In this episode of the Unsolicited Response Podcast I interview Megan Samford and Rick Cherney of Rockwell Automation.
We cover two main topics. First, we discuss how they handle vulnerabilities reported to them by researchers and through other means. We focus on how this process has progressed over the years, as well as how vendors could provide more useful vulnerability and remediation information to their customers.
Second, we discuss how Rockwell Automation is getting past the Insecure By Design issue that has plagued Level 1 / PLC devices, most notably through signed firmware and the ICS protocol security in CIP Security. We also delve into the challenges of getting CIP Security deployed in both green field and legacy systems.
I begin the podcast with a brief tribute to Mike Assante’s unique skills and how they helped the ICS security effort. They pale in importance to the tributes of Mike as a father, friend and mentor, but nevertheless were impressive and hopefully some can pick up the load.
- CIP Security Video from S4
- Rockwell Automation Security Home Page
- Rockwell Automation Industrial Security Advisory Index (Requires Account Registration)
- Factory Talk Policy Manager Getting Results Guide (CIP Security Configuration Software)
- S4x20 Call For Presentations
- Just three of the many Mike Assante tributes are an article on CSO from Aaron Turner, Rob Lee’s blog and a final message from Mike to the community.
This episode was sponsored by CyberX. Founded by military cyber experts with nation-state expertise defending critical infrastructure, CyberX has developed an end-to-end platform for continuous ICS threat monitoring and risk mitigation.
This episode was sponsored by aeSolutions. aeSolutions is an engineering and consulting company specializing in process safety and industrial cybersecurity. aeSolutions pioneered the CyberPHA methodology, a proven method for assessing industrial control system (ICS) cybersecurity risk that leverages well-established process safety techniques.