[pdx]

It seems like there's opportunity here. A little box with raspberry pi or similar device and two CAT5 connectors to be placed inline between the PLC and the network, as well as between the network and all other network based displays, interfaces, and sensors. This would allow non-hardened equipment on a non-hardened network to be easily retrofit with encrypted connections.

Edit: These already exist. [1] ;-( Oh well. Just need to have facilities start using them throughout the site.

[1] https://www.lifewire.com/best-vpn-enabling-devices-4140254

[snowwindwaves]

Devices exist to filter out modbus data that doesn't belong [0], but I have yet to see one in the wild. Whenever I have offered plant owners additional security such as a VPN endpoint at the satellite ISPs base station, they have opted against it due to cost.

[0] https://www.tofinosecurity.com/products/Tofino-Modbus-TCP-En...