One more worry for industry: CNC hacks
By Lee Teschler | December 13, 2022
Teschler on Topic | Leland Teschler • Executive Editor | On Twitter @DW_LeeTeschler
Back in the 1980s, a buddy of mine who was a plant manager proudly showed me the computer network he’d set up. The primary task of the network was to let people in the front offices program the plant's CNC machines with G code without having to visit the plant floor.
The network worked great, but this all happened long before the invention of the world-wide web. So there was no thought given to making the computer network or the CNC machines in the plant secure from outside mischief.
Unfortunately, it looks as though CNC security hasn't progressed much past that of my friend's 1980s network. At least that is the impression you might get from a recent report by researchers at cyber security software company Trend Micro and CNC integrator Celada. Researchers from these firms studied security measures in widely used metal-working machine controls made by Haas Automation, Heidenhain, Fanuc, and Okuma, treating them as representative of the field. Overall, researchers concluded that security seems to have a low priority for controller makers. In that regard, they identified about 15 ways of attacking Haas, Heidenhain, and Okuma controllers, and 10 ways of messing up Fanuc controllers.
Generally, researchers found that common security mechanisms deployed in ordinary computers and servers were absent on CNC installations. One basic problem they discovered was that many of the machines obeyed any command they were given without checking to see whether the command issuer was legitimate. (Interestingly, this shortcoming is also common in HVAC networks.) Fanuc controllers do have protocol authentication, but only as an option that end users must enable.
Machine controllers also typically lacked resource access controls, which thwart the installation of malicious applications. Without such measures, there's nothing to prevent CNC machines from being loaded with open-source code hiding harmful functions around legitimate ones.
Some CNC security problems are basic to the point of being humorous. For example, Heidenhain provides a default OEM password for all its controllers. The company leaves it up to the machine manufacturer to change the password. Moreover, the password is weak (six digits) and stored on a file system that an attacker can get to.
There were also troubling issues specific to different brands of controllers. For example, Haas controllers were susceptible to unauthorized modification of their firmware. The version of Linux running on Heidenhain machines was unpatched and affected by multiple vulnerabilities. Ditto for the Okuma controller, which ran an unpatched version of Windows.
The kind of potential havoc Trend Micro and Celada foresee arising from such security problems ranges from the machining of bad parts to endangerment of machine operators. They envision attackers potentially gaining control of parametric programs to modify the tool geometry so it introduces microdefects in the work piece, or fooling operators into using a tool past its point of exhaustion. In one case, they found controllers could be hacked so nothing happened when the operator pressed the pause button.
It is clear that attackers would have to know their way around a CNC machine quite well to carry out some of the scenarios security researchers envision. That probably rules out pranks pulled by juvenile delinquents. More worrying is the possibility of sabotage by state-sponsored hackers.
Before Stuxnet ruined almost one-fifth of Iran's nuclear centrifuges in 2010, few people worried about malware in factories. Let's hope it doesn't take a similar event to get the attention of companies making CNC controllers. DW