This is an open question. I don't really know if this is the best place to ask this, but I couldn't think of anywhere else.
Jump to the TL;DR if you don't want/need the context.
I make software for industrial machines. Some of them have traditional computers, which are mostly used for interfacing and human operation, while the operation control is always handled by a PLC.
Some new challenges have been coming up lately: it is increasingly important to extract data from those machines, usually on an OT network, and transport it to the normal corporate network so management can analyse it, etc.
Usually, my approach is quite direct: get a cable, connect the SCADA computer to a server somewhere, and let the customer's IT department do their magic.
My issue is that most IT departments nowadays are not allowing me to get the cable connected anymore, unless they're able to manage the SCADA computers and networks, applying domain security that always blocks automation software from operating (10 out of 10 cases, they use low-level code that monitors the network traffic and drivers, and this is always considered spyware by corporate antiviruses) and Windows updates that break those applications quite often (that's why we tend to work with only tried, tested and validated Windows images).
The SCADA software is industry standard. I don't have full-stack control over it, meaning I can't track all the services and associated tasks that are vital for its functioning, and I certainly cannot change how it works.
PLCs are not designed to respect corporate network security either. They don't have OSes (most of the time), there's no user management or patching, they are crude little machines.
TL;DR:
Customer goals:
- Extract the machine data from my SCADA automatically;
- Manage user credentials automatically;
- Protect against attacks from the machine side to the corporate network;
- Protect against attacks to the machine side from the corporate network;
- Patch the machine's Windows computer.
My goals:
- Make machine data available to customer;
- Make it possible to update credentials automatically;
- Block usage of firewalls between SCADA PC and PLC;
- Only use the tried/tested/validated Windows image on SCADA PCs;
- Keep customer's security.
So basically, I need some insights to learn how to improve my machine's security and at the same time understand the IT guy and try to find some compromises, that sweet spot where we can talk to each other instead of "flattering" each other's mothers. Jokes aside, I was wondering if deploying a Linux server between the machine network and the corporate network, DMZ style, would be a good compromise... Well, let me hear your insights.
I tried following IBM's Security Architecture course online, tried to understand more about corporate networks, and did some research by myself.
I was expecting to find a path or some clarity, but this area is so vast and specific. Most material available simply isn't catered for people with my background, and most examples and exercises were simply too different to be useful under my circumstances.