22 – Cybersecurity Inspection of Industrial Control Systems

(In the technical department meeting room of the food factory, Engineer Zhao sits at the main position of the conference table with a laptop, projecting the workshop network topology on the screen. Engineer Zhang flips through the equipment ledger, while Assistant A holds a freshly printed PLC parameter list.)

Engineer Zhao (typing on the keyboard): Engineer Zhang, have you heard about the incident at the beverage factory next door last week? Hackers tampered with the filling machine program through a remote port. We need to take this opportunity to conduct a comprehensive inspection of the cybersecurity of our industrial control systems. The IT department just completed a full network scan of the factory and found 17 high-risk vulnerabilities in the production network. Today, we will focus on reviewing the inspection checklist.

Engineer Zhang (pushing up his glasses): Engineer Zhao, you came at the right time. Our technical department has also been rectifying industrial control security recently. However, the perspective of the IT department is definitely different. Can you specify where we should start checking?

Engineer Zhao (pulling up the scan report): Let’s first look at the network architecture — your production network and office network are actually on the same subnet! If the finance department’s computer gets infected, the virus can easily reach the fermentation tank’s PLC. Our IT department’s standard is to implement “three-layer isolation”: the office network, production monitoring network, and control network must be strictly separated, with industrial firewalls in between for unidirectional access control.

Assistant A (pointing at the topology diagram): Engineer Zhao, look, this is our current wiring method. The upper computer in the packaging workshop can directly connect to the administrative department’s Wi-Fi, which is said to be convenient for production statistics…

Engineer Zhao (frowning): This is simply running naked! Last year, a company was breached by ransomware in this way, and the upper computer became a springboard. We must immediately disconnect cross-border connections, install an independent wireless router for the production network, enable WPA3 encryption, hide the SSID, and only allow authorized tablets to connect. Assistant A, make a note that all upper computers’ Wi-Fi modules must be disabled by the end of the day, and use wired connections instead.

Engineer Zhang (flipping to a certain page in the ledger): The remote maintenance aspect is indeed a bit chaotic. The vendor said it was convenient for debugging, and installed “Sunflower” software on three PLCs, with passwords being the last six digits of the device numbers. Engineer Zhao, does your IT department have a standardized remote access plan?

Engineer Zhao (opening an encryption software interface): The problem lies here! Last week’s scan revealed that your sterilizer’s PLC still has the 3389 remote desktop port open, and can be logged in with a weak password. The correct approach is to deploy a “bastion host”, and all remote operations must go through it, with full video auditing. Look at our IT department’s plan: using VPN + two-factor authentication, every remote access requires a work order application, automatically disconnecting after timeout, and logs are kept for six months.

Assistant A (suddenly looking up): No wonder when the German engineer was debugging the homogenizer, Engineer Zhao, you kept sending verification codes! It turns out it wasn’t unnecessary.

Engineer Zhao (smiling): That’s to prevent both internal and external threats. Last month, we caught an abnormal connection attempting to log into your S7-1200 from a foreign IP, which was blocked thanks to two-factor authentication. Engineer Zhang, you need to delete all default accounts and set passwords to a combination of “uppercase + lowercase + numbers + special characters”, with a minimum length of 12 characters — Assistant A, check the password complexity of key devices now and note it down.

Engineer Zhang (pointing at the red nodes on the topology diagram): The network in the fermentation workshop was set up five years ago, and now it has become “an island within an island”, so how do we connect it to the central control room? The operators always complain that it’s inconvenient to view data.

Engineer Zhao (drawing an isolation gateway on the diagram): Use a “data diode”! Allow data to flow from the control network to the monitoring network unidirectionally, but the monitoring network cannot send commands back. It’s like installing a one-way valve in a fish tank; water can flow out, but impurities cannot come in. Look at the renovation case in the candy workshop; after the data diode was activated, operators in the monitoring room could see real-time curves but could not change the stirring speed, ensuring safety without affecting production.

Assistant A (taking out a temperature recording device): How do we transmit sensor data? The temperature curve of the sterilizer must be summarized to the MES system, right?

Engineer Zhao (pulling up the encryption protocol document): Use the secure channel of OPC UA, issuing a “digital certificate” to each sensor. The ordinary Modbus protocol is like shouting slogans; anyone can hear it; encrypted transmission is like writing a secret letter that only the recipient can decrypt. Last week’s inspection found that your molasses flow meter was still using plaintext to transmit data, and packet capture software could analyze it to read even the formula ratios.

Engineer Zhang (tapping the table): What about old equipment? The Siemens S7-300 in the cold storage hasn’t even had firmware updates; does the IT department have a solution?

Engineer Zhao (opening the vulnerability database): Such “zombie devices” are the most dangerous. Last year, ransomware specifically targeted vulnerabilities in this type of module. Our solution is to install an “industrial firewall”, allowing it to communicate only with specific IP addresses in the central control room, opening only necessary 502 ports and blocking all others. It’s like installing security bars on an old house; while you can’t change the door, you can prevent thieves from entering.

Assistant A (suddenly remembering): Engineer Zhao, last week I found that the PLC on the packaging line kept reporting “connection timeout”; is the firewall set too strictly?

Engineer Zhao (remotely logging into the firewall): Look at this log; there are more than 200 scanning requests from the office network every hour, and the firewall is automatically rate-limiting. This is not a fault; it’s normal protection. However, your rules do have a problem — allowing PLCs to access external NTP servers leaves a backdoor open. Change it to synchronize with an internal time server, and set the outbound rules to “only allow responses, not allow active connections”.

Engineer Zhang (reviewing the maintenance records): Speaking of logs, our device logs are always overwritten in a very short time, and we can’t even keep logs for a week. Last time, I wanted to check who modified the fermentation parameters, but I couldn’t find the records at all.

Engineer Zhao (showing the log server interface): We must establish a “log audit center”, where all PLCs, upper computers, and switches store logs centrally, keeping them for at least 90 days. Our IT department’s system can automatically analyze abnormal operations, such as logging in at midnight or batch parameter changes, which will trigger alarms. Last month, we caught a maintenance worker who made a mistake thanks to this, saving three batches of yogurt from loss.

Assistant A (pointing at the corner of the screen): What does this “shadow IT” mean? It was marked in red in the scan report.

Engineer Zhao (zooming in on the topology diagram): You secretly connected a wireless AP! It’s right in the power distribution cabinet of the sterilization workshop, said to be convenient for maintenance workers to debug. This thing is not connected to the firewall, directly exposing the control network to the entire factory’s Wi-Fi. During last week’s audit, we found that even the cafeteria’s POS machine could ping your PLC. Assistant A, go unplug it now; if you need to use it, go through the IT department for approval. We will install an enterprise-grade AP with intrusion detection capabilities.

Engineer Zhang (looking troubled): Engineer Zhao, your plan is standardized, but production cannot stop. For example, if the firewall rules are too strict, how do we handle it if the vendor’s remote debugging takes half a day to get approved?

Engineer Zhao (pulling up the emergency plan): We have already considered this. Establish an “emergency channel”, which is usually locked down, but can be temporarily opened in emergencies with authorization from the workshop director, technical department, and IT department, with full video recording and automatic closure after timeout. Last time, when the homogenizer malfunctioned, it only took 15 minutes from application to opening, which was faster than your previous direct port opening.

Assistant A (suddenly raising a hand): By the way! Our Profinet network keeps dropping; is it because the encryption affects the speed?

Engineer Zhao (opening a packet analysis software): It’s not an encryption issue; it’s because you turned off the switch’s “storm suppression”. Last week, packet capture revealed that the sensors on the packaging line were sending 3000 broadcast packets per second, saturating the bandwidth. Industrial networks need to implement “traffic shaping”, giving control messages the highest priority and rate-limiting non-critical data. We have already adjusted the parameters; Assistant A, you should test it this afternoon; it should solve the disconnection issue.

Engineer Zhang (flipping through the new equipment list): The newly arrived German fermentation tank has cloud platform functionality, which is said to enable remote diagnostics. Is it okay to connect this to the control network?

Engineer Zhao (frowning): This kind of “smart device” is the most dangerous! Last week’s scan found that it had the 445 port open by default and was secretly uploading data to overseas servers. We must implement “network isolation”, creating a separate DMZ zone for it, opening only necessary diagnostic ports, and installing an intrusion prevention system to monitor it. Assistant A, remember to have the vendor disable the cloud functionality; if needed, route it through our internal proxy server.

Engineer Zhao (opening his notebook): Lastly, regarding vulnerability management. Your PLC firmware hasn’t been updated in an average of three years, and the S7-1200 is still using a relatively old version, which has three high-risk vulnerabilities that can be exploited remotely. The IT department has compiled a “device whitelist”, indicating which can be updated with firmware and which need to be replaced — Engineer Zhang, you need to schedule a time next week for us to cooperate on the downtime for updates.

Assistant A (taking quick notes): Let me summarize the key inspection points: three-layer network isolation, remote access through a bastion host, logs stored for 90 days, cleaning up shadow IT, device firmware updates, and new devices designated to a DMZ zone, right?

Engineer Zhao (nodding): There’s also a key point — starting next week, we will conduct monthly “red team exercises”, where our IT department simulates hacker attacks, and your technical department defends. After three drills, you will know where the vulnerabilities are. Last year, the candy factory discovered weak password vulnerabilities in the upper computer through drills; otherwise the losses would have been significant.

Engineer Zhang (closing the ledger): Alright, let’s proceed as you said. Engineer Zhao, please send more people from your IT department to guide us, especially regarding the firewall configuration; our technical department is indeed not professional in IT. Assistant A, starting tomorrow, you will follow Engineer Zhao’s team and compile a list of issues every day.

Engineer Zhao (putting away his laptop): It’s a pleasure to cooperate! The cybersecurity of the food factory’s industrial control systems is not just the responsibility of the IT department or the technical department; it needs to be like making yogurt — the IT department is the “starter culture”, and the technical department is the “raw material”, and they must be mixed well to produce a good product. Assistant A, here is the “Industrial Control System Security Inspection Manual” we compiled, which contains specific operational steps; you can look at it first and feel free to ask if you have any questions.

Assistant A (taking the manual): Thank you, Engineer Zhao! I will check the password complexity of the PLC now and dismantle the wireless AP this afternoon. Engineer Zhang, should I contact the vendor to disable the cloud functionality of that German fermentation tank now?

Engineer Zhang (standing up): Go ahead, report any issues at any time. Engineer Zhao, stay here for lunch; let’s discuss the specific configuration of the emergency channel while we eat — after all, safety in production must not be compromised.

Engineer Zhao (smiling as he stands up): Sure, I’d love to try your new probiotic yogurt. By the way, I have already set up the account for the audit log system; your technical department’s permission is to view it, and changing the rules requires approval — this is also part of security.