undefined | Better HN

0 pointsbilbo0s4y ago0 comments

This.

I've said it a thousand times, all the security in the world will not defend a SCADA system if someone left TeamViewer running somewhere.

Don't mean to pick on TeamViewer. It could be any number of packages, but I think security minded people get an idea of the type of attack vectors I'm talking about.

0 comments

procarch20194y ago

It is mind boggling the lack of basic security principles some people have. I won't just put that on the plants and their IT/OT, or lack thereof. I've seen plenty of vendors and integrators do some cringe worthy stuff too.

rhodozelia4y ago

The whole automation industry is a security disaster but it is because security isn’t part of the deliverables for any party. It isn’t in the specs, civil, mechanical, electrical engineers it isn’t their responsibility.

If the owner has an IT department they usually don’t want to be responsible for it either since locking things down leads to weird issues with legacy proprietary SCADA systems.

There is no out of the box secure solution available yet. Rockwell certainly makes an attempt with their factory talk directory but I highly doubt that isn’t easily worked around somehow.

procarch20194y ago

Yea, that is correct. I typically put together the solutions for new systems, including security. I give the sales team part numbers and hours for security software and related hardware. They then add that as an option to quotes. No principal automation engineer wants to take that on and no IT want to be involved. Also, when money is tight that’s an easy target for them to pass on.

Luckily I’ve pushed enough over the years that we at least include A/V software as mandatory.

I’ve been able to carve out a nice space within my company bridging the IT/OT divide. It’s been particularly good recently since the bigger companies are dictating good cyber practices, but rely on integrators and vendors to implement.

I don’t think there will ever be an out of the box solution unless a system stands on its own, which is becoming increasingly harder with modernization and reliability efforts. Add on top of that privileged access, remote monitoring and support, automated (kind of) patching, etc. you have to interface with the IT side a bit.

1 more reply

no-s4y ago

> It is mind boggling the lack of basic security principles some people have.

OpSec - it's not just a buzzword, it's the Way.

j / k navigate · click thread line to collapse

0 comments

procarch20194y ago

rhodozelia4y ago

If the owner has an IT department they usually don’t want to be responsible for it either since locking things down leads to weird issues with legacy proprietary SCADA systems.

There is no out of the box secure solution available yet. Rockwell certainly makes an attempt with their factory talk directory but I highly doubt that isn’t easily worked around somehow.

procarch20194y ago

Luckily I’ve pushed enough over the years that we at least include A/V software as mandatory.

1 more reply

no-s4y ago

> It is mind boggling the lack of basic security principles some people have.

OpSec - it's not just a buzzword, it's the Way.

j / k navigate · click thread line to collapse