Preventing Remote Control

We have a customer that has a completely separated, hardwired automation network installed. However, for the engineering team, they have a VPN possibility installed, so that they can connect to this automation network when they are on the global wifi network of the plant. This is for maintenance, startup, … purposes. This has a risk, because they can also dial in to the VPN from home. Is there any way to detect how users are connected, so that we can differentiate their connection as being on the factory wifi network, or being dialed in from outside the factory? In this way it would be possible to prevent them from operating machines when not on site.

This sounds like what Security Zones are for.

It probably depends on your VPN setup, but if it’s anything like ours, all the VPN users are coming from a certain set of IPs. You might need to work with IT a bit to get it figured out.

As Kevin mentioned, a security zone is perfect; also consider using a reverse proxy.
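Added example, not part of any post in this thread and not vendor code: a sketch of the zone decision the replies describe, classifying a session by source address and denying machine operation unless it falls in an on-site zone. It also covers the reverse-proxy case, where the forwarded client address is only trusted when the connection really comes from the proxy. Assumptions: the VPN assigns a different address pool to outside dial-in sessions than to plant-wifi sessions, and every network, zone name and function name below is a constructed placeholder.

```python
import ipaddress

# Constructed placeholder ranges; the real pools have to come from IT.
ZONES = {
    "onsite_wifi": [ipaddress.ip_network("10.20.0.0/16")],  # pool for plant-wifi sessions
    "remote_vpn": [ipaddress.ip_network("10.99.0.0/24")],   # pool for outside dial-in
}
TRUSTED_PROXIES = [ipaddress.ip_network("10.1.1.10/32")]    # reverse proxy address
CONTROL_ZONES = {"onsite_wifi"}                             # zones allowed to operate machines


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def effective_client_ip(peer_ip, forwarded_for=None):
    """Return the address to classify.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy;
    otherwise a remote client could claim an on-site address in the header.
    The header is walked right to left, stopping at the first non-proxy hop.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not forwarded_for or not _in_any(peer, TRUSTED_PROXIES):
        return peer
    for hop in reversed([h.strip() for h in forwarded_for.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed header: classify the proxy itself (no zone)
        if not _in_any(addr, TRUSTED_PROXIES):
            return addr
    return peer


def zone_for(peer_ip, forwarded_for=None):
    addr = effective_client_ip(peer_ip, forwarded_for)
    for name, networks in ZONES.items():
        if _in_any(addr, networks):
            return name
    return "unknown"


def may_operate(peer_ip, forwarded_for=None):
    """Default deny: only sessions in an explicitly listed zone may operate machines."""
    return zone_for(peer_ip, forwarded_for) in CONTROL_ZONES
```

If on-site and remote users share one VPN pool, source address alone cannot tell them apart, which is why the pool split has to be arranged with IT first.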