Security precautions when plugging into client's hardware

kalabdel (Member, Ontario, joined Feb 2015, 1,108 posts)
Good evening gentlemen,


I've been concerned about this for a while and would like to know how others go about making sure they are not infecting nor getting infected when they plug into a customer's network.


The equipment I deal with is never that critical: not infrastructure, oil, waste, water, nothing like that.

All pretty much production of some kind or related (warehousing). But many have remote connections and I would like to put in place measures and procedures to manage security issues.



What do you personally do, what are your company policies, and what do your customers expect or demand of you?


Thanks
 
One customer required me to let their IT department representative see what virus software was on the laptop, and it had to be up to date.

My last employer had a policy (mostly ignored) that the IS/IT department look at outsiders' and plant PCs when the employees returned from travel, before connecting to the network. It was one of our admin guys at a sister plant that brought in a Conficker virus that almost brought the network down.
It took 3 of us 4 days / 18 hours a day to kill it. We had our engineering manager get a virus and we were notified. I got his laptop and thumb drives, looked at them, then destroyed them. He was not happy and went to my boss.
The boss told him he told me to destroy them.
Not sure about where I am now.

I would use a VM with the programming software loaded on it and keep a backup.
james
 
If we have a 3rd party on our site then they use our Engineering Workstation; their laptop is not allowed on our network (OT or IT).

Technically the USB stick should go through a sheep-dip station or be virus scanned before use.

They can get access to a Guest WiFi network, separated from Corporate.
 
I worked in a shop and used my own laptop.


The IT guy was adamant that no PC on the network could have anti-virus software on it, that it interfered with his network somehow.



They did get hit once with ransomware that encrypted all the files on the NAS and got on a couple computers and started encrypting files, but that was acceptable to him.


I found a way to change the taskbar icon and display name on my anti-virus so it looked like an RSLinx add-on and wasn't affected.
 
I have one client with a site that does military surveillance work, so we bought laptops just for that site that went through their IT on the way in, and will only leave after being physically destroyed. No USB drives, no cell phones, no devices with general-purpose memory or wireless connectivity features. We had to get a waiver to bring activation dongles onsite after proving they had no general purpose storage. If I need to bring a program in, I provide it to their IT department via secure file transfer and they scan/review it before moving it onto the PC that's already inside.

But most places we just rely on our ESET antivirus and our PC firewalls, and scan all of our owned removable devices using ESET before and after connecting them to customer computers.

I'd like to be even more strict and secure, though.

My thinking is that I should get a small firewall device with two fast Ethernet ports and a USB host, so I can allow only the pertinent automation protocols across that firewall.

If I needed to "sneakernet" a file with a USB drive, I would format the drive with the firewall, then use a file transfer utility to read or write only the specific files.

I'm sure there are small hardware firewalls that are meant for that specific purpose. Any PLCTalkers use one?
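The "read or write only the specific files" step above, and the sheep-dip idea from the earlier reply, come down to the same control: never mount a customer's drive and browse it, but pull exactly the named files through an allow-list and record what was taken. The script below is an added example, not the poster's tooling or any vendor's utility; the extension lists, the zone names and the constructed sample drive in demo() are assumptions.

```python
"""Allow-listed USB file transfer with a SHA-256 manifest.

Added example (not from the thread). It copies only the files explicitly
asked for, refuses anything Windows would execute or autorun, refuses
anything that is not a plain file name, and returns hashes of what it copied
so the transfer can be logged. Extension lists are assumptions.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Assumed: the file types one legitimately carries between office and plant.
ALLOWED_SUFFIXES = {".acd", ".l5k", ".l5x", ".mer", ".apa", ".pdf", ".csv"}
# Refused outright, regardless of the allow-list above.
REFUSED_SUFFIXES = {".exe", ".dll", ".scr", ".lnk", ".bat", ".cmd",
                    ".ps1", ".vbs", ".js", ".msi"}
REFUSED_NAMES = {"autorun.inf", "desktop.ini"}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large project files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_file(path: Path) -> Optional[str]:
    """Return None if the file may be copied, else the reason it is refused."""
    name = path.name.lower()
    suffix = path.suffix.lower()
    if name in REFUSED_NAMES or suffix in REFUSED_SUFFIXES:
        return "executable or autorun artefact"
    if name.startswith(".") or suffix not in ALLOWED_SUFFIXES:
        return "not an allow-listed file type"
    if path.is_symlink() or not path.is_file():
        return "not a regular file"
    return None


def transfer(src_root: Path, dst_root: Path, wanted: List[str]) -> Dict[str, Dict[str, str]]:
    """Copy exactly the files named in `wanted` from src_root to dst_root.

    Returns {"copied": {name: sha256}, "refused": {name: reason}}.
    """
    result: Dict[str, Dict[str, str]] = {"copied": {}, "refused": {}}
    dst_root.mkdir(parents=True, exist_ok=True)
    for name in wanted:
        # Only bare file names: no sub-directories, no "../" traversal.
        if Path(name).name != name or name in ("", ".", ".."):
            result["refused"][name] = "not a bare file name"
            continue
        src = src_root / name
        if not src.exists():
            result["refused"][name] = "missing"
            continue
        reason = check_file(src)
        if reason:
            result["refused"][name] = reason
            continue
        dst = dst_root / name
        shutil.copyfile(src, dst)  # copyfile, not copy2: source metadata is not carried over
        result["copied"][name] = sha256_of(dst)
    return result


def demo() -> Dict[str, Dict[str, str]]:
    """Build a constructed sample 'drive' in a temp directory and run transfer()."""
    root = Path(tempfile.mkdtemp())
    usb = root / "usb"
    usb.mkdir()
    (usb / "Line3.ACD").write_bytes(b"constructed PLC project contents")
    (usb / "setup.exe").write_bytes(b"MZ constructed")
    (usb / "autorun.inf").write_text("[autorun]\n")
    (usb / "notes.txt").write_text("constructed notes\n")
    wanted = ["Line3.ACD", "setup.exe", "autorun.inf", "notes.txt",
              "../secret.pdf", "missing.pdf"]
    return transfer(usb, root / "clean", wanted)


if __name__ == "__main__":
    for kind, entries in demo().items():
        for name, info in entries.items():
            print(f"{kind:8} {name:16} {info}")
```

The manifest is the part worth keeping: hashing the copied file, not the source, means the log records what actually landed on the machine, and the same hash can be handed to the customer's IT for their own check.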
 


There are flash drives with a 'switch' that activates a second flash drive built into it.



One I saw was by a fingerprint sensor, but there is another by a Command Prompt command.
 
My use case is that I want to plug into a client's automation network with only the necessary protocols, and not expose my computer to anything else on their network. I also want the same tools to be usable to get secure remote access to that network, and to provide some USB memory device hygiene.

I think what I want / need is a small commercially-available router, rather than trying to build my own out of a Raspberry Pi or similar hardware.

A lot of the "travel router" market seems aimed at people who want to encrypt their traffic when using public WiFi, or are very interested in connecting to the Internet anonymously using one of a dozen VPN services. GL.iNET has a dizzying array of products all by themselves.

What I'm interested in is:

Stability
Ease of Configuration
OpenWRT support
ZeroTier support

The more I work with little embedded Linux distributions, the more I like OpenWRT for its tidy browser interface, its graceful power cycle handling, and its just-enough extensibility and customization.

While OpenVPN and WireGuard are terrific, they still always require that your router have a port open to the Internet. I virtually never have that ability when I'm on a customer site, which is why I use ZeroTier to punch through their firewalls from the inside.
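The two posts above describe the same policy: a small OpenWRT box between the laptop and the plant network that forwards only the automation protocols the job needs and nothing else, with ZeroTier providing the remote path from the inside. The script below is an added example, not the poster's configuration or an OpenWRT project file. It renders an /etc/config/firewall in the UCI syntax OpenWRT uses and models the resulting forwarding decision, so the allow-list can be reviewed before it is loaded. The zone names, the interface names and the three protocols listed are assumptions; the port numbers are the standard registered ones for those protocols.

```python
"""Render an OpenWRT firewall allow-list for a laptop-to-plant bridge.

Added example (not from the thread or the OpenWRT project). Two zones:
'lab' is the laptop side on the router's 'lan' interface, 'plant' is the
customer network on 'wan'. The default forward policy is REJECT, and only
the services listed are forwarded lab -> plant. Connection tracking lets
replies come back; nothing on the plant side can open a session inward.
"""
from typing import List, Tuple

# Assumed allow-list: (rule name, protocol, destination port). Trim to the job.
ALLOWED_SERVICES: List[Tuple[str, str, int]] = [
    ("Allow-EtherNetIP-explicit", "tcp", 44818),  # CIP explicit messaging
    ("Allow-EtherNetIP-implicit", "udp", 2222),   # CIP implicit I/O
    ("Allow-Modbus-TCP", "tcp", 502),
]


def _zone(name: str, network: str, input_policy: str, masq: bool) -> List[str]:
    lines = [
        "config zone",
        f"\toption name '{name}'",
        f"\tlist network '{network}'",
        f"\toption input '{input_policy}'",
        "\toption output 'ACCEPT'",
        "\toption forward 'REJECT'",
    ]
    if masq:
        # The plant only ever sees the router's address, not the laptop's.
        lines.append("\toption masq '1'")
    return lines + [""]


def render_firewall(services: List[Tuple[str, str, int]] = ALLOWED_SERVICES) -> str:
    """Return the text of /etc/config/firewall for the allow-list."""
    out = [
        "config defaults",
        "\toption input 'REJECT'",
        "\toption output 'ACCEPT'",
        "\toption forward 'REJECT'",
        "\toption syn_flood '1'",
        "",
    ]
    # Laptop side may manage the router (input ACCEPT); plant side may not.
    out += _zone("lab", "lan", "ACCEPT", masq=False)
    out += _zone("plant", "wan", "REJECT", masq=True)
    for name, proto, port in services:
        out += [
            "config rule",
            f"\toption name '{name}'",
            "\toption src 'lab'",
            "\toption dest 'plant'",
            f"\toption proto '{proto}'",
            f"\toption dest_port '{port}'",
            "\toption target 'ACCEPT'",
            "",
        ]
    return "\n".join(out)


def is_forwarded(src_zone: str, dst_zone: str, proto: str, dport: int,
                 services: List[Tuple[str, str, int]] = ALLOWED_SERVICES) -> bool:
    """Model the policy: a new session is forwarded only lab -> plant and only
    when (proto, dport) is on the allow-list. Everything else hits the
    REJECT default, including anything the plant side tries to initiate."""
    if src_zone != "lab" or dst_zone != "plant":
        return False
    return any(p == proto.lower() and d == dport for _, p, d in services)


if __name__ == "__main__":
    print(render_firewall())
    for probe in [("lab", "plant", "tcp", 44818), ("lab", "plant", "tcp", 445),
                  ("plant", "lab", "tcp", 44818)]:
        print(probe, "forwarded" if is_forwarded(*probe) else "rejected")
```

Writing the file to /etc/config/firewall on the router and running `/etc/init.d/firewall restart` applies it; the ZeroTier interface would be its own zone in the same file, with the same allow-list rules from that zone to 'plant', so the remote path carries no more than the cable does.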
 
I used to use Hamachi a lot; it uses server-assisted NAT traversal, and ZeroTier uses UDP hole punching. Both are better and much more secure than open firewall ports and port forwarding.
 

For travel firewalls, I use these.

Firewalla Purple / Firewall and Wireless

https://firewalla.com/products/firewalla-purple

Ubiquiti Dream Machine / Firewall and Wireless

https://www.cdw.com/product/ubiquit...aUcVKoAl8HDvJTjhe9Dj2XKttVXUD6XoaAlbFEALw_wcB

Netgate 1100 / pfSense firewall and no wireless

https://shop.netgate.com/products/1100-pfsense



You can also put OpenWRT on a Raspberry Pi for a nice solution that's fairly small and portable.
