Computerized test equipment - network or not? Virus safeguard issue

[tkamiya]

I'm really not sure where to put this question.  But it's about OS in test equipment, so I'm going to put it here.

As we all know, many equipment are based on PC for not only UI but for base functions.  Some are based on Linux, some are based on proprietary stuff, some are Windows 95 to Windows 10.  My logic analyzer is based on Windows 2000.  I can access it from different PCs or print to my network printer, if I put it on a network.  My HP3048A runs on anything from DOS to HPUX to HP Basic running on Win10.  I think my Siglent runs on some kind of Linux based OS.

However, what about virus and other intrusion problems?  I have regular PCs on the same subnet.  If one gets infected with virus or something, it can act as a host and contaminate all PCs on my network.  I can't simply upgrade the OS to the latest as all drivers and software are not written to run on anything later, and it's already de-supported.

So here's a question...  do you connect your test equipment to your network, or do you air-gap it? 

[Kleinstein]

This is a good point - especially for the PC (x86 based) systems. With other CPUs, espeicallly Linux variant on ARM (other non x86 CPUs) I would be less afraid, as there are not many virusses around effecting ARM systems. In addition the chances are good that the Linux systems would be relatively well limited to the parts actually needed and thus not effected by most security issues.

[Fungus]

Start by scanning for open ports on the test gear and see what you find.

[DaJMasta]

Air gap is going to be the convenient way, but the sort of lesser versions of that could be a change of protocol (GPIB or USB control to a network connected machine), or a local network.  A lot of PCs, at least desktops, will have a second ethernet port, so if you have a local net for your equipment that gets to that port but which isn't bridged over to your internet connected network, while it's not as secure as a true air gap, it can be a good combination of security and usability.

[RoGeorge]

I have all my network capable instruments in their own LAN, with a dedicated switch and no Internet connection.

The desktop PC has two LAN cards with two different IP clases, one of which is for instruments only.  The other network card is for LAN connections with the router for my ISP and other devices requiring Internet access.

It happens that everything is running Linux, I ditched Windows some years ago.

[nfmax]

A very timely question! I am currently in the process of splitting my home network up into separate (V)LANs  for different purposes, with a firewalling router to allow only what connections between them I choose. Test gear, on the 'orange' LAN, can be accessed by trusted (i.e. fully up-to-date patched) machines on the 'blue' LAN, but can itself access only specific ports on the 'green' LAN, which hosts printers and servers. There is no access from the 'orange' to the 'blue' LAN, nor to the Internet. I can access the 'orange' LAN remotely over an IPsec/IKE VPN, from a trusted machine.

I also have other LANs for specific purposes, with their own firewall rules

[tv84]

Network segmentation/isolation doesn't do much if the PC used to access the equipment is compromised.

So, it's essential to take care of that machine also.

[nfmax]

Network segmentation/isolation doesn't do much if the PC used to access the equipment is compromised.

So, it's essential to take care of that machine also.

Agreed - that's why I said trusted machines. It is important to identify the threat. I suspect with my test equipment the main risk is that of an old, unpatched system being compromised and used as a staging post to attack other, more valuable targets on the local network. In my case that is blocked because the test equipment cannot access anything (except for other test equipment) other than printers, and those only through specific print protocol ports.

In another situation, the main risk might be of exfiltration of sensitive data from test equipment to the Internet. In my system that cannot be done directly: it would be necessary to compromise a trusted machine on the 'blue' LAN first.

I have also set up a firewall rule of last resort, that blocks old, unpatched, systems from the WAN by their MAC addresses. They can't access the Internet no matter which LAN they are connected to (except possibly if someone attached a USB network dongle - but that requires physical access)

[tv84]

Agreed - that's why I said trusted machines. It is important to identify the threat.

I was not referring to your msg in particular as you know perfectly well what you are doing.

It was more as an additional checkpoint to OP and some others.

BTW, although the term "trusted" is well defined in the security community, generally people don't assign the proper meaning (security-wise) to it and consider their personal PC a "good ol' trusty" device just because it has a fast proc/mem and Windows doesn't crash... They are taught that the only thing "untrusted" is the internet, whatever that means...

[artag]

This is one of the reasons I find it difficult to justify using Windows on specialised equipment. There would be an advantage if you could write your own (or buy) extensions to the functionality, but as far as I'm aware that's not usually the case, at least on low-end equipment.

I would regard patching the OS with Microsoft upgrades as risky, as it may break the main functionality.

So it just ends up being a component with a relatively short life : maybe even planned obsoiescence.

Of course, any publicly-available OS such as Linux potentially suffers the same problems (remember Stuknet ?), but Windows seems a particular problem as it's likely to suffer collateral damage.
 

[coromonadalix]

Anything who goes on the net is not to be trusted,  sorry whatever the OS is.

For metrology  or any test equipment  you use a closed network,  you need to add files or programs   you use an usb key or any medium you can scan for virusses or threats before plugiin / putting it in the closed network

"Trustable" machines is not a perfect term,    since i worked in a military coumpound i know a few things, trustable people is important too.

You close every usb ports, disable floppys, disable dvdr drives etc ...  scan for open gateways or ports,  you get the idea    we had only one computer who could go on the net, isolated from everything,  anything downloaded was screened multiple times.

But it get contradictory  if you need as wrote earlier to add files or programs, you get vulnerable at this point until the task is done, and you have to do checks aftewards.

The threats are the people, the machines and the transport mediums you use to do your job.

A good rule in network settings is to accept only identified and permitted mac adresses,  good firewalls, nat translations, updated antivirus, kill non authorized wi-fi or Bluetooth signals,    the list goes on.   We used Fortinet based routers,  they almost blocked everything  lolll maybe too much.

One thing i've seen good, are deepfreezed machine(s), works wonders in many cases,  a single reset cleared most of the damadges.

Even now  a single image may contain bad code(s), an mp3 can do bad things too,  any documents  .... i'm not paranoid, but Ive seen too many things  loll

[capt bullshot]

I have all my network capable instruments in their own LAN, with a dedicated switch and no Internet connection.

The desktop PC has two LAN cards with two different IP clases, one of which is for instruments only.  The other network card is for LAN connections with the router for my ISP and other devices requiring Internet access.

It happens that everything is running Linux, I ditched Windows some years ago.

+1 on this, especially the segmented network and using Linux.
For segmentation, one could also use VLANs and manageable switches to save some cabling.

[jjoonathan]

+1 for segmented networks

Even if you don't habitually click on every phishing mail that lands in your inbox, first-party malware is on the rise these days and it pays to be prepared.

[phlegeton]

Segmentation of networks is a good thing (don't use default route ;-) However keep in mind a regular 'packet firewall' (layer 2 or layer 3 and above) is not able to stop viruses or malware. Every network port which is set open in a firewall is a potential security risk. Most likely the standard ports, since DNS, HTTP(s), SSH etc. are always needed.. Even when source filtering / destination filtering is used. The question is: How far is one willing to go with network security, what does it cost, and what are the risk?

For example:
It's not only about segmentation, and using firewalls: What about: keeping every OS up-to-date, know the traffic on the network (even could as far as monitoring it for tcp flags which shouldn't be set).  etc. etc.. And how about the own written software for doing automated measurements / tests. Is this software written with security in mind? or is it something that needs to be added later... How to deal with DNS (cache) poisoning ? DHCP snooping ? (and I could go on and on...) It's all about the weakest link

So is the extra complexity actually helping? or does it just add this extra complexity, cost, and security procedures with no real benefits at all?

[Bicurico]

In an industrial/academic environment, where test equipment is used, it is perfectly acceptable to have a dedicated and isolated network with computers that are not otherwise connected to the internet or company network.

[graybeard]

The company I work for forbids (as a fireable offense) connecting anything to a computer usb or network (isolated or not) not provided by IT.  Test equipment must have IEEE488 or a serial interface to be connected to a computer.

[nfmax]

The company I work for forbids (as a fireable offense) connecting anything to a computer usb or network (isolated or not) not provided by IT.  Test equipment must have IEEE488 or a serial interface to be connected to a computer.

And of course GPIB & serial interfaces are going the way of the Dodo. Still, you have the perfect excuse not to show any test results in your monthly reports

[tkamiya]

My home network is already segmented.  One side has no way to see the other side.  I call it, green zone and pink zone.  I used to have a red zone as well.  I don't want to go into any more details on a publicly viewable forum.  But One side is for PC and the other side is IoT devices where I have no control over security.  Most of them do not issue security updates.  There are no devices that are connected to both.

All PCs are kept up to date on updates and I don't randomly download stuff from internet or click unknown buttons.  Yet, these days I can never be sure if I'm doing enough.  Chances are, probably not.  I probably am only preventing harm from casual hackers.

My issue is, test equipment doesn't always (more likely never) accept latest OS and sometimes latest patches without risking loss of functionality.

I guess I'll have to setup a third network that doesn't connect to Internet at all.  I'm really not comfortable putting anything less than latest OS on internet.  I can have a dedicated PC in my office too access them.  Thanks all for assistance. 

[Bicurico]

You should never expose any device that is not running with the latest patches to the internet. That includes test equipment.

[tkamiya]

I know?   

[0culus]

I'm really not sure where to put this question.  But it's about OS in test equipment, so I'm going to put it here.

As we all know, many equipment are based on PC for not only UI but for base functions.  Some are based on Linux, some are based on proprietary stuff, some are Windows 95 to Windows 10.  My logic analyzer is based on Windows 2000.  I can access it from different PCs or print to my network printer, if I put it on a network.  My HP3048A runs on anything from DOS to HPUX to HP Basic running on Win10.  I think my Siglent runs on some kind of Linux based OS.

However, what about virus and other intrusion problems?  I have regular PCs on the same subnet.  If one gets infected with virus or something, it can act as a host and contaminate all PCs on my network.  I can't simply upgrade the OS to the latest as all drivers and software are not written to run on anything later, and it's already de-supported.

So here's a question...  do you connect your test equipment to your network, or do you air-gap it?

Air gap it and sneakernet anything you need over. Most (all?) of it is unpatchable and should not have a route to the internet.

[jjoonathan]

keeping every OS up-to-date

latest patches

First party malware.

They got away with FTDI, they got away with breaking a ton of embedded installs with win7 expiration advertisements, they got away with forcing microsoft.com cloud accounts for anyone who didn't know about the ethernet workaround. It's only going to get worse from here.

[PwrElectronics]

Back in the mid '00s, we got a new Lecroy scope at work.  I was not involved with the purchase but later used this scope a fair amount.  It ran a early version of Windows XP.  It was connected to the company network.  It was super convenient to setup and drop data right to your project directory on the network.

Then, IT updated anti-virus software and it was pushed out to everything on the network.  Pretty much killed that lecroy.  Now it took about 15 min to boot up and was so slow as to be unusable.  I had to work with IT to get them to remove network access from the scope and uninstall that AV software.  It was a pain.

The next Lecroy we got in 2008 with XP, I made sure IT never heard of its existence and it has never been setup to access the company network.  We have a few other upper level scopes from Lecroy, Keysight, and TEK around that I am sure could be configured to be on the network but have not.  Data ends up being saved to a flash drive so its "sneaker-netted"....

Generally, write access to flash drives is disabled on most engineering laptops by default and you need to get manager sign off to enable it.  Most of the test lab engineers have access as they often have more of a mix of equipment to deal with and save data from various data logging equipment that uses a PC for a user interface.  Design engineering unless you need to use some stand-alone programmer, etc its a use case.