Node-RED in a production environment. A good idea or just a self-installed Trojan horse?

If you know Node-RED you’re probably just like me, convinced it is a powerful tool. It can be used to create dashboards, connect IoT devices, do some analytics or collect data in several kinds of databases.

In a production environment all these functionalities can be very useful for monitoring, preventive maintenance and troubleshooting. Receive an e-mail or a push notification when the current of a motor is out of range? Node-RED can do this for you (or, to be correct: you can make Node-RED do this for you).

Another nice thing about Node-RED is the huge number of nodes available for connecting various devices, for example the s7comm nodes, which allow us to connect to Siemens S7 PLCs. When the motor from the example above is monitored by a PLC, things are really easy: read the current, evaluate the value and send a message when a limit is exceeded. Connecting and configuring these nodes can be done in a few minutes.

But hey, all those nice things, why shouldn’t I just install Node-RED on a production server and start playing with it? What could go wrong?

Well, Node-RED is an IoT product and, just like a lot of those products, Node-RED is made to just work, not taking into account the ‘S’ in IoT. The ‘S’? Yeah, I know, there is no S for security in IoT, but that’s the point.

Luckily for us Node-RED isn’t that bad. It doesn’t send our data to an unknown cloud in an undefined region of the world, accessible by people we don’t know. But by default the security options are not enabled.


The default Node-RED installation:

  • listens on port 1880 on every network interface, so it is reachable from your entire network
  • has no password protection on the flow editor, so anyone who can reach the port can edit and deploy flows
  • can write to your production PLCs through the same nodes you use to read from them

So, by default, Node-RED is an open gateway to your production environment. It can be used not only to collect business-critical information but also to change process parameters in production PLCs.
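The three defaults above are all controlled from Node-RED’s settings.js. The following is an added example, not code from the original post or from the Node-RED project: it models a stock settings object beside a hardened one, using the settings keys Node-RED actually reads (uiHost, uiPort, adminAuth, https, requireHttps, httpNodeAuth), and audits them for the three problems listed. The audit function, the sample objects and the bcrypt hash strings are constructed for illustration; real hashes come from `node-red admin hash-pw`, and the key/cert values are placeholders for PEM files you would load on the server.

```javascript
// Added example, not from the original post or the Node-RED project.
// Uses the real settings.js keys; the sample values and the audit logic are
// constructed here for illustration.

// What a stock settings.js amounts to: editor on 1880 on every interface,
// no adminAuth, plain HTTP.
const defaultSettings = {
  uiPort: 1880,
  // uiHost unset  -> bind to all interfaces
  // adminAuth unset -> anyone who reaches the port can edit and deploy flows
  // https unset   -> logins and flow JSON travel in clear text
};

// Hardened fragment: bind to loopback (reach it via a reverse proxy or SSH
// tunnel), require a login, give the day-to-day account read-only access so it
// cannot deploy a flow that writes to a PLC, and serve TLS.
const hardenedSettings = {
  uiHost: "127.0.0.1",
  uiPort: 1880,
  adminAuth: {
    type: "credentials",
    users: [
      {
        username: "admin",
        // placeholder bcrypt hash; generate a real one with `node-red admin hash-pw`
        password: "$2b$08$placeholderplaceholderplaceholderplaceholderplaceho",
        permissions: "*",
      },
      {
        username: "operator",
        password: "$2b$08$placeholderplaceholderplaceholderplaceholderplaceho",
        permissions: "read", // can inspect flows, cannot deploy changes
      },
    ],
  },
  https: {
    key: "<contents of privkey.pem>",  // assumption: loaded from disk in a real settings.js
    cert: "<contents of cert.pem>",
  },
  requireHttps: true, // redirect plain HTTP to HTTPS
  // protects the dashboard and any HTTP-in endpoints, not just the editor
  httpNodeAuth: { user: "dash", pass: "$2b$08$placeholderplaceholderplaceholderplaceholderplaceho" },
};

// Return a list of findings; an empty list means the three defaults the post
// warns about are all addressed.
function auditSettings(s) {
  const findings = [];

  const host = s.uiHost;
  if (!host || host === "0.0.0.0" || host === "::") {
    findings.push("editor reachable from the whole network (uiHost unset or wildcard)");
  }

  const users = s.adminAuth && Array.isArray(s.adminAuth.users) ? s.adminAuth.users : [];
  if (!s.adminAuth || users.length === 0) {
    findings.push("no adminAuth: anyone who can reach the port can deploy flows");
  } else {
    for (const u of users) {
      // Node-RED expects bcrypt hashes here; a plain string is a misconfiguration
      if (typeof u.password !== "string" || !/^\$2[aby]\$\d{2}\$/.test(u.password)) {
        findings.push(`user ${u.username}: password is not a bcrypt hash`);
      }
    }
    const deployers = users.filter((u) => u.permissions === "*");
    if (deployers.length === users.length) {
      findings.push("every adminAuth user can deploy ('*'); add read-only accounts for routine use");
    }
  }

  if (!s.https) {
    findings.push("no https: logins and flow contents are sent in clear text");
  }
  return findings;
}

console.log("default :", auditSettings(defaultSettings));
console.log("hardened:", auditSettings(hardenedSettings));
```

Run it with `node` to see the three findings for the stock configuration and none for the hardened one; the same function can be pointed at your own settings.js by requiring it (`auditSettings(require("/path/to/settings.js"))`) once it is a plain object. Note that adminAuth only protects the editor and admin API; the dashboard and HTTP-in nodes need httpNodeAuth (or a proxy in front) separately.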
