Use of computerized numeric controls (CNC) keeps expanding across an ever greater number of production plants, and is a cornerstone of most modern organizations.
In recent years, with the appearance of Industry 4.0 in factories and shopfloors, new connectivity needs have began to sprout. Because of this, your modern CNC units are no longer mere mechanical devices that work offline, or through point to point communication protocols. Today, these machines connect to many different systems on your plant through networks and the internet (or will be doing so in the near future), which presents a plethora of benefits for your company, chief among them being a fine-grained production control and optimization.
Despite this transformation offering new business opportunities, it also opens the door to cybersecurity threats that many companies are not presently aware of.
In this context, Trend Micro and Celada have published an investigation report on the risks related to connectivity of CNC machines, having performed security evaluations in four of the most representative CNC control providers across the globe: Haas, Okuma, Heidenhain and Fanuc.
Simulador de Okuma utilizado durante el testing (Fuente: Trend Micro)
Investigation and results
The evaluations have identified and confirmed succesful execution of 18 attacks (or attack variants) grouped in 5 types: RCE (Remote Code Execution), machine damage, denial of service (DoS), hijacking and theft of intellectual property.
The following warnings published by Incibe-cert (response center for security incidents of the Spanish National Cybersecurity Institute) show the CVEs related to the investigations, all of them of a high or critical importance:
Besides, even if the investigation is not focused on Siemens CNCs, CVEs are also periodically published for such control types:
The market is starting to see the king has no clothes on when it comes to industrial cybersecurity, and is becoming increasingly aware of the huge vulnerabilities machines are subject to. This results in many machine connections never being made, as the required updates are often not applicable.
What can you do to prevent these attacks?
Some solutions in the market showcase as a competitive advantage the practice of not using intermediate devices for machine data collection, which is a mistake. You have already observed how new vulnerabilities keep emerging periodically, and manufacturers produce the corresponding mitigation updates and patches, a completely normal procedure in any kind of software development. But,updating each of your machines individually every time a new vulnerability is found & published is not viable, as it often requires production stops to apply the update, which is not feasible in many environments.
For this reason, Savvy's strategy is always to employ the intermediate device Savvy SmartBox.
By using our system, your controllers will never need to connect to any network or the internet - they will only interface with our SmartBox device, which utilises two distinct, non-switched network sockets: one to connect to the machine controller, and another to connect to the IT network from where to obtain all the cybersecurity updates and patches regularly. In this fashion, it does not matter whether your controller is up to date for cybersecurity, as our SmartBox is in charge of (and is certified for) keeping your communications secure, and above all else, keeping your machine isolated.
Even if our solutions were temporarily vulnerable until we found and patched the corresponding vulnerability, the attack vector to reach your machine is so complex that it becomes unfeasible, due to the many layers of security, authentication and audit trails that our system posseses as base defenses against potential attacks on assets.
In addition, connecting your machines to our systems carries many other benefits:
- Data analytics on the Edge (right next to your machine).
- Avoid overloading elements in charge of machine operation, such as PLCs or CNCs.
- Versatile software updates.
- Simplicity in asset management.
- Easy to install, self-deploying and self-configurable.
- Collect data from multiple levels of sources: PLC, CNC, ERP; other industry standards OPC UA, MQTT, etc. and for legacy systems, compatible with FTP, XML, CSV, SQL.
In Savvy Data Systems, we take Cybersecurity very seriously when it comes to designing and implementing digital solutions for our customers. Proof of this is the fact that we are the only company with a triple cybersecurity certification: Common Criteria, ISO/IEC 15408, ISO / IEC 18045.
