nttt
Viewer

Endpoint security for engineers' devices

I am responsible for security measures at a manufacturing company. We have numerous software and hardware engineers on staff, and within our internal corporate network, we have:

  1. Operating systems (recently released OS) that are not yet supported by endpoint security tools such as EDR tools,

  2. Specialized devices (such as oscilloscopes) where endpoint security tools cannot be installed.

If anyone has experience in handling the security measures for such equipment, I would appreciate your insights.

3 Replies
denbesten
Community Champion

Our problem is more the other end.... old devices.  Our solution is a network segment that is (mostly) isolated from the rest of the corporate environment and has limited Internet access -- OS updates, software downloads, etc, but no general purpose web browsing.  And, they are joined to a "special" Active directory domain that has limited trust.

The engineers may hate it, but they can read their email and browse the web on "standard" devices and reserve the "special" ones for the more sensitive activities.

emb021
Advocate I

I would echo @denbesten's answer.  We did the same at Motorola.  Separate subnet for this equipment with strong access controls to limit access.  Make use of a whitelisting tool as well.

You also need good inventory on these devices, and for those that eventually CAN have an EDR tool, make sure you know when this is available, so they can be updated.

 

---
Michael Brown, CISSP, HCISPP, CISA, CISM, CGEIT, CRISC, CDPSE, GSLC, GSTRT, GLEG, GSNA, CIST, CIGE, ISSA Fellow
tatssa
Newcomer II



Since traditional EDR tools won’t work in these cases, other steps can help. One option is network segmentation, keeping these devices on separate VLANs with strict access controls to reduce risk. A Zero Trust approach is also useful, allowing only authorized users with the least necessary privileges.

Monitoring traffic with network-based security tools like IDS/IPS can help spot any suspicious activity. Even if full security software isn’t available, keeping systems updated is still important to reduce vulnerabilities. It’s also a good idea to limit internet access for these devices to prevent exposure to external threats.

 

If remote access is necessary, using a VPN with multi-factor authentication adds an extra layer of security. Lastly, making sure engineers are aware of security best practices can go a long way in preventing accidental risks.
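
Added example, not part of any reply in the thread: one way to check that an isolated engineering segment like the one described above is behaving as intended, by auditing outbound flow records against an egress allowlist and a device inventory that tracks EDR status. All subnets, addresses, ports, device descriptions and the flow-record shape are constructed assumptions.

```python
import ipaddress

# Every address, port and device below is constructed for illustration.
LAB_NET = ipaddress.ip_network("10.50.0.0/24")    # isolated engineering segment
CORP_NET = ipaddress.ip_network("10.0.0.0/8")     # rest of the corporate network
# Egress the segment may use: (destination network, destination port)
ALLOWED = [
    (ipaddress.ip_network("10.1.1.10/32"), 8530),  # internal OS update server
    (ipaddress.ip_network("10.1.1.20/32"), 443),   # software download mirror
]
# Inventory: address -> description and EDR status
# (edr is one of "unsupported", "available", "installed")
INVENTORY = {
    "10.50.0.11": {"desc": "workstation, new OS release", "edr": "available"},
    "10.50.0.12": {"desc": "oscilloscope", "edr": "unsupported"},
    "10.50.0.13": {"desc": "build host", "edr": "installed"},
}

def audit(flows):
    """Return (finding, src, dst, port) for outbound flows that break the policy."""
    findings = []
    for src, dst, port in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s not in LAB_NET:
            continue                      # only traffic leaving the segment is audited
        if src not in INVENTORY:
            findings.append(("unknown-device", src, dst, port))
        if d in LAB_NET or any(d in net and port == p for net, p in ALLOWED):
            continue                      # intra-segment or explicitly allowed egress
        kind = "corporate-access" if d in CORP_NET else "internet-access"
        findings.append((kind, src, dst, port))
    return findings

def pending_edr():
    """Devices for which an EDR agent now exists but is not yet installed."""
    return sorted(ip for ip, dev in INVENTORY.items() if dev["edr"] == "available")

# Constructed flow records: (source, destination, destination port)
SAMPLE_FLOWS = [
    ("10.50.0.11", "10.1.1.10", 8530),    # OS update, allowed
    ("10.50.0.11", "203.0.113.7", 443),   # general web browsing
    ("10.50.0.12", "10.2.3.4", 445),      # reaching a corporate file share
    ("10.50.0.99", "10.1.1.20", 443),     # allowed destination, device not in inventory
    ("10.50.0.12", "10.50.0.11", 22),     # stays inside the segment
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
    print("EDR rollout pending:", pending_edr())
```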