CNC Machines on the network

mmca

Do most people just leave their networked machine tools on the general network? Do they have internet access?

Or is the shop floor network isolated from the internet/general building network?

I recently purchased a VMC and have been poking at it from a network security perspective, and if it were a printer I probably wouldn't allow it on the office network.

I don't really have access to a place with many new machines; all the shops I used to hang out at were still using USB (and some floppies) to move files around. So it would be nice to hear from people in more modern shops.
 
We have a segregated machine network, CAD/CAM station also. It's amazing to see how well Windows systems do when they are not updated and have no internet access. Main network and machine network do not connect. We operate a few mobile workstations on both sides, but when connected to the machine network they also do not have internet access. 15 years, never had a problem, but if you need to find something in the world or place an order, you move to a different computer on the main network; that's a little annoying sometimes.
 
Do most people just leave their networked machine tools on the general network? Do they have internet access?

I have the entire workshop space in a private subnet. It is not trusted to the general-purpose network, and vice-versa.

It has strictly controlled access to the public Internet. All inbound connections are dropped at the router and only specified connections are allowed outbound (the default policy is to drop traffic). I don't think any of the machine tools needed anything but I have some other stuff on that network that does.

Stuxnet should scare the crap out of everyone with a network-connected machine tool, IMHO.
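
The policy described in the post above (inbound dropped at the router, outbound default drop with an allowlist, no trust between shop and office), written as an nftables ruleset. This is an added example, not the poster's configuration; the interface names, subnet, hosts and ports are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example. Interface names, subnet and server addresses are
# constructed placeholders; substitute the shop's own values.
# Covers forwarded traffic only; the router's own input chain is separate.

define WAN_IF      = "eth0"            # uplink to the public Internet
define OFFICE_IF   = "eth1"            # general-purpose network
define SHOP_IF     = "eth2"            # machine-tool subnet
define SHOP_NET    = 192.168.50.0/24
define NTP_HOST    = 192.0.2.10        # constructed: the one allowed time server
define UPDATE_HOST = 192.0.2.20        # constructed: one allowed HTTPS host

# Atomic reload: create the table if missing, delete it, define it again.
table inet shop_fw
delete table inet shop_fw

table inet shop_fw {
    chain forward {
        # Default policy is drop: anything not matched below is discarded,
        # which includes every new inbound connection from the WAN.
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections that were allowed out.
        ct state established,related accept
        ct state invalid drop

        # Anti-spoofing: the shop interface may only source shop addresses.
        iifname $SHOP_IF ip saddr != $SHOP_NET drop

        # The "specified connections" allowed outbound from the shop.
        iifname $SHOP_IF oifname $WAN_IF ip daddr $NTP_HOST udp dport 123 accept
        iifname $SHOP_IF oifname $WAN_IF ip daddr $UPDATE_HOST tcp dport 443 accept

        # No trust in either direction between office and shop.
        iifname $OFFICE_IF oifname $SHOP_IF counter drop
        iifname $SHOP_IF oifname $OFFICE_IF counter drop

        # Office egress is outside this example's scope; allowed as-is.
        iifname $OFFICE_IF oifname $WAN_IF accept

        # Log what the default policy is about to drop (rate limited).
        oifname $SHOP_IF limit rate 10/minute log prefix "shop-in-drop: "
        iifname $SHOP_IF limit rate 10/minute log prefix "shop-out-drop: "
    }
}
```

The two `counter drop` rules make cross-network attempts visible in `nft list ruleset`, and the log lines show which outbound destinations the machines try to reach before anything is added to the allowlist.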
 
This month's issue of Modern Machine Shop has an article on this very topic.
One thing, I've been noticing that more and more controls have some form of PC software/OS/drive on them and that leaves them vulnerable.

Perhaps a sub-net like mentioned above, but I wouldn't hook my CNCs to the outside world. Nope.
 
I use a Moxa Wireless Nport from my office PC to a Haas VF3 (1996). The configuration mimics a serial port connection, and is as 'safe' as a wifi network would be, which may not be provably safe. But AFAIK, you can't really invade an old CNC control without initiating some sort of transfer from the control end of things. Any controls with actual Windows on them, well, I just don't trust those to be on any LAN because you cannot trust Windows. I have one PC based cnc running a windows control, but it gets its programs by sneaker-net.
 
Umm, did you mean non network connected machine tool?
Bob

Google Stuxnet. Scary but enlightening.

An air gap between your shop floor and the real world is good. Wifi is at this time inherently weak on security but there are rumors about a very robust new standard.
I like wire between machines!
A firewall between the shop and the real world is a good idea but it requires maintenance and some expertise.
Quite dated but read "The Cuckoo's Egg".
 
Umm... YOU google Stuxnet.

Stuxnet jumped the air gap and was installed via USB thumb drive.
 
How many, if any, here have had a virus or other infect their machine tool, and what did it do?

Stuxnet was masterful in implementation. The deep details and methods are for sure a case study if you like such things. A long time not discovered.
Every large manufacturing facility using these PLCs that I know of got infected. But it did nothing to them. It was in search of a specific process ID and code.

All of my CNC controls since the mid 80's have been DOS or Windows based. At one time we found the "empire monkey b" virus on everything and just about every floppy disc.
Hundreds of infections yet did nothing of harm. USB sticks added a whole new back door.

Biggest problem by far I have had with internet connected machines is second and third shift finding a way to the net and searching porn or playing games.
Personally if worried about such I'd fear a USB much more than a Wi-Fi or direct cable net connection.

But, and here it is... Who wants to "own" your cnc machine control or your CAD/CAM?
So let's hear some actual real world net connected problems that you have had in machine tools.
Is this a "the sky is falling" thing fed by media hype and computer security people?
I think some worry too much.
Bob
 
This is second hand (now third) so take it for what it's worth, but I heard of a night shift guy watching certain non work appropriate things on the multimedia capable Windows based control. Control had to be completely wiped and reinstalled.
 
Well, that sounds like a poorly implemented content filter on the network. Ours is pretty open, but there's definitely a few things that get blocked.

I know our machines are connected to the local network since all the files are saved to our servers, but I don't know if it's possible to get outside the local network with them.
 
I have no content filters and will not spend time and money on it. What I do have is the ability to terminate an employee for any reason.
Such gets one a stern warning, second and then do not let the door hit your ass on the way out.
At break or lunch time on your phone or provided computers on my net..... This is your time and not mine to invade, control, or judge.
Bob
 
But, and here it is... Who wants to "own" your cnc machine control or your CAD/CAM?
So let's hear some actual real world net connected problems that you have had in machine tools.
Is this a "the sky is falling" thing fed by media hype and computer security people?
I think some worry too much.
Bob

I agree that there is no real benefit for a bad guy to mess with machine tools at this time. I mean, how much state do they really hold? What would you lose on the machine that isn't backed up in several different places? If they encrypt and lock your VMC, it's gonna be cheaper to call up the local tech to reinstall the firmware than send 0.1BTC to some random address that may or may not unlock my machine.

But I am really surprised with the complete lack of concern with network security from the major MTBs. Even home appliance manufacturers pay some lip service to security. I would think the MTBs would secure the machines better, even if it's just to protect their own intellectual property.

So there may not be any ransomware for cnc machines today, but considering how complex the systems are becoming and how long machines stay in service I think it would be prudent to start best practices on network security sooner, rather than later.

-M
 








 