An assembly line making variations of the same product makes sense but why would they be exposed to the internet?
My friend who works designing such tools says production stuff should never be connected to the internet for obvious reasons. Someone fucked up.
The factory network might have been designed under the assumption that there were no such unsafe devices around, somebody might have poked a hole on the firewall for something completely different that exposed these tools, somebody might have taken one of these home or to a company office for some reason and brought it back infected, somebody with a notebook connected to the Internet via Mobile came to the factory, an attacker physically parked next to the factory and started hacking, the good old “drop a USB disk with a virus in the parking lot”, and so on and so on…
You’re really supposed to design networked software under the assumption that at some point it will be exposed to an unsafe network.
to be able to get information about new parts or procedures, or updated information from the device manufacturer or the manufacturers of the parts the device is designed to interact with.
None of that requires internet access though. It should all be handled through the company intranet.
I work in manufacturing and our tools are connected to the company network but blocked from the internet because some still rely on things like Windows XP or Win7 for example.
Putting together a WAN with your vendors would be a great big old thing. I suppose you could figure out some way to pull vendor patches and updated specs into your LAN via a single point of entry as well.
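The segmentation described in the last two comments (production tools reachable only from the intranet, a single DMZ host as the only path to vendor updates) modelled as a default-deny zone policy. This is an added Python example, not code from any commenter; the zone ranges, the patch-mirror address, the vendor address and the sample flows are all constructed for illustration. It also shows what the "poked a hole on the firewall" comment above looks like in such a policy: one broad extra rule and every tool in the production zone can reach the internet.

```python
"""Zone-based egress policy check for a segmented factory network.

Added example, not code from the thread. Zones, addresses and flows are
constructed. Model: production tools may talk to the company intranet and
to one patch mirror in the DMZ, never to the internet; only the patch
mirror itself may reach vendor hosts on the internet.
"""
from ipaddress import ip_address, ip_network
from typing import NamedTuple

# Constructed zones (assumption: RFC 1918 ranges picked for the example).
ZONES = {
    "production": [ip_network("10.10.0.0/16")],  # tools, some still on XP/Win7
    "intranet":   [ip_network("10.20.0.0/16")],  # office and company services
    "dmz":        [ip_network("10.30.0.0/24")],  # single point of entry
}
PATCH_MIRROR = ip_address("10.30.0.10")          # constructed mirror address

# Allowed (source zone, destination zone, dst port) tuples.
# Anything not listed is denied (default-deny).
ALLOW = frozenset({
    ("production", "intranet", 445),      # job data / file shares
    ("production", "patch_mirror", 443),  # fetch vetted patches from the mirror
    ("patch_mirror", "internet", 443),    # the mirror pulls from vendors
})

# The "poked a hole for something completely different" misconfiguration:
# one broad rule lets every production tool out to the internet.
HOLE = ALLOW | {("production", "internet", 443)}


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int


def zone_of(addr: str) -> str:
    """Map an address to its zone; unknown space counts as the internet."""
    ip = ip_address(addr)
    if ip == PATCH_MIRROR:
        return "patch_mirror"  # host-specific zone: the single point of entry
    for name, nets in ZONES.items():
        if any(ip in n for n in nets):
            return name
    return "internet"


def evaluate(flow: Flow, rules=ALLOW) -> str:
    """Return 'allow' or 'deny' for a flow under the given rule set."""
    key = (zone_of(flow.src), zone_of(flow.dst), flow.dport)
    return "allow" if key in rules else "deny"


def internet_exposed(flows, rules=ALLOW):
    """Production-zone sources that the rule set lets reach the internet."""
    return sorted({
        f.src for f in flows
        if zone_of(f.src) == "production"
        and zone_of(f.dst) == "internet"
        and evaluate(f, rules) == "allow"
    })


# Constructed sample traffic; 203.0.113.0/24 is documentation space (TEST-NET-3).
SAMPLE_FLOWS = [
    Flow("10.10.1.5", "203.0.113.40", 443),   # XP tool -> vendor site directly
    Flow("10.10.7.20", "203.0.113.40", 443),  # another tool -> internet
    Flow("10.10.1.5", "10.30.0.10", 443),     # tool -> patch mirror
    Flow("10.30.0.10", "203.0.113.40", 443),  # mirror -> vendor (the one allowed path)
    Flow("10.10.1.5", "10.20.0.7", 445),      # tool -> intranet file share
    Flow("10.20.0.7", "10.10.1.5", 3389),     # office PC -> RDP into a tool
]


def audit(flows, rules=ALLOW):
    """Verdict per flow, in input order."""
    return [(f, evaluate(f, rules)) for f in flows]


if __name__ == "__main__":
    for f, verdict in audit(SAMPLE_FLOWS):
        print(f"{verdict:5} {f.src} -> {f.dst}:{f.dport}")
    print("exposed with correct policy:", internet_exposed(SAMPLE_FLOWS))
    print("exposed with the hole:      ", internet_exposed(SAMPLE_FLOWS, HOLE))
```

The point of modelling the mirror as its own zone rather than as part of the DMZ is that "DMZ may reach the internet" would silently widen to every host later placed in that subnet; tying the vendor-facing rule to the one host keeps the single point of entry single.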