on our application, so things are starting to move in that direction.

Luckily, a lot of our customers use PI, so we install the PI OPC interface on the application layer and only PI ports need to be opened to the next level.

Even more so, the vendor we work with, Emerson, has IPD firewalls to go between the DCS computers (engineering, historians, operator stations) and the I/O (what we refer to as level 2). The price tag can really jump when you implement all these security features, but an argument can easily be made that it's worth it when you consider some of our customers run batches that can be worth $500K or more per batch.
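The two comments above describe the same problem from both sides: plain Modbus/TCP carries no authentication, so any host on the OT segment can issue a write, and the usual mitigation is a protocol-aware firewall (such as the Modbus Enforcer mentioned) that only passes function codes and register ranges each client is entitled to. The following is an added example, not code from this thread, from Tofino, or from any PLC vendor: a minimal Modbus/TCP parser plus a per-client allow-list evaluator that models what such an enforcer checks. The IP addresses, the policy and the sample frames are all constructed for the example; the frame layout and function codes are the public Modbus/TCP ones.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Public Modbus function codes used in this example
READ_COILS = 0x01
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_COIL = 0x05
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_COILS = 0x0F
WRITE_MULTIPLE_REGISTERS = 0x10
WRITE_CODES = {WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER,
               WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    start_address: int
    quantity: int  # coils/registers touched by the request


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode the MBAP header and the address/quantity fields of a request PDU.
    Raises ValueError on anything malformed so the caller fails closed."""
    if len(frame) < 8:
        raise ValueError("frame too short")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id is not Modbus (0)")
    if length != len(frame) - 6:            # MBAP length covers unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    pdu = frame[7:]
    fc = pdu[0]
    if fc not in {READ_COILS, READ_HOLDING_REGISTERS} | WRITE_CODES:
        raise ValueError(f"unsupported function code 0x{fc:02x}")
    if len(pdu) < 5:
        raise ValueError("PDU truncated")
    if fc in (WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER):
        addr = struct.unpack(">H", pdu[1:3])[0]   # single write: address + value
        qty = 1
    else:
        addr, qty = struct.unpack(">HH", pdu[1:5])  # reads / multi-writes: address + quantity
    return ModbusRequest(tid, unit, fc, addr, qty)


@dataclass
class HostRule:
    functions: Set[int]                                   # permitted function codes
    write_ranges: List[Tuple[int, int]] = field(default_factory=list)  # inclusive [lo, hi]


# Constructed policy: an operator HMI that may only read, and an engineering
# station that may write holding registers 100-199 only. Default is deny.
POLICY: Dict[str, HostRule] = {
    "10.20.1.10": HostRule({READ_COILS, READ_HOLDING_REGISTERS}),
    "10.20.1.20": HostRule({READ_HOLDING_REGISTERS, WRITE_SINGLE_REGISTER,
                            WRITE_MULTIPLE_REGISTERS}, [(100, 199)]),
}


def evaluate(policy: Dict[str, HostRule], src_ip: str, frame: bytes) -> Tuple[str, str]:
    """Return ('ALLOW'|'DENY', reason) for one request from src_ip."""
    rule = policy.get(src_ip)
    if rule is None:
        return "DENY", f"{src_ip} is not an authorised Modbus client"
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as err:
        return "DENY", f"malformed frame: {err}"
    if req.function not in rule.functions:
        return "DENY", f"{src_ip} may not use function 0x{req.function:02x}"
    lo, hi = req.start_address, req.start_address + req.quantity - 1
    if req.function in WRITE_CODES and not any(a <= lo and hi <= b for a, b in rule.write_ranges):
        return "DENY", f"write to {lo}-{hi} is outside permitted ranges"
    return "ALLOW", f"function 0x{req.function:02x} on {lo}-{hi}"


def build_request(tid: int, unit: int, fc: int, addr: int, arg: int) -> bytes:
    """Construct a Modbus/TCP request frame as sample input (not real traffic)."""
    if fc in (READ_COILS, READ_HOLDING_REGISTERS, WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER):
        pdu = struct.pack(">BHH", fc, addr, arg)      # arg = quantity (reads) or value (single write)
    elif fc == WRITE_MULTIPLE_REGISTERS:
        pdu = struct.pack(">BHHB", fc, addr, arg, 2 * arg) + b"\x00" * (2 * arg)  # arg = quantity
    else:
        raise ValueError("function not supported by this builder")
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def run_samples() -> List[str]:
    """Constructed traffic: returns the verdict for each sample in order."""
    samples = [
        ("10.20.1.10", build_request(1, 1, READ_HOLDING_REGISTERS, 0, 10)),      # HMI read: ALLOW
        ("10.20.1.20", build_request(2, 1, WRITE_SINGLE_REGISTER, 150, 1234)),   # eng write in range: ALLOW
        ("10.20.1.20", build_request(3, 1, WRITE_MULTIPLE_REGISTERS, 198, 5)),   # spills to 202: DENY
        ("10.20.1.10", build_request(4, 1, WRITE_SINGLE_REGISTER, 150, 1)),      # HMI writing: DENY
        ("10.20.1.99", build_request(5, 1, WRITE_SINGLE_REGISTER, 150, 1)),      # unknown host: DENY
        ("10.20.1.20", build_request(6, 1, READ_HOLDING_REGISTERS, 0, 10)[:-1]), # truncated: DENY
    ]
    return [evaluate(POLICY, ip, frame)[0] for ip, frame in samples]


if __name__ == "__main__":
    for verdict in run_samples():
        print(verdict)
```

The point of the third sample is the one a register-range check most often gets wrong: a multi-register write is judged on the whole span it touches, not just its start address, so a write starting inside the permitted range but running past its end is refused. Malformed frames are refused rather than passed through, since a parser that fails open gives back exactly the unrestricted access the allow-list was meant to remove.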


> It is mind-boggling the lack of basic security principles some people have.

OpSec - it's not just a buzzword, it's the Way.



