It's no surprise that OT security has fared poorly over the last 30+ years. To many appsec folks, these systems have uncommon programming languages, unfamiliar hardware, and brittle networking stacks. They also tend to have different threat scenarios. Many of these systems are designed, successfully, to maintain availability. But when a port scan can freeze or crash a device, that availability seems like it hasn't put enough consideration into adversarial environments. We chat about the common failures of OT design and discuss a few ways that systems designed today might still be secure 30 years from now.
Segment Resources: https://linktr.ee/huxley_barbee
BSidesNYC: LinkedIn: https://www.linkedin.com/company/bsidesnyc/ Mastodon: https://infosec.exchange/@BSidesNYC
runZero has a tool that can safely discover your entire OT network: Free trial: https://www.runzero.com/try/signup/
Show Notes: https://securityweekly.com/asw-259