
Network Security For Modern CNC Controls

Mickey_D

Stainless
Joined
Apr 18, 2006
Location
Austin, TX
One of the big takeaways from the recent IMTS is that a lot of vendors are pushing network apps that let you monitor and even a few have some remote control capabilities through a smartphone or computer. Remote monitoring, access to spindle utilization stats, scheduled maintenance, etc. could be very useful, but opens a whole new can of security worms.

Haas, Mori, and Okuma are all pushing monitoring apps, but even the application engineers were at a loss to explain how they kept everything secure. I know that Siemens controls have had several severe vulnerabilities that have been exploited to cause mayhem and damage to machines and systems. I also asked the Haas engineer how they handled network security updates (they seem to be running some kind of embedded Linux) and got another blank look, and Okuma does not update theirs either.

In a previous career part of what I did was network design and router and firewall configuration, both in data centers and on client sites, and I was pretty good at it. Despite, or because of, this experience I still do not put my network-capable machines even on the local network; files move between systems on dedicated USB drives via sneakernet. I might be pretty paranoid, but I know that one day I will miss a router update or misconfigure a firewall and something or someone might get in, and the next thing that happens is we are either serving goat sex porn to perverts from one of the machining centers or someone has remotely trashed one of my expensive machines.

Anybody else thinking about this, or am I just too paranoid from dealing with past worms, viruses, and network break-ins?
 
If the plan is to only monitor, it's as easy as a protocol bridge of sorts. From a previous job, my biggest familiarity is Modbus but I know there are numerous. Going from Ethernet/IP > Modbus or other protocol > Ethernet/IP eliminates any direct pass-through of any kind of usable network drive. It sounds like a pain, but a couple grand of hardware and a couple hours of programming the interface is a small price to pay to protect a several hundred thousand dollar piece of equipment.

Sent from my HTC One using Tapatalk
 

Multiple levels of isolation. We do it all the time with medical imaging systems. The devices live in a local area network that only has access to local resources, everything inbound is through a VPN, with multiple levels of authentication. Distribution to the outside again is through portal systems that have no access to any of the internal networks. You literally have to log into multiple systems before you can access a CT scanner. Is there some hypothetical level of risk? Sure there always is, but it is not like a web server in the Amazon cloud. You have to know an awful lot about the network topology, and security and have to have preassigned security devices (PIV cards and token generators) to get in.

dee
;-D
 
I hashed out a lot of these issues in the "why aren't there any modern CNC controls" thread. Yeah, HAAS is using a Linux distro running on ARM and is violating the GPL by not releasing the source code. I've called them on it and they just put their fingers in their ears and go "ya ya ya ya ya ya".
 
I have been wondering about this type of security too – not so much for my machines but in general. I would think a concern would be somebody getting into a machine through a smartphone app and being able to download all the programs in memory. This would give a competitor a giant advantage, plus of course certain modifications could be made to the existing program to crash the machine or sabotage a production run...
 

Information is stolen based on the perceived value to the thief. It is more likely they go after personal info and account numbers than CAD files. You have to know an awful lot to know how much that stuff is worth. It is more likely that a machine tool or a CAD/CAM system would be a target for a ransom attack, where they lock all your files and demand a ransom to unlock them. If you pay, you are a target for future attacks, because you proved that it is valuable. The first time it is 500, then 1000, then 5000, and so on. If you pay nothing, it is worth nothing. Good isolated backups, offsite, and a service agreement to restore the machine to factory condition is a good defense. The other option is to have an isolated network that is not discoverable by any scanning means. The most secure system is the most inaccessible; as soon as you connect it to something it is less secure.

dee
;-D
 
It's true that you don't want your machines on your production LAN. So give them their own network. The best is physically separate hardware so there is an air gap between the machine LAN and the production LAN. The only computer on this network would be the DNC server. Now at least you can get all your programs from one source, instead of a million uncontrolled USB drives filled with viruses. It's easier to secure and control that one PC. How you get programs into your DNC server is up to you. You could write/post code from that machine if you wanted a 100% air gap. You could use your shady USB drives, but that is really no better than plugging the machine into a network. The other option would be a dual-homed server: one cord plugged into the CNC switch and one into the production network switch. Now you have a choke point. You know all attacks would have to come through that interface to enter the enclave network. You can run a host-based firewall to lock down that interface and perform all your other system hardening here. This gives you the best mix of usability and security.

:typing:
 
HAAS machines talk to the myhaascnc.com site, probably via an intermediary HAAS "cloud" service.

If HAAS is like any other outfit these days, they outsourced the infrastructure to AWS or another cloud provider and have a suite of DNS aliases for the machines to talk to.

One could *potentially* secure such a design from outside attacks, but if the myhaascnc.com site is really a C&C (command and control) platform, just hacking into that site and controlling it would be enough to get access to all of the data on hundreds of customer machines.

You only need to pick the low hanging fruit in order to make a pie.

EDIT: myhaascnc.com and my.haascnc.com resolve to a /25 block of IP addresses that HAAS has allocated to them. That's ~512 IP addresses, so it's *possible* they are running their own infrastructure. I *do* wonder what the machines talk to.
 

The enclave network I described would have no path to the internet unless you created a route on your dual-homed server. That would be in your control at this point. I agree that you should do your own MDC and not use the cloud. You could specifically block myhaas, but it's redundant. All you have to do is use a different subnet on the enclave network and omit the default route on all machines within. Without a default route they can't even ask for the route that doesn't exist.
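Putting the dual-homed DNC choke point from the earlier post and the "no default route" enclave idea above together, here is an added example (not from any poster in this thread) of a host firewall policy for a Linux DNC server sitting between the production LAN and the CNC enclave. Interface names, subnets, the CAM workstation address and the DNC port are assumed placeholders; substitute whatever your DNC software and switches actually use.

```nftables
# Added example, not from any poster: nftables policy for a Linux dual-homed DNC
# server that is the only path between the production LAN and the CNC enclave.
# Assumptions: eth0 = production LAN (192.168.10.0/24), eth1 = CNC enclave
# (10.44.0.0/24, controls have no default route), 192.168.10.5 = the one CAM
# workstation allowed to push programs, TCP/21 = the DNC file service the
# controls pull from. Pair with "net.ipv4.ip_forward = 0" in sysctl so the
# kernel never routes between the two sides even if a rule here is wrong.
define prod_if  = "eth0"
define cnc_if   = "eth1"
define cnc_net  = 10.44.0.0/24
define cam_host = 192.168.10.5
define dnc_port = 21

table inet dnc_chokepoint {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Controls in the enclave may only reach the DNC file service, nothing else.
        iifname $cnc_if ip saddr $cnc_net tcp dport $dnc_port ct state new accept
        # Allow ping from the enclave so the server can be health-checked.
        iifname $cnc_if icmp type echo-request accept

        # From the production side, only the CAM workstation may push files (21)
        # or administer the server over SSH (22).
        iifname $prod_if ip saddr $cam_host tcp dport { 22, 21 } ct state new accept

        # Log a rate-limited sample of everything else; the chain policy drops the rest.
        limit rate 5/second log prefix "dnc-chokepoint drop: " counter drop
    }

    chain forward {
        # The server is not a router: no packet ever crosses from one LAN to the other.
        type filter hook forward priority 0; policy drop;
        counter drop
    }

    chain output {
        type filter hook output priority 0; policy accept;
        # The server only answers the controls; it never opens new connections into
        # the enclave (apart from a health-check ping), so a compromised server
        # cannot be used to reach the machines any further than the DNC service.
        oifname $cnc_if icmp type echo-request accept
        oifname $cnc_if ct state established,related accept
        oifname $cnc_if drop
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset` that the forward chain shows only dropped counters once the controls start pulling programs.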
 
10 or 15 years ago HAAS would have sold a "server" product to customers that had the HaasConnect option. All of the intelligence and data would live on that server and sit standalone at the customer site. The machines would never be connected to the Internet. The server would also have a modem for sending pager messages to your text pager :D
 

I have 3 machines coming with the NGC and the new WiFi capability. I'm hoping a guy will be able to leverage the machines' "messaging" system without having to use the phone app or the myhaascnc.com link. I just don't see the need for the "M30" message to have to travel to California and back to let me know the green light is flashing. Maybe I don't understand how it works, but that's what it sounds like.
 
The vast majority of what you saw offered from builders is read-only, so even if data is compromised it's just going to be statuses and other output from the control. The new control capabilities don't allow remote control, just monitoring.

It's sort of a shame that this distinction is not well-known among sales or engineering teams, because the two-way applications for remote control are not far behind and your security questions really, really need to be addressed better soon.
 