With the spate of ransomware and crypto virus attacks on automation systems, perhaps a quick review of network security is in order:
- Isolate the automation system on a separate network from the general office network and do not allow internet access on the automation system’s workstations or servers.
- Use a separate switch for all automation network connections.
- Install a small router between the automation network and the office network. On the router, the WAN port faces outward toward the office network; configure it so the WAN port is non-pingable. Grant access from the office network only to specific users (e.g. traffic, music director) via access lists, and open only the few ports needed for VNC or RDP so technicians can remotely access machines for maintenance and troubleshooting.
- Use supported and up-to-date operating systems.
- Use separate admin and user accounts, make sure admin rights are removed from the user accounts, and keep machines logged in as users. This ensures that an errant DJ or other person cannot install unauthorized programs.
- Install a good antivirus program and keep it up to date.
- Back up the data and test the backups.
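As an added illustration of the router access-list rules described above (not part of the original post; all addresses, host roles and port numbers are constructed assumptions), the following Python model evaluates new connections crossing the automation router: automation hosts get no egress, the WAN port ignores pings, and only listed office hosts may reach the VNC/RDP ports.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for illustration only.
AUTOMATION_NET = ipaddress.ip_network("192.168.50.0/24")  # automation LAN side
OFFICE_NET = ipaddress.ip_network("10.0.0.0/24")          # office side (router WAN port)

# Office workstations granted access via the access list (constructed roles).
ALLOWED_OFFICE_HOSTS = {
    ipaddress.ip_address("10.0.0.21"),  # traffic
    ipaddress.ip_address("10.0.0.22"),  # music director
    ipaddress.ip_address("10.0.0.99"),  # engineering laptop
}
REMOTE_ACCESS_PORTS = {3389, 5900}  # RDP, VNC


@dataclass(frozen=True)
class Flow:
    """A new connection attempt as seen by the router (replies to
    established sessions are handled by connection tracking, not modelled)."""
    src: str
    dst: str
    proto: str  # "tcp", "udp" or "icmp"
    dport: int = 0


def decide(flow: Flow) -> str:
    """Return 'allow' or 'drop' for a new flow crossing the automation router."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    from_automation = src in AUTOMATION_NET
    to_automation = dst in AUTOMATION_NET

    # Automation hosts may talk among themselves only: no internet (or office)
    # egress, which is the "no internet access on the automation system" rule.
    if from_automation:
        return "allow" if to_automation else "drop"

    # Inbound from the office side: the WAN port is non-pingable.
    if flow.proto == "icmp":
        return "drop"

    # Only listed office hosts, only TCP, only to the remote-access ports.
    if (to_automation and flow.proto == "tcp"
            and src in ALLOWED_OFFICE_HOSTS and flow.dport in REMOTE_ACCESS_PORTS):
        return "allow"

    return "drop"  # default deny for everything else
```

Feeding the model a list of flows from real logs is a quick way to check that a candidate access list matches the intended policy before loading it on the router.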
The office network is more vulnerable because of the human element. Internet access is required, of course. Click on a pop-up? Sure! Hey, that photograph has a funny file extension, let's open it and see what it is. I never heard of this person before, but look, they sent me an executable!
Much of the office network's security will rely on the quality of the router connected to the internet and the antivirus software installed. Of course, the network users carry a good deal of the responsibility as well.