Just wanted to share "Private Network"

damica1 (Member; joined Aug 2015; Illinois; 839 posts)
I really just wanted to share this information, as I do think a lot of plants could benefit from this.

I hear every day about the factory/plant not wanting their network to be accessible through the "Internet". They always preach "Security" and somebody/hacker being able to wreak havoc on the network.

We just created our own "Private Network" with the help of Verizon. Now what this does is this.

The factory/plant network is no longer accessible from the "Internet" as you know it.
The "Factory/Plant Private Network" can't even be seen from the "Internet".

But yet allows you or "Administration" people with proper access to login from anywhere in the world and Manage the Complete Plant Network.

Security is at its most with this type of network, because this network does not exist to the outside world.

And now the question is COST, how about $500.00, now there is some special hardware that is at around $600.00.

But do you know how much the plant can save because of the added support that becomes available?

Something you might want to check into.

Pass along to your IT department.
 
If you can access the network from anywhere in the world, then saying it can't be seen from the internet isn't really accurate, is it? It just means that someone would have to hack Verizon's system to get into it instead of hacking the router/gateway that was set up by IT at the local plant.
 
I realize "NOTHING" is hack proof!

But whose security protocol would you trust more? The plant (2yr degree, under paid, student, IT person) or "Verizon" that has to provide Security to the "Pentagon"?

This is the only point:

I'm trying to share with other support personnel that may be in a position that has to manage and work with plant networks.
 
Most definitely the plant. Based on my experience with deploying networking infrastructure, Verizon (and most large companies) will have a tech at your plant while they outsource everything to India.

That being said, I'm still unclear as to what they installed exactly. Did they just segment your network through a switch? Did they install servers? A firewall?
 
Pass along to your IT department.
This assumes the IT department is actually interested in doing what they're paid for, i.e. supporting the business, and not thinking that they are the business, which in my sad work experience seems to be the norm. Though, I believe it is changing as management in companies starts being replaced with people used to computers.

It also reminds me of the company I worked for offshore. They did have remote access to some of the automated equipment for support, it was reasonable too.

But, you don't do modifications or upgrades remotely and every now and then someone would have to visit the installation to carry out the upgrade... and God forbid he forgot some file because IT would not let him connect to the onboard Wi-Fi to download documents he needed that weren't available off the internet.

One year in particular, we had one support call because I wanted someone to agree to the temporary change I wanted done and about 10 to 20k worth of twiddling thumbs time to get someone to find the documents and either mail them to me or access the remote interface and copy them over there.

My new job is slowly changing this perception of IT, but I still get angry at those idiots.
 
I trust a VPN and firewall that I've set up significantly more than some black box system that a big corporate is selling. And if you can access it remotely then it's connected to the internet. No one is doing leased line directly between end points anymore.

However, using a system like the one you describe is better than nothing.
 
Did you use Juniper Firewalls with well known vulnerabilities by any chance?

Not saying that Verizon isn't vulnerable to this, probably more if their equipment is custom made for them and not widely used in public, but it's always good to keep it in mind.
 
Nope, Palo Alto for the VPN appliance and Moxa EDR as a transparent firewall between the VPN and a control system DMZ.

Only traffic allowed through is that required for remote desktop connection to a jump server in the DMZ, NTP, windows updates and antivirus updates. All other addresses / ports denied.

Between DMZ and control network is another Moxa EDR firewall. Only traffic permitted is that from the jump server MAC. All other traffic denied.

From the jump server we use RealVNC to get into the SCADA terminals or engineering workstation.

I like to combine different brands of gear; sometimes that causes hassles, but if a vulnerability is found in one product it is unlikely to also exist in the other.

This is for a large plant; it is costly to implement and certainly not a solution that fits everyone.
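To make the two-tier allowlist in the post above concrete, here is an added model of those rules as code (this is illustrative code, not the poster's Moxa or Palo Alto configuration). The addresses, the jump server MAC and the single stand-in update host are constructed assumptions; the rules are the ones the post lists: remote desktop to the jump server, NTP and update traffic through the outer firewall, jump-server MAC only through the inner one, everything else denied.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_mac: str
    dst_ip: str
    proto: str   # "tcp" or "udp"
    dst_port: int


# Constructed sample addressing; assumptions, not values from the post.
VPN_POOL = "10.10.0."          # addresses handed out by the VPN appliance
CONTROL_NET = "10.30.0."       # SCADA terminals / engineering workstations
JUMP_IP = "10.20.0.10"         # jump server inside the control-system DMZ
JUMP_MAC = "00:11:22:33:44:55"
UPDATE_HOSTS = {"10.99.0.5"}   # stand-in for the NTP / Windows / AV update servers
UPDATE_SERVICES = {("udp", 123), ("tcp", 80), ("tcp", 443)}


def outer_allows(f: Flow) -> bool:
    """VPN <-> DMZ firewall: RDP to the jump server, NTP and updates out, else deny."""
    if f.src_ip.startswith(VPN_POOL) and f.dst_ip == JUMP_IP:
        return f.proto == "tcp" and f.dst_port == 3389      # remote desktop only
    if f.src_ip == JUMP_IP and f.dst_ip in UPDATE_HOSTS:
        return (f.proto, f.dst_port) in UPDATE_SERVICES
    return False                                            # default deny


def inner_allows(f: Flow) -> bool:
    """DMZ <-> control network firewall: only frames sourced from the jump server's MAC."""
    return f.src_mac == JUMP_MAC and f.dst_ip.startswith(CONTROL_NET)


def path_allowed(f: Flow) -> bool:
    """Apply each firewall the flow would have to cross; a VPN user reaching the
    control network directly fails at the outer firewall because the destination
    is not the jump server, which is exactly the two-hop design the post describes."""
    crosses_outer = f.src_ip.startswith(VPN_POOL) or f.dst_ip in UPDATE_HOSTS
    crosses_inner = f.dst_ip.startswith(CONTROL_NET)
    if crosses_outer and not outer_allows(f):
        return False
    if crosses_inner and not inner_allows(f):
        return False
    return True
```

The inner rule keys on a layer-2 address, so it only holds while the DMZ side of that firewall is a single switched segment on which the jump server is the only host expected to originate control-network traffic.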
 
Honestly I'd be much more worried about Verizon being hacked than my plant. Verizon is a big target, there's likely thousands of people around the world constantly trying to hack them in different ways. My plant isn't, it's targeted by phishing emails at the worst.

Knowing that they can host VPN for you is good information but I just wanted to make sure that people were getting more than the sales pitch. It sounds like they blew some sunshine up your 'you know what', David.
 
The Pentagon and the DOD were hacked multiple times in 2018 and I mean major data breaches so don't think that being on a Verizon private network like metro ethernet or other solutions will keep you secure. All networks can be seen you just have to know how and where to look and there are many people who know how and where to look.

Does Verizon have good security for those types of services? Yes, they do. And is it likely hackers will invest the time and resources needed to hack your plant? Well, depending on what your plant does, maybe, but it's highly unlikely.

Sounds like a good solution that works for your setup but just don't let it get you into a false sense of security is all I am saying because nothing is 100% secure.

If they can hack the Pentagon they can hack anything in the private sector.
 
It's called a VPN, virtual private network, and if you want to take it to the next level they can get an encrypted VPN.

The IT guys don't want to use them because they have to do a little work to set them up. They don't want others to know about their magic smoke.
 
I've only had an issue with IT once, and it was a small business where my manager and the owner were "IT". Let me tell you, they weren't IT. But pretty much every IT person I've come across has been top notch.

But for the overall thread... the corporate network should already have a VPN set up. Getting a server that can be used as a remote workstation that is on the business and process network should be all it takes. Then have a server with your Rockwell stuff. So, it's 2 remote desktop sessions but I think it's the safest route.

edit - when working with a client I had them work with their IT to get me VPN access and a computer connected to a machine that needed changes. I implemented that the remote computer was only ever connected to the machine when I was actively working on it, and disconnected when I signed off. This just required a local tech to go into the room a couple times.
 
The easiest way to find those who are the most vulnerable is to find those who brag about being the least vulnerable. The minute you tell yourself you can't be defeated, you will be. The best way to stay protected is to always believe (and rightfully so) that you are vulnerable and that you need to be constantly upgrading your protection. Those who follow that philosophy are the ones who have the least security issues.
Also, I would bet on a 2 yr degree, under paid, “Kid” who is the entire IT department long before I would Verizon. Verizon has millions of networks associated with it which makes them, (and the other worldwide ISP) a huge target. If you constantly go after the latest and greatest you will learn how to defeat the latest and greatest giving you the larger opportunities.
 