How to Safely Network Production Machines for Remote Access?

Asked By CraftyPineapple123 On

Hey everyone! I work in manufacturing and have been modernizing our operations over the past few years. We have over 20 production machines that rely on PCs to function. My company is considering connecting these machines to a network to collect data and allow for remote troubleshooting by the manufacturers. Until now, they've been isolated and not connected to the Internet, so I haven't been too concerned. However, with this upcoming change, I'm feeling apprehensive about the setup. I'm weighing the option of adding these machines to our domain to implement Group Policy for configuration and security purposes, as well as installing antivirus, endpoint detection and response tools, remote monitoring management software, and backups. If you were in my position, would you connect them to the domain, or consider a separate domain? What software would you suggest installing? Also, keep in mind that we're regulated by the FDA, so compliance is a big deal. I'd love to hear your thoughts and any important considerations! Thanks!

6 Answers

Answered By TechieTurtle89 On

It's crucial to keep each machine and its PC on separate VLANs to limit traffic through the firewall. What remote access solution do you plan on using? Joining these machines to the domain can create compliance headaches if you can’t keep the OS updated regularly.

CuriousChipmunk42 -

If that's the case, it might be worth checking out some specific forums dedicated to your equipment. I initially thought of the PC, but maybe there's an HMI aspect to consider.

Answered By ResilientRaccoon56 On

In my previous experience, all production machines were on a completely different network from office machines. It helps maintain security and efficiency in operations.

Answered By NetworkNinja44 On

Set up a dedicated VLAN and consider using a VPN for remote access to keep things secure. This would help isolate the machines from external threats.

Answered By CyberSage99 On

It's essential to ensure these machines are on a secured network, preferably air-gapped or firewall-protected. Production systems often run on older OS versions, so isolation is key.

Answered By VigilantVortex21 On

Given that these are production machines, I imagine they might be using outdated versions of Windows. A completely separate network and domain without internet access would be the safest route.

Answered By PragmaticPenguin55 On

Avoid joining these machines to the domain or letting them connect to the internet. It’s vital to understand the Purdue model and implement proper zones for data collection. Also, getting leadership on board will be vital for success. Remote access should be strictly controlled, possibly through a DMZ server.
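
Added example, not part of any answer above: a small Python audit that checks a firewall rule list against the zoning the answers describe (one VLAN per machine, no direct office or internet path to a machine, everything routed through a DMZ). The zone names, subnets and rules are constructed for illustration.

```python
import ipaddress

# Constructed zone map (assumption): one VLAN per machine cell, an industrial
# DMZ for the jump host and data collector, and the office LAN.
ZONES = {
    "cell-01": "10.20.1.0/24",
    "cell-02": "10.20.2.0/24",
    "dmz": "10.30.0.0/24",
    "office": "10.10.0.0/16",
}
NETS = {name: ipaddress.ip_network(cidr) for name, cidr in ZONES.items()}

# Constructed firewall rules (assumption), as exported source/destination pairs.
RULES = [
    {"id": 1, "action": "allow", "src": "10.20.1.0/24", "dst": "10.30.0.10/32"},
    {"id": 2, "action": "allow", "src": "10.30.0.20/32", "dst": "10.20.2.15/32"},
    {"id": 3, "action": "allow", "src": "10.10.5.0/24", "dst": "10.20.1.15/32"},
    {"id": 4, "action": "allow", "src": "10.20.2.0/24", "dst": "0.0.0.0/0"},
    {"id": 5, "action": "allow", "src": "10.20.1.0/24", "dst": "10.20.2.0/24"},
    {"id": 6, "action": "deny", "src": "0.0.0.0/0", "dst": "10.20.0.0/16"},
]

def zones_touched(cidr):
    """Every zone a rule endpoint overlaps; 'outside' if it spills past known zones."""
    net = ipaddress.ip_network(cidr)
    hit = {name for name, zone in NETS.items() if net.overlaps(zone)}
    if not any(net.subnet_of(zone) for zone in NETS.values()):
        hit.add("outside")  # broad ranges such as 0.0.0.0/0 also reach the internet
    return hit

def audit(rules):
    """Flag allow rules that let a machine cell talk to anything except the DMZ."""
    findings = set()
    for rule in rules:
        if rule["action"] != "allow":
            continue
        for s in zones_touched(rule["src"]):
            for d in zones_touched(rule["dst"]):
                involves_cell = s.startswith("cell-") or d.startswith("cell-")
                if s == d or not involves_cell:
                    continue  # same-VLAN traffic or no machine involved
                if "dmz" not in (s, d):
                    findings.add((rule["id"], f"{s} -> {d}"))
    return sorted(findings)

if __name__ == "__main__":
    for rule_id, path in audit(RULES):
        print(f"rule {rule_id}: {path} bypasses the DMZ")
```

Rules 1 and 2 pass because one end is the DMZ; the office-to-machine rule, the machine-to-anywhere rule and the machine-to-machine rule are reported.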
