Administrator Advice

Not us, but our customers.
Our solution is that the machine networks that we supply and the company networks aren't directly connected to each other.
There are routers between the machine and company networks.
On the machine network side there are usually fixed IP addresses. On the company network side there is what the customer wants. The two sides can still exchange data with each other, for example for ERP purposes.
If the customer insists, it is the customers IT dept. that manage these routers, with our assistance.
This seems to satisfy everyone.
 
You need to define the lines between IT and OT (Controls) carefully, and you may need OT-managed machines that have dedicated functions that are not in the IT domain.

Another option is virtual machines: a laptop with a virtual machine to program, or even a virtual machine for IT stuff like email.

But it's hard! Our IT takes the stand that all users will have user rights, and if you need elevated access an IT admin will remote in and do the elevation. This means I can install diddly and do diddly controls-related work from my WORX laptop. To do any controls-related stuff I have to use a non-IT laptop, and it's not allowed on the IT network. ......

Our IT won't even allow Hyper-V or VMware to run.... GRRRR

4 Years and I'm still fighting...
 
Argh... Siemens PG, built like a panzer, slow (out of date when new), heavy, very expensive. I remember the originals 675, 685, 750, 730 and of course the TI monsters; that's why I have arms as long as a gorilla.
 
We (I'm in IT) issue our controls folks separate laptops from the Enterprise one. They are in a different OU w/ different policies applied to them.
After the required training, the controls folks are granted admin on those machines.

I came from the controls side, so I know what the requirements are and we wrote the SOPs to allow it to happen AND keep corporate security off our backs.
 
You can tell your current IT that in your previous job, a super cool & smarter IT provided you a tool that allowed you to change IP address at ease without the need of admin.

You can also give him a choice to build you a virtual machine.
 
If you're using a Windows machine, put the users into the 'Network Configuration Operators' group and it'll let them change adapter settings like the IP address.
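As an added example (not code from any poster in this thread), the two halves of that approach on a Windows 10/11 workstation: an elevated one-time step that puts the account into the built-in group, and the unprivileged step the controls engineer then runs to switch the adapter between a static machine-network address and office DHCP. The account name, adapter name and addresses are assumptions for illustration. It uses netsh rather than the NetTCPIP cmdlets because membership in Network Configuration Operators is a token right that netsh and the adapter properties dialog honour; if `New-NetIPAddress` still asks for elevation in your environment, fall back to netsh as shown.

```powershell
# Added example, not from the original thread.
# Assumed names: user 'CONTOSO\plcuser', adapter 'Ethernet', addresses 192.168.1.x.

# --- Step 1: run ONCE, elevated (IT side) ----------------------------------
$User  = 'CONTOSO\plcuser'                   # assumed account
$Group = 'Network Configuration Operators'   # built-in local group

$already = Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue |
           Where-Object Name -eq $User
if (-not $already) {
    Add-LocalGroupMember -Group $Group -Member $User
}
# Show who holds the right; the user must log off and on to get the new token
Get-LocalGroupMember -Group $Group | Format-Table Name, PrincipalSource

# --- Step 2: run as the standard user, NO elevation (controls side) ---------
# Confirm the group is actually in the current logon token
whoami /groups | Select-String 'Network Configuration Operators'

$Adapter = 'Ethernet'   # assumed; list names with: netsh interface show interface

# Static address for the machine network (assumed values)
netsh interface ipv4 set address "name=$Adapter" static 192.168.1.50 255.255.255.0 192.168.1.1
netsh interface ipv4 show addresses "name=$Adapter"

# Back to the office network: return to DHCP for address and DNS
netsh interface ipv4 set address    "name=$Adapter" source=dhcp
netsh interface ipv4 set dnsservers "name=$Adapter" source=dhcp
```

The grant is deliberately narrow: it covers TCP/IP and adapter property changes, not software installation, driver changes or service control, so it is a much smaller concession from IT than local admin. The `whoami /groups` check is worth keeping in the script because the most common "it still doesn't work" cause is simply not having logged off since the group change.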
 
I am local admin on my PCs.

I also use VMWare Workstation, so I set the Guests VMs as I need.

If your IT department will not compromise, then personally, I would look for a new place to work.
 
1. I blame the controls companies for making software that works better with admin rights. Least privilege is one of the tenets of cyber security.
2. Perhaps another reason why I dream of a Linux based IDE.
 
At a previous employer IT suggested to me that they were going to take my local admin rights away...

I suggested to them that if they tried it, I would just wipe my computer and remove their domain level access...

We stared at each other a half a minute, and then it was never mentioned again...

IT in any medium to large company are out to cover their own ***; their job is to facilitate technology for other people to do their jobs more effectively, and balance that with security. Most of the time, they forget the first part, and become detrimental to productivity.

I am not opposed to the concept of zero trust; the problem is you can implement Zero Trust policies in a practical manner, without dedicated security software designed for it. Zero Trust is dynamic activity monitoring. A lot of IT guys just try to lock everyone out of everything (except themselves obviously) and then manually give people temporary access to things. This is a nightmare, and ironically most of these IT guys use shared admin passwords too... like I don't think you understand how segmentation and zero trust works...

Morons.

Did you guys get the idea I am not a fan of IT people?
 
Some years ago I joined a company; the IT dept. was definitely a secret society. At the time there were two SCADA systems, one Fix32 controlling a large batching plant & one that monitored many things like utilities, data concentrating, etc. Both were connected to the corporate network. I had no idea of the relationship between the contractors who installed them & the IT dept.
The IT manager replaced the network card in the batching system (there were two; no idea why, but it appeared that the one talking to the PLC could not use the same network). IT decided that instead of the two cards to just use an upgraded card (note all were exposed to the corporate network). I got a call that the SCADA was not responding & went to investigate; there was the IT manager, sweat pouring down his face. I tried to reason with him, I said there was probably a reason for the two cards, he got quite irate. We did put it back to how it was, then it turned into a high-level meeting with the higher management & the CEO. IT were definitely anti-engineering; I believe this was due to them having little understanding of industrial connections & their importance, & they felt threatened.
At one point it was suggested that I be moved out of engineering into IT; this was not going to happen as far as the Eng. Manager & I were concerned.
However, I began to closely work with IT, gained their trust, I had admin rights on my laptop, as well as certain access to the servers & databases.
The relationship grew to the extent of them even giving me their master password (this became important when at a supplier who was configuring a new system on PCs supplied by us). I became trusted and had a good relationship with IT.
So it can work, but it takes patience.
 
In the company I used to work for (I am retired now), I set up a network exclusively for PLC control, and it was hardware-independent from the intranet (I was the administrator). The only link between the intranet and the PLC control network was a gateway used to send reports, dead times, OEE, etc.
This way I got rid of IT people; I did not even let them enter our control room.
All my engineers had two PCs, one for the intranet and another for PLC control.
 
So we are sharing IT horror stories. The new plant manager wanted picture evidence of the defects in material. He was building a case to slow the line down and make a better product instead of running fast and junk. So I added a few Banner cameras to the system. They took pictures and sent them to a network folder. Everyone was happy until the remote IT department looked at network traffic and saw these huge data transmissions. They immediately blocked the port. We talked and nothing got resolved. The new plant manager asked me, and I showed him all the email documentation. He got the problem resolved within a few days. We then bought about 10 more cameras because the plant manager said let's show IT who they work for. We flooded the network and shut machines down. Oooops.

IT then took over all network switches, even our switches in the panel. I had laid out the switches so everything on this machine was in this panel and 1 port went to the network. IT removed our switches and used their existing ones. They were a few ports shy, so they just split them between their switches. It worked great until midnight on Saturday night when there was a software update on these switches. No notice from IT, because it was a Saturday night and nobody would be there in the office. Production was 24×7; it cost them about $15k in bad product per line. We had 3 lines. The kicker was a pump ran dry and was a $60k repair. The plant manager was less than happy. We got our network back.
 