A no-BS guide for Chicagoland manufacturers to find and fix risky smart devices (without ripping and replacing your whole network)
Let’s cut to the chase
If your shipping dock has a $60 camera on the Wi‑Fi, that is not security; it is an open door. In the Chicago metro area we keep seeing doorbell cams, smart thermostats, and random "helper" gadgets bridged onto the same flat network as ERP and MES systems. One outdated widget with one default admin password, and your plant is one pivot away from downtime.
We're local, based near Frankfort, and we walk the floor, not just the firewall. Here's what we're finding across suburban and city plants, and what to do next.
What’s sneaking onto plant networks (and where)
- Dock & yard: $99 IP cameras pointing at doors and lots; wireless scales on a "guest" Wi‑Fi that is bridged to the corporate LAN and isn't actually guest.
- On the line: Smart TVs used for KPI dashboards, tablets for work instructions, CNC/robot cells with “temporary” cameras for remote viewing that never got removed from guest networks.
- Facilities: HVAC systems, smart thermostats and badge readers chatting to the cloud from the same subnet as accounting.
- Warehouses: Offsite camera clusters streaming to consumer clouds over site-to-site tunnels.
Translation: convenience devices + flat networks = ransom note waiting to happen.
Real-world examples (no vendor bashing, just facts)
Verkada camera platform breach (March 2021): Attackers used an exposed super-admin credential to view live video from cameras at a large number of customers, including well-known manufacturers and tech firms. Lesson for plants: cloud-managed cameras aren't "set and forget." Treat them as computers: segment them, lock egress, and treat the vendor's admin portal as part of your attack surface (MFA, named accounts, audited access).
Widely exploited IP camera flaws (Hikvision & Dahua, 2021–2024): CISA has repeatedly warned about critical camera vulnerabilities being exploited in the wild; the 2021 Hikvision command-injection flaw (CVE-2021-36260), for example, is in CISA's Known Exploited Vulnerabilities catalog. Translation: if a $99 camera sits on the same flat network as ERP/MES, an attacker doesn't need to be clever, just connected. Check: pull the firmware version from each camera's web UI and compare it against the vendor's advisory list before assuming you're covered.
What it means for your floor: Put cameras, thermostats, TVs, and badge readers on their own VLAN, with a default-deny outbound policy on the firewall they pass through. Broker access for anyone who needs to view footage (VPN, reverse proxy, or the vendor's cloud portal); don't route IoT (Internet of Things) equipment straight into production.
Your smart device safety checklist (plant floor edition)
Use this list during a single 30–45 minute walk with IT + Ops. If you can’t check a box, you’ve found work.
1. Inventory the “non‑IT” IT.
- Cameras, TVs, thermostats, badge readers, scales, tablets, labelers.
- If you can't name it and say who owns it, it doesn't belong on the production network.
2. Segment your network—really.
- Cameras/thermostats on their own VLAN; ERP/MES on another; OT networks with no flat routes.
- Multisite? If, say, an Elk Grove warehouse needs camera access, use controlled, brokered access, like VPN, reverse proxy, firewall rules, or API gateways—don’t bridge subnets.
- If admin/admin still works, you don’t have a VLAN problem—you have a priorities problem.
3. Lock down outbound.
- Default-deny egress for device VLANs; allow only the vendor's documented cloud endpoints plus your own DNS and NTP.
- If a thermostat's talking to servers in Eastern Europe, or anywhere it shouldn't, block first and ask questions later.
4. Control discovery protocols.
- Keep mDNS/SSDP inside the device VLAN (no multicast relay or mDNS reflector into production) so TVs and tablets can't discover everything.
- “It just popped up!” is your cue to kill broadcast scope.
5. Harden credentials & updates.
- Kill defaults; rotate strong credentials; enforce MFA where supported; schedule firmware windows (quarterly is fine, just do it) and patch out of band when a flaw is being actively exploited.
- If the vendor won't document updates, isolate the device like a guest and plan its replacement.
6. Monitor the chatter.
- NetFlow/PCAP on device VLANs; baseline what each device talks to, then alert on new destinations, volume spikes, or DNS lookups that don't match the vendor's domains.
- A quiet network isn't proof of safety; a baseline you can explain is. Anything outside it is a finding.
7. Document and label.
- Asset tags + VLAN label + owner (Ops, Facilities, or IT).
- Ownership ends finger pointing.
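Steps 3 and 6 above are the ones you can actually script. The following is an added example (not the page's own tooling or code from the author): a small Python triage script that applies a default-deny egress allowlist and a baseline of known destinations to NetFlow-style records from a device VLAN, and flags lateral flows into production/OT, byte spikes, and DNS lookups outside the vendor's domains. The addressing (IoT VLAN 10.40.0.0/24, production 10.10.0.0/16, OT 10.200.0.0/16), the vendor ranges (RFC 5737 test networks and "example" domain names), the spike threshold, and the sample flows are all constructed placeholders; swap in your own exported flows and allowlist.

```python
"""Flow-record triage for an IoT/facility VLAN (added example, not the page's own code).

Assumed addressing: IoT VLAN 10.40.0.0/24, production 10.10.0.0/16, OT 10.200.0.0/16.
Vendor destinations use RFC 5737 test ranges and RFC 2606 'example' names as
placeholders; the flow and DNS samples below are constructed, not captured.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

IOT_VLAN = ip_network("10.40.0.0/24")
PROTECTED = [ip_network("10.10.0.0/16"), ip_network("10.200.0.0/16")]  # production + OT

# Step 3: default-deny egress. Only these (network, port) pairs are vetted.
EGRESS_ALLOW = [
    (ip_network("203.0.113.0/24"), 443),  # camera vendor cloud (placeholder range)
    (ip_network("10.40.0.1/32"), 53),     # local DNS forwarder
    (ip_network("10.40.0.1/32"), 123),    # local NTP
]
# DNS names the devices are expected to resolve (placeholder vendor suffixes).
DNS_ALLOW_SUFFIXES = ("example-cameras.com", "example-hvac.com")
# Step 6: destinations seen during the baseline window (constructed).
BASELINE = {"203.0.113.10", "10.40.0.1"}
SPIKE_BYTES = 10_000_000  # per-flow byte count we call a spike (tune per site)

SAMPLE_FLOWS = [  # (src, dst, dst_port, bytes) - constructed
    ("10.40.0.21", "203.0.113.10", 443, 120_000),     # camera -> vendor cloud, normal
    ("10.40.0.21", "10.40.0.1", 53, 300),             # camera -> local DNS, normal
    ("10.40.0.35", "10.10.5.20", 445, 4_000),         # thermostat -> ERP file server (!)
    ("10.40.0.35", "198.51.100.77", 443, 2_000),      # thermostat -> unvetted host (!)
    ("10.40.0.21", "203.0.113.10", 443, 40_000_000),  # camera -> vendor cloud, 40 MB (!)
]
SAMPLE_DNS = [  # (src, query name) - constructed
    ("10.40.0.21", "stream.example-cameras.com"),
    ("10.40.0.35", "k3x9qz.update-mirror.example"),   # not a vetted vendor domain (!)
]


def egress_allowed(dst, port):
    """True if dst:port matches a vetted (network, port) pair."""
    d = ip_address(dst)
    return any(d in net and port == p for net, p in EGRESS_ALLOW)


def triage_flows(flows, baseline=BASELINE):
    """Return (severity, rule, src, dst, detail) findings for device-VLAN flows."""
    findings = []
    for src, dst, port, nbytes in flows:
        if ip_address(src) not in IOT_VLAN:
            continue  # scoped to the device VLAN; other VLANs get their own policy
        d = ip_address(dst)
        if any(d in net for net in PROTECTED):
            # Step 2: there should be no route here at all; this is the loudest finding.
            findings.append(("high", "lateral-to-production", src, dst, f"port {port}"))
            continue
        if not egress_allowed(dst, port):
            findings.append(("high", "egress-not-vetted", src, dst, f"port {port}"))
        if dst not in baseline:
            findings.append(("medium", "new-destination", src, dst, "not in baseline"))
        if nbytes >= SPIKE_BYTES:
            findings.append(("medium", "volume-spike", src, dst, f"{nbytes} bytes"))
    return findings


def triage_dns(queries):
    """Flag lookups for names outside the vendor suffixes the device should need."""
    return [("medium", "unexpected-dns", src, name, "not a vetted vendor domain")
            for src, name in queries if not name.endswith(DNS_ALLOW_SUFFIXES)]


def summarize(findings):
    """Count findings per rule, for a quick daily report."""
    counts = defaultdict(int)
    for _, rule, *_ in findings:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    results = triage_flows(SAMPLE_FLOWS) + triage_dns(SAMPLE_DNS)
    for sev, rule, src, dst, detail in results:
        print(f"[{sev}] {rule}: {src} -> {dst} ({detail})")
    print(summarize(results))
```

In practice you would feed this from your flow collector's CSV export rather than a hard-coded list. The point to notice is that "new destination" only means something once you have a baseline, which is why step 6 starts with capturing what normal looks like before you alert on anything; the lateral-to-production rule, by contrast, should never fire if step 2 was done properly, so a single hit there is a segmentation bug, not a tuning problem.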
What “good” looks like (for a mid‑sized Chicagoland plant)
- Production VLANs: ERP/MES, file servers, and line of business systems.
- IoT/Facility VLANs: Cameras, thermostats, TVs, badge readers—no lateral to production.
- OT cells: SCADA/gateways segmented per line; brokers for anything that needs to cross.
- Egress policy: Device VLANs allow only vetted destinations/regions.
- Observability: Flow logs + basic anomaly alerts. No heroics—just the right basics done consistently.
Why this matters more here
Chicago area manufacturing leans on multisite logistics and older circuits in spots. Cloud cameras can saturate uplinks right when Q4 shipping spikes; unmanaged devices also expand your attack surface at the worst possible time. Fixing segmentation and egress now avoids outages when trucks are lined up at the dock.
Book a Chicagoland Smart Device Safety Check
Who it’s for: Plant managers, IT managers, and Ops leaders in the South/Southwest suburbs (Frankfort, Mokena, Tinley Park, Orland, Joliet, New Lenox, Lockport, Romeoville, Bolingbrook) and beyond.
Outcome: Clear priorities that reduce downtime risk and alert noise, fast.
https://rwksolvesit.com/discoverycall/
FAQ
Do you support plants across Chicagoland or just the South/Southwest suburbs?
Both. We're based near Frankfort and cover Will, Cook, DuPage, and Lake counties and beyond. Same-day emergency support is common.
Will this force us to rip and replace?
No. We start by segmenting what you have and blocking risky egress. You can upgrade hardware on your timeline.
We already have cameras. Isn’t that security?
Cameras are visibility, not protection. If they sit on the same subnet as ERP, they’re part of the problem.
What about OT?
We treat OT cells as separate trust zones with brokered access—no blanket routes across production.
Service Area
Chicagoland manufacturing IT & OT security for: Frankfort, Mokena, Tinley Park, Orland Park, Joliet, New Lenox, Lockport, Romeoville, Bolingbrook, Oak Lawn, Chicago Heights, Elk Grove Village and beyond (warehouse support).
Final word
If admin/admin still works anywhere in your plant, start there. Give us 45 minutes on site—we’ll help you shut the easy doors first, then plan the rest without drama.