20
irene
3y

I was working in a manufacturing facility where I had hundreds of industrial computers and printers that were between 0 and 20 years old. They were running on their own clean network so that someone has to be in the manufacturing network to access them. The boss announced that the executives will be pushing a “zero trust” security model because they need IoT devices. I told him “A computer running Windows 98 can’t be on the same VLAN as office computers. We can’t harden most of the systems or patch the vulnerabilities. We also can’t reprogram all of the devices to communicate using TLS or encrypt communications.“ Executives got offended that I would even question the decision and be so vocal about it. They hired a team to remove the network hardware and told me that I was overreacting. All of our system support was contracted to India so I was going to be the on-site support person.

They moved all the manufacturing devices to the office network. Then the attacks started. Printers dumped thousands of pages of memes. Ransomware shut down manufacturing computers. Our central database had someone change a serial number for a product to “hello world” and that device got shipped to a customer. SharePoint was attacked in many many ways. VNC servers were running on most computers and occasionally I would see someone remotely poking around and I knew it wasn’t from our team because we were all there.

I bought a case of cheap consumer routers and used them in manufacturing cells to block port traffic. I used Kali on an old computer to scan and patch network vulnerabilities daily.

The worst part was executives didn’t “believe” that there were security incidents. You don’t believe in what you don’t understand right?

After 8 months of responding to security incident after security incident I quit to avoid burning out. This is a company that manufactures and sells devices to big companies like apple and google to install in their network. This isn’t an insignificant company. Security negligence on a level I get angry thinking about.

Comments
  • 2
    I hope you work at a better company now. Also were there any other on site employees that could help you
  • 1
    Just the iot aspect makes
    Me shudder and seems entirely outside the requirements of the scenario you described
  • 0
    @molaram The company coul conduct a investigation if the hack was big enough to care and he would be fired. Better to tell the big customers like google anonymously
  • 2
    @Sony-wf-1000xm3 There was always a contracted on-site IT guy but it would be a different guy every month or two.

    My main worry is that they were making industrial devices. Those devices failing could destabilize the whole internet. Like I hear the company name in security podcasts. The company is too big and important for this sort of behaviour.
  • 0
    This almost sounds like it is intentional. Does someone in charge have a death wish for the company? I guess they could just be really stupid.
  • 2
    @Demolishun it wasn’t intentional. The executives would go to company conferences and sit through sessions about manufacturing innovations.

    They came back from a conference where they saw “the future” with internet connected sensors and the ability to manage and control the factory from anywhere. The old factory couldn’t be “smart” because it is a closed system. The factory of the future is “smart” and always connected. For that future you need to use a zero trust security model.

    They got back and said “We don’t want to have an old facility stuck in the past. The big step that enables ‘smart’ is the zero trust security model. That was what the guy said. We need to do that.”

    I wish I were joking.
  • 1
    If your company operated in the EU and would fail to even report one such incident would make them drown in fines
  • 1
    @Katakompe They are headquartered in the EU. To my knowledge only one of the SharePoint incidents was reported. The problem was that the intruders weren’t sticking around long enough for our offsite support, which took days to respond, to be able to catch in the act. So according to the support contractor it was all hearsay and they didn’t find anything.
Add Comment