Dan_S

MrPLC Member
Hi Jaker, I'll take a crack at some of your questions. In the interest of full disclosure, I work for a company that makes industrial networking gear, including a firewall/router/VPN appliance; but I'll yank off the ol' marketing hat and give you an objective answer. I'll recuse myself from the specifics about which PLCs/HMIs are more vulnerable than others, but suggest you read up on Project Basecamp (http://www.digitalbond.com/2011/09/01/project-basecamp-hacking-plcs/), which is an ongoing project researching ICS vulnerability.

Security is analog, not binary, so you can't go from "totally open" to "totally secure" by flipping a switch. Putting in a router with firewall/VPN is an excellent start though, so long as you take a little time to configure it properly. That is, you can get the best firewall in the world and still set it to "accept all" and you've not made yourself any more secure. The firewall will allow you to restrict traffic by IP address and type of traffic (Modbus, HTTP, etc.) and often MAC address as well (a lot more work to manage this though). It is better to be more restrictive and then just open what you need to make it work, than to open everything to make it work and then try to "tighten it down" later. I don't know of any PLCs built with a firewall in them (yet), but it's a great idea that will one day come to pass.

Point-to-point links like T1 lines are much less common now because a. they are really expensive, b. it's easy to get 5 or 10mb from a Comcast or Verizon type ISP for like $30/month and c. the technology to do this securely has come a long way. A lot of our customers use VPN as a way to secure their inexpensive "public" connection. With a VPN, it's like you have a 1000 mile patch cable that connects you to your remote network. And many VPNs let you go site to site (in addition to single user to site) so that a single connection can give a team of engineers/technicians the access they need.

One last point about security - make sure that whatever firewall and other security you use, take the time to set up its logging and to then review those logs. It's a great way to ensure there isn't anything malicious (or even accidental) going on on your network. Best of luck, Dan
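The two practices Dan describes above, a default-deny allow-list that only opens the Modbus and HTTP paths actually needed and a routine review of what the firewall logged as denied, shown as an added example that is not part of his post or any vendor's product; all addresses, hosts and log lines are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed allow-list, "be restrictive, then open what you need":
# (source network, destination host, protocol, port). Unmatched traffic is denied.
ALLOW_RULES = [
    ("10.0.5.0/24", "192.168.1.10", "tcp", 502),  # engineering subnet -> PLC, Modbus/TCP
    ("10.0.5.0/24", "192.168.1.20", "tcp", 80),   # engineering subnet -> HMI web page
]

def decide(src_ip, dst_ip, proto, port):
    """Default-deny policy: ("allow", rule) on the first match, else ("deny", None)."""
    src = ipaddress.ip_address(src_ip)
    for rule in ALLOW_RULES:
        net, dst, rule_proto, rule_port = rule
        if (src in ipaddress.ip_network(net) and dst_ip == dst
                and proto == rule_proto and port == rule_port):
            return "allow", rule
    return "deny", None

def log_line(src_ip, dst_ip, proto, port):
    """Record every decision in a syslog-style key=value line so denies can be reviewed."""
    verdict, _ = decide(src_ip, dst_ip, proto, port)
    return f"FW {verdict.upper()} src={src_ip} dst={dst_ip} proto={proto} dport={port}"

def review(log_lines):
    """Count denied connection attempts per (source, port): the log check Dan recommends."""
    denied = Counter()
    for line in log_lines:
        if not line.startswith("FW DENY"):
            continue
        fields = dict(kv.split("=", 1) for kv in line.split()[2:])
        denied[(fields["src"], fields["dport"])] += 1
    return denied

if __name__ == "__main__":
    # Constructed traffic: two legitimate sessions and an outside host probing Modbus.
    traffic = [("10.0.5.7", "192.168.1.10", "tcp", 502),
               ("203.0.113.9", "192.168.1.10", "tcp", 502),
               ("203.0.113.9", "192.168.1.10", "tcp", 502),
               ("10.0.5.7", "192.168.1.20", "tcp", 80)]
    logs = [log_line(*flow) for flow in traffic]
    for entry in logs:
        print(entry)
    for (src, port), count in review(logs).items():
        print(f"review: {count} denied attempt(s) from {src} to port {port}")
```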