undefined | Better HN

0 pointsprocarch20194y ago0 comments

Yea, that is correct. I typically put together the solutions for new systems, including security. I give the sales team part numbers and hours for security software and related hardware. They then add that as an option to quotes. No principal automation engineer wants to take that on and no IT want to be involved. Also, when money is tight that’s an easy target for them to pass on.

Luckily I’ve pushed enough over the years that we at least include A/V software as mandatory.

I’ve been able to carve out a nice space within my company bridging the IT/OT divide. It’s been particularly good recently since the bigger companies are dictating good cyber practices, but rely on integrators and vendors to implement.

I don’t think there will ever be an out of the box solution unless a system stands on its own, which is becoming increasingly harder with modernization and reliability efforts. Add on top of that privileged access, remote monitoring and support, automated (kind of) patching, etc. you have to interface with the IT side a bit.

0 comments

rhodozelia4y ago

Sadly the OT networks are 100% trusting of any device on the network. With Schneider plcs any device on the OT network can write to any addressed memory register over modbus - it’s like direct memory access DMA.

I hope that one day every device on the OT network has a yubikey and all messages are signed so that no unauthenticated access is possible.

procarch2019OP4y ago

Interesting, I'll have to take a look at yubikey. I just installed a Tofino firewall with the Modbus Enforcer LSM between one of our DCS and accompanying SIS systems. We have never had a system communicate process data directly up the networks except through OPC (mostly DA, which is even more problematic for firewalls). Luckily OPC UA is now natively supported on our application, so things are starting to move in that direction.

Luckily a lot of our customers use PI, so we install the PI OPC interface on the application layer and only PI ports need to be opened to the next level.

Even more so the vendor we work with, Emerson, even has IPD firewalls to go between the DCS computers (engineering, historians, operator stations) and the I/O (what we refer to as level 2). The price tag can really jump when you implement all these security features, but an argument can easily be made that it's worth it when you consider some of our customers run batches that can be worth $500K or more per batch.

j / k navigate · click thread line to collapse