Cariad

Vaguely cool girl on the Internet

About me

šŸ³ļøā€šŸŒˆ Lesbian

🦊 Love foxes

šŸ„— Vegetarian

šŸŽ® RPG lover

šŸ”’ Lead a cyber security team

āš–ļø Ace Attorney fan girl

šŸŽ™ļø Mediocre podcaster


My blog:
https://cariadheather.medium.com


Also check out

🚇 @VancouverTransit (Transit Lore)

🐈 @LunaTheCat (My Cat)

🎤 @ShawiniganMoments (Podcast)


posts from @Cariad tagged #cyber security


I decided to ask ChatGPT a question I once had during a job interview before being hired on at my current company:

Tell me what to do as a cyber security professional working in an industrial control network when an HMI is compromised and human safety is possibly at risk

And its immediate response was to give me this answer:

If you're a cybersecurity professional working in an industrial control network and you suspect that an HMI (Human Machine Interface) is compromised with potential risks to human safety, it's crucial to take immediate and systematic steps to address the situation. Here's a general guideline:

  1. Isolate the Compromised System:
  • Identify the compromised HMI system and disconnect it from the network immediately to prevent further spread of the attack.
  • If possible, isolate the compromised system physically to ensure it cannot communicate with other networked devices.
  2. Notify Relevant Personnel:
  • Alert the appropriate personnel, including operations, management, and IT security teams, about the compromise.
  • Activate the incident response team and emergency procedures as outlined in your organization's cybersecurity and safety policies.

This has me quite pissed off.

The thing that ChatGPT did here was assume that industrial control security is handled no differently than enterprise or general computing; this is dead wrong.

Industrial control involves human safety and taking an HMI out of the equation can actually make matters worse. There have been documented situations where making arbitrary decisions such as the recommended "disconnect it from the network" can trigger cascading effects or outcomes that are undesired.

Unplugging an HMI from a PLC and a control network as a whole could cause a ripple effect that puts human lives in danger. An HMI is basically a computer (but built to withstand a rugged environment) and a PLC (programmable logic controller) is the interface the HMI interacts with to make machines do things. I am simplifying things greatly here, but the point is that they're not regular computers.

ChatGPT correctly states to notify relevant personnel, but this both fails to put this at the start and doesn't mention someone like a plant manager or similar role. You need people who are familiar with the equipment to do things like lockout, shutdown, et cetera--in my field we call them "subject matter experts" or "SMEs".

If I am to hear of a compromised HMI, my instinct is to talk to the person overseeing the operations first and get them to help mitigate it before even dreaming of disconnecting anything unilaterally. I do not want to be responsible for or creating increased risk for human casualties.

This scares the fuck out of me.



Via Wikipedia:

One significant difference from previous versions of Windows NT is that the Graphics Device Interface (GDI) is moved into kernel mode rather than being in user mode in the CSRSS process. This eliminated a process-to-process context switch in calling GDI functions, resulting in a significant performance improvement over Windows NT 3.51, particularly in the graphical user interface. This, however, also mandated that graphics and printer drivers had to run in kernel mode as well, resulting in potential stability issues.

It has been my longest-standing gripe in cyber security--I probably first started complaining about this in discussion forums as early as 2003. LogoFAIL pretty much demonstrates my point.



Moo
@Moo

A forum I'm on[1] declined to add 2FA for these reasons:

  • Implementing a third-party sign-on solution comes with a big technical cost for a security benefit that isn't any better than using a unique password on every website
  • Many users would get locked from their accounts if they lose their phones or something similar, which will create a lot of administrative problems for our staff. The recovery pathway for lost 2-factor on websites is based on reconfirming ownership of your email account, and we will be using that same reverification of email account in our own login security features instead, without causing drama when trading in for a new phone.

  [1] It's Chicken Smoothie, a child-friendly virtual pet game. Remember those dogs in people's forum signatures?


Cariad
@Cariad

This is a half-assed post here.

Implementing a third-party sign-on solution comes with a big technical cost for a security benefit that isn't any better than using a unique password on every website

  1. No. The point of 2FA is so if one's password is compromised for that specific website or service, it prevents them from logging in. This is of course potentially moot if the database for said service is compromised, but in a situation such as phishing, it absolutely is worthwhile.

  2. Implementing a third-party sign-on solution is actually better in a lot of ways provided you can trust it to begin with. I personally advocate against someone running their own authentication if they can help it. For larger services, this is probably not worth doing but isn't completely worth dismissing altogether, but for some random message board, you're probably better off not doing it yourself.

Many users would get locked from their accounts if they lose their phones or something similar, which will create a lot of administrative problems for our staff. The recovery pathway for lost 2-factor on websites is based on reconfirming ownership of your email account, and we will be using that same reverification of email account in our own login security features instead, without causing drama when trading in for a new phone.

There are a lot of ways to do 2FA where it does not require effort on your staff's part should you provide it. Have some faith in your users should they enable it. Backup methods should be easy to come by.

In any event, whoever runs this website is unaware of things. If they won't enable it and have this mindset, they're probably going to stick their heels in.
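To make the two points above concrete (a phished password alone does not get an attacker in, and a recovery path can be self-service with no staff involvement), here is an added example, not code from the forum or from anyone in this thread. It implements RFC 6238 TOTP verification with the RFC's own test secret plus single-use hashed backup codes; the account, password and code-window handling are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Optional, Set, Tuple

# Constructed demo account (assumption, not any real site's data).
# SECRET is the RFC 6238 Appendix B test secret, so the codes below are checkable.
SECRET = b"12345678901234567890"
PASSWORD_HASH = hashlib.sha256(b"correct horse battery staple").hexdigest()


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code: HOTP (RFC 4226, SHA-1) over the 30-second time counter."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def make_backup_codes(n: int = 5) -> Tuple[List[str], Set[str]]:
    """Return (plaintext codes shown to the user once, hashes kept server-side)."""
    codes = [secrets.token_hex(4) for _ in range(n)]
    return codes, {hashlib.sha256(c.encode()).hexdigest() for c in codes}


def login(password: str, second_factor: str, stored_backup_hashes: Set[str],
          now: Optional[int] = None) -> bool:
    """Password alone is never enough, so a phished password still fails here.
    Accept a TOTP code from the current or adjacent 30 s window (clock skew),
    or burn one backup code; it is removed so it cannot be replayed."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(pw_hash, PASSWORD_HASH):
        return False
    now = int(time.time()) if now is None else now
    for skew in (-30, 0, 30):
        if hmac.compare_digest(totp(SECRET, now + skew), second_factor):
            return True
    h = hashlib.sha256(second_factor.encode()).hexdigest()
    if h in stored_backup_hashes:
        stored_backup_hashes.discard(h)  # single use: no staff needed, no replay
        return True
    return False
```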


Cariad
@Cariad

I don't think 2FA belongs on everything and even a random Internet forum probably doesn't need it.

Making it mandatory is problematic in my mind, but it should be easy to enable.

I have first-hand experience with cases where people lacking phones cannot use 2FA and thus am not very zealous towards having it on everything. That said, if I see an option to enable it for myself, I will.

