
Thread: Network connected torque wrenches

  1. #16
    Join Date
    Mar 2003
    Location
    SE PA - Central Bucks County
    Posts
    66,165
    Quote Originally Posted by Steve Demuth View Post
    If by that you mean the separate network itself should have no internet access, I sincerely doubt the practicality of that in the modern world. First, because keeping a network isolated when other networks in the same premises are connected is extraordinarily difficult. Every such "air gapped" network I've ever encountered outside some national security facilities, proved when red-team attacked, to actually be connected. Maybe control of the environment is strong enough in some manufacturing settings to pull it off; it never was in any I've encountered. Second, because in most industries, the prevalence of partner-connected devices is exploding. Those devices need network paths to the outside world. As I mentioned elsewhere, by way of example, I've seen proton beam treatment facilities (which operate much like a factory building custom-variable inventory in terms of operational needs, and quality-control considerations) that required connectivity from hospitals in the United States to a manufacturer in Japan.
    Use of virtual networks to provide "greater" isolation is not uncommon and has been in the picture for a couple of decades or more. And it's on the same wires and through the same gear. Yes, it's still possible to have a security issue, but it's a lot harder to pull off. Many of the networks I designed and sold for governmental entities (both local/county and Federal) utilized this method.
    --

    The most expensive tool is the one you buy "cheaply" and often...

  2. #17
    Join Date
    Oct 2006
    Location
    Minneapolis, MN
    Posts
    5,511
    Quote Originally Posted by Steve Demuth View Post
    If by that you mean the separate network itself should have no internet access, I sincerely doubt the practicality of that in the modern world. First, because keeping a network isolated when other networks in the same premises are connected is extraordinarily difficult. Every such "air gapped" network I've ever encountered outside some national security facilities, proved when red-team attacked, to actually be connected. Maybe control of the environment is strong enough in some manufacturing settings to pull it off; it never was in any I've encountered. Second, because in most industries, the prevalence of partner-connected devices is exploding. Those devices need network paths to the outside world. As I mentioned elsewhere, by way of example, I've seen proton beam treatment facilities (which operate much like a factory building custom-variable inventory in terms of operational needs, and quality-control considerations) that required connectivity from hospitals in the United States to a manufacturer in Japan.
    You would think that someone selling network connected tools to a factory would be smart enough to offer a way to do updates that doesn't require Internet access. It is somewhat common for manufacturing networks to not have Internet access. Manufacturers don't want a manufacturing outage caused by ransomware, malware, or the like.

    I'm not saying my network is 100% secure, but it has no Internet access, and users can only access stuff on that network by utilizing PCs on that network. PCs on that network have no Internet, no email, and no connectivity to the rest of the network. Users who need access to email, Internet, and all that have a second PC for that. This network was not designed to be military level secure. Someone could still connect a USB stick to PCs, and stuff like that.

  3. #18
    Join Date
    Feb 2016
    Location
    NE Iowa
    Posts
    1,267
    Quote Originally Posted by Jim Becker View Post
    Use of virtual networks to provide "greater" isolation is not uncommon and has been in the picture for a couple of decades or more. And it's on the same wires and through the same gear. Yes, it's still possible to have a security issue, but it's a lot harder to pull off. Many of the networks I designed and sold for governmental entities (both local/county and Federal) utilized this method.

    Jim,

    Of course. There were 400,000 devices from somewhere around 250 different manufacturers on the hospital network where I last worked. We dealt regularly with attacks ranging from common criminal ransomware, to Chinese hackers prowling for biomedical intellectual property to steal, to foreign nationals posing as students to get into research labs, so they could attack from within. We had everything from a public guest network to DoD secret research on our networks (sometimes in the same building - clinics and hospitals, unlike factories, can't be physically isolated from the walk-in public). If there is a technique for securing, monitoring, or recovering networks we didn't use while I was there, it's because it was only invented since 2021.

    I don't doubt Brian built what he said he did. It's not easy to keep them that way, though, in a world where "the network" encompasses physical Ethernet, wireless Ethernet, Bluetooth, and cellular IP, and so many devices demand the right to talk to outside their local environment for one reason or other. Takes more than air gap, since so much of the traffic is literally coming and going through the air ;-)

  4. #19
    Join Date
    Oct 2019
    Location
    Maryland
    Posts
    349
    Quote Originally Posted by Steve Demuth View Post
    Jim,

    Of course. There were 400,000 devices from somewhere around 250 different manufacturers on the hospital network where I last worked. We dealt regularly with attacks ranging from common criminal ransomware, to Chinese hackers prowling for biomedical intellectual property to steal, to foreign nationals posing as students to get into research labs, so they could attack from within. We had everything from a public guest network to DoD secret research on our networks (sometimes in the same building - clinics and hospitals, unlike factories, can't be physically isolated from the walk-in public). If there is a technique for securing, monitoring, or recovering networks we didn't use while I was there, it's because it was only invented since 2021.

    I don't doubt Brian built what he said he did. It's not easy to keep them that way, though, in a world where "the network" encompasses physical Ethernet, wireless Ethernet, Bluetooth, and cellular IP, and so many devices demand the right to talk to outside their local environment for one reason or other. Takes more than air gap, since so much of the traffic is literally coming and going through the air ;-)
    I can appreciate your work there, it sounds like the environment I worked in and took early retirement from.

    I think it was a USB stick with Stuxnet that infected the air gapped Iranian nuke centrifuges years ago.

    I would disable the easily accessible front USB ports on desktop PCs for security reasons but kept the rear USB ports available for support personnel when rarely needed, still remember catching flak about that minor inconvenience.

    Yeah, I also didn't see the networked wrenches, or networked kitchen oven cameras coming.
    Hobbyist woodworker
    Maryland
