Plant & Facilities Engineering

Two words: BAD IDEA!

I can not envision ANY circumstances under which I would open any control or monitoring system to the possibility of compromise by unknown individuals who may or may not have questionable motives for accessing the system. In other words, NOTHING of value is EVER exposed to the web...

Hi,

Apple Mac's are used in any safety critical situation, I think it is fair to say.

Any extra cost in business is easy to afford when you hardly need worry about Virus and other safety attacks like key-logging and similar.

No matter what fancy expensive anti virus used on Microsoft they are a Magnet for attacks,

Take care.

Security systems configuration capabilities are adequately available to prevent unauthorized access without prohibitive cost and complication so why not?

A control system not connected to the net is vulnerable to hacking without proper precautions in place.

Hi itilty,

There is no reason for a dedicated computer or part of a system to use the web but, tell that to the selfish bloke in the office who wants to show a 'funny' bit off You Tube? The barrier is broken and the tide comes rushing in!. ....... All for the sake of ignoring the instruction of no web use?

Take care.

We are one of those industrial equipment manufacturers who want to install remote access in our equipment.

The reason is simple. Customers want instant fixes and modifications. Nobody wants to wait for a week or two anymore. This is difficult to provide on an international market.

The security issue is a problem that can be greatly reduces using an intermittent external connection. Under this scheme, the external connection is established by the customer's technician as needed using a temporary cable from our equipment to the external link. It is then removed after the work is done. This limit the access to a shorter time period reducing the chances of unwanted access. It is also under the customer's control.

Another way is to use a modem with a temporary telephone line. It is much slower than an Ethernet connection but it works for simple tasks.

Is that a good compromise for all of you who would have refused a permanent external connection?

There can be a lot gained by connecting instrumentation and control systems to the web. The risks can be great also. Being able to work on systems from the web can be a breath of fresh air. The problems about security, however are quite complex and usually glossed over. Companies that do not provide enough security generally suffer disasters of a very serious nature at the worst possible times. We do it, but we do it very,very carefully. By the way, we NEVER allow the direct control of any machine from the internet. You still have to talk to the control system itself, which adds its own level of security beyond the firewall and vpn's. We still control only such things that aren't critical such as HVAC.

Bad idea.

I put an unpatched XP box on a cable modem once just for grins and it was sending out spam inside 20 minutes.

Trading off the security and functionality of a control system for some convenience seems to me a very bad compromise.

Why not just VPN the patch with an MD5 hash to a technician who will then manually install it?

Stumbling upon a control system is a black hat's wetdream (think extortion).