Privacy & Risks
Protect CNC Machines in Networked IT/OT Environments
Networking IT/OT environments is a bit like walking a tightrope, balancing the pursuit of intelligence and efficiency against the risks of exposing OT systems to the wider world. Trend Micro recently teamed up with global machine tool company Celada to identify specific risks associated with industrial CNC machines—and how to mitigate them.
IT/OT networking is a cornerstone of Industry 4.0, connecting technologies across industrial enterprises for centralized control and greater access to information. The pursuit of those advantages could nearly double the size of the industrial automation and software market from about $200 billion today to almost $400 billion by 2028, according to IOT Analytics.
Connecting traditionally siloed OT (operational technology) networks to more open IT environments introduces risks that many OT systems were never designed to confront. What those risks are and where they arise depends on the type of OT involved. Trend Micro recently teamed up with global machine tool company Celada to look specifically at the implications for one such technology: computer numerical control (CNC) machines.
CNC machines are used in reductive manufacturing processes, anything that requires drilling, routing, lathing, or other removal of raw material. Their computer-controlled functions make them extraordinarily precise, capable of working within finer parameters than humans can perceive with their natural senses—to about 10 microns.
Because CNC machines have not historically had—or needed—built-in security features, networking them with enterprise IT devices brings a range of cybersecurity risks.
Why CNC machines need protection
CNC machines cost into the tens of thousands of dollars and have components that are expensive to replace if they wear or break. The products they make have a wide variety of uses—from airplane parts to hip replacement prosthetics—where quality and reliability are of paramount importance. Any tampering by a bad actor can have severe consequences, financially or for human health and safety.
Every CNC machine has an interior process area where machining is done. Its multiple moving `parts include an automated dolly that positions raw material for processing and a spindle that rotates at different speeds to drill, route, lathe, or perform other actions. The computer controlling system manages those actions and also receives sensor inputs to monitor waste buildup, heat thresholds, positioning errors, and more.
Despite their mechanical and computational sophistication, CNC machines run on surprisingly simple software: legacy Linux or Windows operating systems, for the most part, with code written in fairly primitive programming languages. Anyone with access to the command line interface can input a command and have it executed. These are minor risk factors in closed environments staffed by trusted personnel but become significant as soon as a CNC machine is exposed to the outside world.
In a networked IT/OT environment, threats can reach CNC machines without direct access by an attacker. IT users who visit vulnerable websites or click on phishing emails can admit threats into the corporate network that eventually propagate over to the OT side and onto individual machines.
The supply chain is another risk channel because many different players take part in it: numerical controller manufacturers, machine builders, retailers, and integrators. This creates ample opportunities for threats to be injected, especially since CNC machines are typically highly customized, meaning there are a lot of ‘hands under the hood’ as they proceed from manufacturing to installation and configuration.
What are the risks?
The legacy software and rudimentary code used by CNC machines can be easily exploited by attackers. The machines themselves, when part of an IT/OT network, may leak information such as product counts and machining instructions through their interfaces. In many environments, to save time and because they weren’t historically needed, CNC machines’ authentication measures are often disabled and access controls are lacking, meaning virtually anyone can interact with the controller.
Combined, these risks make networked CNC machines susceptible to remote code execution and other harmful manipulations.
Remote code might be used to exfiltrate sensitive data including competitively vital intellectual property (IP). Malicious commands can disable important safety features or manipulate parameters to degrade performance or damage the machine itself. Every CNC machine, for example, has a “feed hold” function that stops all moving parts so an operator can reach inside the process area for cleaning and other tasks. If that function is disabled, the operator could be seriously harmed.
Similarly, if the machine’s thresholds for tool load or part wear are altered, components could break down from overuse or prompt users to replace them more frequently than needed, causing financial harm at a minimum and potentially creating health and safety hazards as well.
What can be done to safeguard CNC machines?
A few immediate steps can be taken to protect CNC machines in networked IT/OT environments. First is simply to inventory all CNC tools to have a clear and up-to-date picture of what’s in the network. It’s also best to keep the CNC machine network in a segment unto itself: that way, traffic flows in and out can be monitored more easily—and cut off, if needed. As well, intrusion prevention systems (IPS) and firewalls should be deployed.
Any legacy software that can be patched should be patched to minimize risk. Some patching is not possible because ‘interfering’ with the CNC machine directly can affect its warranty, but in such cases deploying other security measures around the machine can help protect it.
Finally, access and authentication controls must be enabled, and any default passwords (such as “admin”) should be replaced with strong, customized ones. This applies both on site and for any users who have a remote connection into the OT environment and the CNC machines.
More broadly, a three-pronged defense is recommended for networked IT/OT environments overall:
- Deploy mitigation measures specifically tailored to OT assets and networks, such as those described above for CNC machines.
- Adopt an attack surface risk management approach to gain a complete understanding of the full IT/OT attack surface, the assets associated with it, and their relative levels of risk.
- Roll out context-aware detection and response capabilities such as XDR that can detect cyber incidents, generate insights to quickly isolate the cause, and implement the appropriate response.
Working together to mitigate CNC machine risks
After gathering insights into the potential risks faced by CNC machines from the world’s four biggest CNC manufacturers, Trend Micro Research and Celada engaged in a productive, responsible disclosure process with those manufacturers to help them address the issues discovered—before making the research public.
Catching up with the security reality
IT/OT networking is the way of the future. Understanding the specific vulnerabilities of tools such as CNC machines is key to protecting a business from potentially significant data, safety, and financial risks. In addition to specific mitigation measures tailored to the technology and organization at hand, networked IT/OT environments can—and should—also be defended by adopting attack surface risk management approaches and deploying context-aware detection and response capabilities for the most proactive and robust security posture possible.
Next stepsLinks to: