Maybe we should start from threat analysis. What are we trying to protect the equipment from? Script kiddies who may screw it up?
A threat analysis is usually conducted on an installation (e.g. the device is in a context together with technology, procedures and having a purpose/being in use somewhere for a specific interest) and not on a device by itself. Doing it on a device (or in this case a whole class of devices) will give an explosion of interpretations, assumptions, possibilities and opinions.
It is like asking if a car needs to be bullet proof. That doesn't depend on the car but on the situation I put the car in. The bullets are usually not for the car but for someone in it.
My question was: Are there bullet proof cars?
I'm willing to give the threat analysis a shot. So here we go down into this rabbit hole:
Threats are usually seen as a combination of motivation, opportunity and capability.
Adding the impact of the threat actually taking place, it will give risk.
Capability:
The capability to exploit a weakness is almost always present because there is no security measure present on the T&M device (we're considering the device, not a possible network shielding the device, that comes later) and Google is everybody's friend. So, capability is always high.
Opportunity:
If the device is placed in a properly shielded LAN network the opportunity to exploit is reduced significantly from other LAN users or the internet, to the level a lot of cases can indeed accept the residual risk. This is probably the most common case/best practice nowadays. Common exceptions are environments with explicit policies about hardening that state each device or component must be hardened by itself.
If the device is placed in a not shielded LAN network anybody on the same network has opportunity, only a low chance if the network is small and physically protected. Otherwise a high chance of opportunity.
If the device is connected to the internet: This is a rare case, so we don't consider it (although some people
https://www.trendmicro.com/en_us/research/20/a/security-analysis-of-devices-that-support-scpi-and-visa-protocols.html)
Motivation:
This one is broad because this analysis is not specific. To name a few that could be considered generic:
- the occasional student/intern/bored employee just messing around and causing an 'oops' or 'I was just looking' or plain stupid actions like network administrators performing an aggressive scan on the network. There are a lot of these people and situations where this happens. Anybody ever went to school/university?? It sounds strange but this is the most common motivation. Usually the corresponding impact for these cases is low.
- Economic motivation: This used to be much about stealing IP etc. which is very specific to organisations and specific departments within organisations. Ransomware is more common nowadays and is only interested in T&M equipment as a jumphost to e.g. a file server they can encrypt (if the firewall was opened to allow logging to the fileserver, I've seen this one). Ransomware ranges from automatic attempts on low value targets (will fail for this case, so very low risk) to high profile targets where this one is a possibility. Here it depends on your industry if you or your IP are high valued to someone, usually not the device.
- hacktivism/religion/organised crime/state actors: Not specific to T&M equipment that I can think of, this is very industry/organisation specific. Also in regard to the determination and amount of resources (also a capability) different actors have in different industries.
Impact:
This can also range from just an annoyed co-worker to a small fire (power supplies also have SCPI...), messed up long running measurements, equipment with unnoticed messed up calibration. The real impact these kinds of things have is installation specific, not device specific (except for the possible replacement cost of the device if the hacker breaks it).
Risk:
Combining the above factors: The only generic case I can find is that it is essential to take away the opportunity by taking network protection measures, because the capability is always there with the current state of technology, and if opportunity and capability are there all options for motivation and impact may or may not happen.
In the end a generic threat analysis is not very useful except for the conclusion you better put some network protection in place, otherwise you're at risk.
Suppose you make a specific threat analysis for a specific situation AND as a result you want to turn on some form of authentication/security on your device, you are out of luck: T&M equipment is plain insecure by itself?
So I'm back to my original question: Are there really no T&M devices with at least a little bit of security built in (via ethernet/wifi connection)?