I’m here today to write about one particularly thorny area of operational technology (OT) and security that I run into somewhat routinely. Given my own particular interests as an incorrigible vulnerability-gazer, and my professional role as vice president of security research at runZero, I deal with OT security issues more often than the average bear. I’ve noticed that there’s definitely a vibe of, “IT be like this, but OT be like that” going on in the wider world of vulnerability management. The process of discovering, documenting, and disclosing vulnerabilities all have their own little quirks here in OT-land, so let’s jump into it!
Here, everything is legacy
At DEF CON, the ICS Village is one of the more popular places to hang out. It works well for folks who are either new to the field of infosec and cybersecurity, or old-hands in the industry, for the same reason: once you get close enough to a piece of OT technology with your modern IT vulnerability-hunting tooling and instincts, it often feels like you’re hacking like it’s 1999, all over again. Until very recently, OT, as a class, hasn’t been much concerned with prompting for passwords or validating user-supplied inputs; the assumption was that the local network is trusted. The software itself is typically run as compiled objects with limited hardware resources, so there’s not much room for fancy 21st Century defenses like ASLR and DEP (Address Space Layout Randomization and Data Execution Protection, respectively). Therefore, it’s an ideal platform species to practice, and kind of nostalgic for the more, shall we say, life-experienced.







