rss-bridge 2025-05-13T21:18:00+00:00

SE Radio 668: Steve Summers on Securing Test and Measurement Equipment

Steve Summers speaks with SE Radio host Sam Taggart about securing test and measurement equipment. They start by differentiating between IT and OT (Operational Technology) and then discuss the threat model and how security has evolved in the OT space, including a look at some of the key drivers. They then examine security challenges associated with a specific device called a CompactRIO, which combines a Linux real-time CPU with a field programmable gate array (FPGA) and some analog hardware for capturing signals and interacting with real-world devices.

Brought to you by IEEE Computer Society and IEEE Software magazine.




Transcript

Transcript brought to you by IEEE Software magazine.

This transcript was automatically generated. To suggest improvements in the text, please contact [email protected] and include the episode number and URL.

Sam Taggart 00:00:18 This is Sam Taggart for SE Radio. I’m here today with Steve Summers. Steve is the security lead for aerospace and defense systems at NI and focuses on the security of mechanical test systems. He has worked in the test and measurement industry for more than 25 years. In full disclosure, I personally am an NI partner and LabVIEW champion, and today Steve and I are going to talk about securing test and measurement equipment. And before we get started, we’ve talked about similar subjects on this podcast in episodes such as Episode 639, Cody Ebberson on Regulated Industries, Episode 541 with Jordan Harband and Donald Fischer on Supply Chain Security and 587 with M. Scott Ford on Managing Dependency Freshness. Welcome Steve.

Steve Summers 00:01:03 Thank you.

Sam Taggart 00:01:04 Let’s start by defining test and measurement equipment. What exactly are we talking about securing?

Steve Summers 00:01:10 Great question. When I talk to engineers, of course I talk about the ability to test products that they’re making. But if I’m talking to my grandma, my grandpa and trying to explain what we do in test and measurement, what we do is we help engineers test the products that are delivered to customers, right? When you buy a new phone, you don’t want it to come out of the box dead. If you buy a new car, you don’t want any of the parts to not work. So we’re helping to test all of those components and the systems before they deliver. Really what we are, it’s the interface between the physical and the virtual world, right? Because if you’re testing an airplane wing, you need to bring those signals into your computer somehow. And because we’re playing that interface role of connecting from the real world to the virtual world, that makes security kind of interesting and also really important because now we’re actually touching things.

Steve Summers 00:01:57 And in the test world, that means one thing, but the fact that we play that broader role of just interfacing to the real world means that in some cases we’re controlling pumps and valves and electrical circuits and electrical grids, and we’re doing solar power testing and those kinds of things. All of that is more interesting in this new security world because now if somebody can break into one of our test systems or into one of our systems that’s connected to the real world, that gives them a way to go from their malicious habitat, right, into an actual physical thing, which might be a self-driving car, it might be a picture frame as we’ll talk about it. It might be all kinds of different things. So that’s what we’re trying to get to, is how do we secure those things that allow us to connect to the real world so we can do things like perform test.

Sam Taggart 00:02:42 So if I understand you correctly, what you’re saying is that the consequences can be much higher with this type of equipment as opposed to a computer system that’s just a database for a bank or something like that?

Steve Summers 00:02:53 Yeah. If you think about some of the more interesting stories we see on the news, you hear about banks and schools and hospitals being hijacked for money, and that’s really bad. I’m not trying to downplay that at all. That really stinks. But the stories that become really interesting is when they cut off our gas supply, when they cut down an electrical grid, when they interfere with our traffic lights, when they interfere with the products that we have. And so this world of operational technology is how we kind of differentiate from informational technology. So this world of operational technology is a big fat target because the consequences of it can be so much greater than just draining your bank account.

Sam Taggart 00:03:29 So when you say operations technology, is that when I hear people refer to the word OT, that’s what they’re referring to?

Steve Summers 00:03:34 Exactly. And so you’ll see in some of the government documentation, they’ll differentiate between an IT system and an OT system. And that’s what they mean is operational technology.

Sam Taggart 00:03:43 So if I wanted to understand that correctly, then it would be something that is connected more informational, more databases and transferring data back and forth, whereas OT is more interacting with the real world.

Steve Summers 00:03:54 Yeah, so think about operational technology as you can think about it as the back end of the office. So the front end of the office, all the websites and the finance systems, all of that is informational technology. And the back end is the PLCs, the robots, the automation, the field, things like valves and airports and all of those pieces. Those are all operational technology.

Sam Taggart 00:04:13 So you used the term PLCs. Do you want to say what that is just for those who might not know.

Steve Summers 00:04:18 Yeah. So when you start getting into automating something, right? If you’re automating a production line, or if you’re automating a roller coaster, you need a controller that can control that world. And most often that is done through discrete inputs and outputs. And one very common way of doing that is with programmable logic controllers. And those are PLCs. So those are made by big companies like Allen-Bradley and Siemens, and they’re programmed through digital logic. And those are very, very common. My company at National Instruments, we don’t make PLCs, but because we’ve played this world of the interface between the real world and the virtual world, one of the interesting things that we do is that we make analog controllers that can control some of those circuits. So sometimes, rather than just looking at a gate or a door and say, is that door open?

Steve Summers 00:05:03 If the door is open, then flash this light, which is what a PLC is great for. We look at things like how fast something is changing. Is something vibrating? Is it vibrating out of control? If so, then go turn this other pump on or turn it off. So we’re controlling analog circuits by reading analog signals. That’s a lot harder for a PLC to do. And so that’s actually something that we do really well because we come from the world of analog circuitry and doing all the other kinds of testing. And the other interfacing that we talked about.

[...]

