IEC62443-4-2-wtf? Operational Technology Device Security

Presented at Disobey 2023, Feb. 18, 2023, 7:45 p.m. (30 minutes).

Operational Technology (OT) is what controls big moving things, medical systems and many other invisible but critical things. A single failure in an OT system can cause big trouble, in worst-case killing someone. Safety matters and more and more safety requires security. For a long time OT security was solved with air-gapped networks. However, today network connections are needed for both control and data collection. OT device manufacturers apply many standards. For example, safety alone has multiple essential standards. Now the industrial sector is in progress of adopting Operation Technology cyber security standard IEC62443-4-2. The standard set security requirements for industrial devices. Manufacturers may see security standard as just another standard to comply with. However, expecting device security standard alone to produce good security is pretty optimistic. Most device security standards do not give sufficient requirements for good security, but only set a starting point for the security work. This highlights the need to apply also less formal means to get focus into security, e.g., hacker mentality!

Presenters:

• Lauri Paatero - Security Architect, Wapice Oy
  Lauri has developed secure systems almost 30 years, including smartcards, mobile phones and cryptographic systems. While Lauri's main job has been to create things, finding vulnerabilities has always been a large and interesting part of this. Creating security that fits to the problem at hand is a key driver for Lauri. This often means not only improving security, but also combining security solutions with other important goals Multiple times this has resulted in new cryptographic solution where standard solutions are unsuitable. Lauri's main focus has been on embedded devices. The most notable creation has been the early work for Trusted Execution Environments, before TEE name was coined. Since 2019 Lauri has been working at Wapice Oy, helping customers implement industrial IoT securely and supporting in challenging cryptography designs.

Links:

• https://disobey.fi/2023/profile/wtf_operational_technology

Similar Presentations:

• Black Hat USA 2019 / The Future of Securing Intelligent Electronic Devices Using the IEC 62351-7 Standard for Monitoring
• Kernelcon 2022 / Secure OT Incorporation: Bringing the OT and IT Environments Together
• DeepSec 2020 „The Masquerade“ / Defending Industrial Control Systems (closed)