How to Isolate Manufacturing Machines from Corporate Network While Transmitting Data?

Asked By TechNinja89 On

I've recently taken on the IT management role for a small machine shop, and I'm facing a challenge. Right now, our CNC machines and other related equipment are connected to the main corporate data network. My goal is to set up a separate VLAN that doesn't connect to the internet, effectively isolating these manufacturing machines from the corporate network.

The issue is that our engineers currently send programming data to these machines over the network. I need to figure out how other admins in the manufacturing sector are handling this separation while still allowing programming information to reach the machines. Using USB drives isn't a viable option for us because our compliance requires BitLocker encryption, and the manufacturing machines can't work with BitLocker. Additionally, sharing USB drives between corporate computers and machines with outdated operating systems seems risky. Any advice on this would be greatly appreciated!

5 Answers

Answered By SafetyFirst99 On

A good practice is to implement a default deny policy between the corporate network and your CNC network, allowing only the necessary IPs, ports, and protocols to access the CNC setups. That way, you keep your manufacturing machines secure.

Answered By FirewallGuru25 On

If your operation is small, using VLAN ACLs could work for you. But if not, a dedicated firewall can help a lot. You can set specific rules to permit contact between the industrial machines and designated IT machines while preventing anything outside of those rules from accessing the manufacturing network. Just know it's not an air gap, but it might be the right compromise for your needs.

Answered By NetWizard42 On

You might want to consider setting up a file server that can connect to both your corporate network and the secured manufacturing network. There are various ways to configure this, like using VLANs or multiple network interfaces. It can allow for smoother data transfer while maintaining security.

EngineerGuy77 -

Yeah, that’s pretty much what we've done, and it works well!

Answered By OldSchoolTech45 On

Consider setting up a jump box with the appropriate software that engineers can use to access the machines. It adds a layer of separation while allowing necessary communications. Just don't think of any ancient setups—it's for functionality, not nostalgia!

Answered By DataSavior88 On

Figure out the exact methods you are using to transfer data and see if they're based on standard IP protocols. If so, you might be able to configure your network to allow those transfers while restricting other access.
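The default-deny allowlist that several answers describe, as an added example that is not from any of the posters: a small Python model that checks which connections an inter-VLAN policy would permit and flags allowlist entries that are too broad. The subnets, host addresses, ports, and the transfer server and jump box placement are all assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

# Constructed addressing for illustration; substitute your own VLAN subnets.
CORP = ip_network("10.10.0.0/24")   # corporate VLAN
CNC = ip_network("10.20.0.0/24")    # manufacturing VLAN, no internet route

class Rule(NamedTuple):
    src: str      # CIDR allowed to initiate the connection
    dst: str      # CIDR being reached
    proto: str
    port: int
    note: str

# Allowlist of who may INITIATE a connection; anything not listed is dropped.
# Reply packets are assumed to be handled by the firewall's state tracking.
ALLOW = [
    Rule("10.10.0.32/28", "10.20.0.5/32", "tcp", 445, "engineering PCs to transfer server"),
    Rule("10.10.0.32/28", "10.20.0.6/32", "tcp", 3389, "engineering PCs to jump box"),
]

def match(rules, src, dst, proto, port) -> Optional[Rule]:
    """Return the first rule permitting the flow, or None for default deny."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (s in ip_network(r.src) and d in ip_network(r.dst)
                and proto == r.proto and port == r.port):
            return r
    return None

def audit(rules) -> list:
    """Flag rules broader than 'corporate source reaching one CNC host'."""
    findings = []
    for r in rules:
        src, dst = ip_network(r.src), ip_network(r.dst)
        if not src.subnet_of(CORP):
            findings.append(f"{r.note}: source {src} is not inside {CORP}")
        if not (dst.subnet_of(CNC) and dst.num_addresses == 1):
            findings.append(f"{r.note}: destination {dst} is not a single CNC host")
    return findings

if __name__ == "__main__":
    flows = [("10.10.0.40", "10.20.0.5", "tcp", 445),     # engineer to transfer server
             ("10.10.0.200", "10.20.0.5", "tcp", 445),    # other corporate PC
             ("10.20.0.11", "10.10.0.40", "tcp", 445),    # CNC machine to corporate
             ("10.20.0.11", "203.0.113.10", "udp", 53)]   # CNC machine to internet
    for f in flows:
        print(f, "ALLOW" if match(ALLOW, *f) else "DENY")
    print(audit(ALLOW + [Rule("0.0.0.0/0", "10.20.0.0/24", "tcp", 445, "any to CNC")]))
```

Only the first sample flow is allowed; the extra rule passed to the audit is reported twice, once for its source and once for its destination.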
