SE Radio 668: Steve Summers on Securing Test and Measurement Equipment
May 13, 2025
auto_awesome
Steve Summers, the Security lead for aerospace and defense systems at NI, dives into the vital topic of securing test and measurement equipment. He clarifies the distinctions between operational technology (OT) and information technology (IT) while discussing pressing security challenges faced within OT systems. The conversation spotlights the CompactRIO system's security intricacies, including its specialized Linux distribution and the importance of FPGAs. Additionally, they touch on evolving regulations and the need for robust cybersecurity practices in safety-critical industries.
Differentiating between IT and OT is crucial, as OT focuses on managing physical processes, posing unique security risks.
Test and measurement systems are vulnerable targets for hackers, making their security critical to prevent widespread malware distribution.
The evolving landscape of cybersecurity regulations is pushing manufacturers to enforce stricter standards for critical operational technologies.
Deep dives
Understanding Test and Measurement Equipment
Test and measurement equipment plays a critical role in ensuring the functionality and reliability of various products before they reach consumers. This equipment serves as the bridge between the physical and virtual worlds, allowing engineers to test components like airplane wings or car parts. For instance, the equipment is utilized to control devices such as pumps and valves, which raises substantial security concerns. If compromised, these test systems could be manipulated to affect real-world physical devices, thereby posing a much greater risk than traditional IT systems.
The Distinction Between IT and OT
Operational technology (OT) differs from information technology (IT) in that OT focuses on the management of physical processes versus data systems. IT systems handle data storage and retrieval, while OT involves controlling and monitoring physical devices in industries such as manufacturing, transportation, and energy. The security implications for OT are particularly significant, as breaches can result in physical harm or disruption to critical infrastructure, like gas supplies or electrical grids. Therefore, the distinction is crucial in understanding the varying security strategies needed for each type of technology.
Threat Models Specific to Test Systems
The threat model for test and measurement systems varies greatly depending on the application and the devices being tested. These systems can become prime targets for hackers looking to spread malware, especially given their role in product production lines, such as those producing consumer technology. A notable example involves compromised picture frames which were used to spread malware across networks once delivered to consumers. In a riskier context, attacking the test systems for critical devices like military aircraft can potentially enable attackers to deploy harmful code across numerous high-stakes systems.
Security Challenges of LabVIEW and TestStand
LabVIEW and TestStand are widely used programming environments in the test and measurement industry, facilitating the creation and execution of test procedures. However, their unique graphical programming approach poses challenges in applying standard security practices applied to text-based programming languages. Security tools such as static code analyzers are less effective with LabVIEW due to its graphical nature, leaving developers responsible for implementing security measures manually. Ongoing collaboration between developers and security experts is necessary to identify and mitigate vulnerabilities specific to LabVIEW environments.
Evolving Security Regulations and Practices
The landscape of regulations concerning cybersecurity in the operational technology sphere is evolving, especially following incidents involving compromised infrastructure. Government bodies, particularly in the U.S. and Europe, are beginning to enforce stricter cybersecurity standards on systems involved in critical operations, like the Cybersecurity Maturity Model Certification (CMMC) for defense contractors. In Europe, new regulations mandate that digital products meet certain security thresholds before being sold, driving manufacturers to adopt more robust cybersecurity practices. As cyber threats continue to grow, organizations must adapt to these changing regulations while securing aging systems against new threats.
Steve Summers speaks with SE Radio host Sam Taggart about securing test and measurement equipment. They start by differentiating between IT and OT (Operational Technology) and then discuss the threat model and how security has evolved in the OT space, including a look some of the key drivers. They then examine security challenges associated with a specific device called a CompactRIO, which combines a Linux real-time CPU with a field programmable gate array (FPGA) and some analog hardware for capturing signals and interacting with real-world devices.
