Cybersecurity for manufacturers: Staying in control of CNC machines

By Heather Johnson / Hartwig, Inc. | Sep 10, 2017

The days of manufacturing in dark, dingy shops, where processes were mostly manual, are long gone. With advancing technology, manufacturing equipment has evolved into highly advanced systems and cells built around CNC (Computer Numerical Control) machine tools. Engineers write detailed programs for the machine to run, both to cut parts and to communicate with robotic accessories that automate the process.

As technology continues to advance at a daunting pace, the Industrial Internet of Things (IIoT) and Industrie 4.0 continue to drive great progress in manufacturing, merging the virtual and physical worlds on the shop floor (Majstorovic, et al., 2015). However, these advancements have also created an environment in which manufacturers must become aware of the cybersecurity risks that come with this territory.

Advanced CNC controls that communicate with machine tools allow parts to be made with incredible accuracy, and when automation is built into the programs, shops can run lights-out manufacturing and make parts 24/7 with only a minimal shift of operators present in case a machine has an issue. This means much higher productivity, faster cycle times, and less raw material waste, all of which contribute to a high return on investment on the equipment and profitability for the manufacturer.

The controls store their part programs on the network, calling them to the machine when being used and sending them back when finished. Using these advanced controls on the machine tools means allowing the machines to connect to the manufacturer's network, and when connecting any device to a company's network, security should be a primary concern. As sophisticated hackers continuously look for new ways to penetrate networks for various reasons, manufacturing equipment has now become a way for them to sneak in.

A machine connected to the network that has not been secured is an open invitation for hackers onto the network. For instance, once on the network, they could deploy ransomware, locking up a company's data until a ransom is paid. Another malicious route a hacker could take would be to corrupt the part programs in order to cause defects (Wells, et al., 2014). Furthermore, industrial espionage could motivate hackers to steal the programs used to make proprietary parts (Wells, et al., 2014).

"IIoT systems are susceptible to cyber-attacks," explains Brad Klippstein, controls product specialist for Okuma America Corporation. "Plain and simple. They are trying to get user IDs, passwords and financials, or control of devices to deploy denial of service attacks against other networks."

According to Tim Francis, IT manager of the largest machine tool distributor in the Midwest, the first thing manufacturers need to do is put a next-generation firewall between the machine tool and the network. This up-to-date firewall scans traffic for viruses using the known signatures of different viruses. This should be a manufacturer's primary security focus before other options (Francis, 2017).

A strong firewall is also what Jacob Hendrickson, the IT manager of a small job shop, relies on, among other security measures. The network's firewall is the main line of protection, supplemented by RADIUS authentication. RADIUS is an authentication method for authorizing access to the network: it looks at a security group and allows or denies access. If you are going to allow a machine tool wireless access to your network, using RADIUS would be a beneficial security measure (Hendrickson, 2017).
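As an added example (not from the article, Hartwig or Okuma), here is a hostapd configuration for a shop-floor access point that enforces WPA2 with AES and delegates authentication to a RADIUS server, as the paragraph describes; the interface name, SSID, RADIUS address and the shared-secret placeholder are assumptions.

```ini
# /etc/hostapd/hostapd.conf  (example path; constructed for this article)
interface=wlan0
driver=nl80211
ssid=SHOPFLOOR-CNC            # constructed SSID
hw_mode=g
channel=6

# WPA2 (RSN) only, AES-CCMP only: no open network, no WEP, no TKIP fallback.
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP
rsn_pairwise=CCMP
# Protected Management Frames required (stops deauthentication spoofing).
ieee80211w=2

# 802.1X/EAP: each machine tool authenticates with its own credential;
# the RADIUS server decides, based on its security group, whether to admit it.
ieee8021x=1
eap_server=0
auth_server_addr=10.20.0.5    # constructed RADIUS server address
auth_server_port=1812
auth_server_shared_secret=REPLACE_WITH_LONG_RANDOM_SECRET
nas_identifier=shopfloor-ap1  # constructed identifier for RADIUS logs
```

The RADIUS server itself (for example FreeRADIUS) holds the per-device credentials and the group policy; revoking a single machine tool's access then means disabling one account rather than rotating a shared passphrase on every device.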

Manufacturers also rely heavily on the machine builders to provide secure ways to connect their machines and devices with better firewall settings to block against potential security risks, according to Klippstein.

Okuma's IT department provides customers with a list of nine things to consider before connecting their machine tools to their network, in order to ensure no malicious hackers can gain access:

1. Firewall settings: As mentioned before, firewall settings should be at the forefront of a manufacturer's mind. When integrating the firewall settings with the machine tool, consider what ports the device will connect to and what type of packets it will send or receive. For instance, a manufacturer could have all the machines use port 80 and all other devices use port 90, and then set different rules for each port. Additionally, if manufacturers want to collect machining data, firewall access can be limited to ports 5000-5003 to extract data via MTConnect.

2. Keep all software patches current.

3. Change all default passwords on routers and managed switches.

4. Turn off automatic updates, and then only apply them individually.

5. Put your CNCs on a Virtual Local Area Network (VLAN): Manufacturers can lock down the equipment on a VLAN that is separate from the primary network. This prevents access to the PLCs that run many machine tool subsystems. These controllers are easily overlooked by IT, so their software is often not updated very frequently. Such software is more susceptible to viruses and should never have open access to the Internet. The VLAN itself also should have no access to the public Internet.

6. Update older operating systems to Windows 7.

7. Manage connections to and from machines with a gateway: By putting the machine behind a gateway with two interfaces, acting like a managed switch, the machine can remain on a network separate from the employee network while the machine-monitoring service still has real-time access to machine data. One network interface communicates with the locked-down machine VLAN. The other network interface communicates only with the machine-monitoring service. This prevents the machines from communicating, even indirectly, with anything but the monitoring service.

8. For wireless networks, use WPA wireless encryption: One should never use a wireless network without encryption. While WEP (wireless encryption protocol) is easy to hack, the newer alternative, WPA (Wi-Fi Protected Access), is not. However, given the right tools and time, anything can be hacked. Therefore, highly sensitive data should never be accessible from a wireless connection. For added protection against connected devices (USB Wi-Fi adaptors), an Okuma software engineer created an intuitive application that disables USB ports or turns the USB hubs into power-source-only devices. The user decides how the USB hubs should operate. This application can be downloaded directly to an Okuma machine control.

9. Install a Windows anti-virus protection service.
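As an added example (not from the article, Okuma or any vendor), the following nftables ruleset implements the two-interface gateway of items 5 and 7 on a Linux box, limited to the MTConnect ports named in item 1: the monitoring service may poll the CNC VLAN on TCP 5000-5003 and nothing else is forwarded in either direction. Interface names, subnets and the monitoring host address are constructed for illustration.

```nftables
#!/usr/sbin/nft -f
# Constructed topology for this example:
#   cnc0 = interface on the locked-down CNC VLAN, 192.168.50.0/24
#   mon0 = interface toward the monitoring network, 10.20.0.0/24
#   10.20.0.10 = the machine-monitoring service host
# MTConnect agents on the CNCs listen on TCP 5000-5003 (item 1 above).
flush ruleset

table inet cnc_gateway {
    set mtconnect_ports {
        type inet_service
        flags interval
        elements = { 5000-5003 }
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # Gateway administration only from the monitoring side (assumption).
        iifname "mon0" ip saddr 10.20.0.0/24 tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # The monitoring service may open MTConnect sessions into the CNC VLAN.
        iifname "mon0" oifname "cnc0" ip saddr 10.20.0.10 \
            ip daddr 192.168.50.0/24 tcp dport @mtconnect_ports \
            ct state new accept
        # Nothing initiated from the CNC side (including toward the Internet)
        # is forwarded; log it so blocked attempts are visible to IT.
        iifname "cnc0" log prefix "cnc-egress-blocked: " drop
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset`; because the gateway has no route to the public Internet on the CNC side and the forward policy is drop, a CNC that is compromised cannot reach out, while the monitoring service keeps its real-time data feed.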

Cybersecurity in manufacturing is not a hypothetical concern; hackers are targeting this equipment. Below is an example of blocked attacks on Okuma America Corporation within a 24-hour time frame, all of which must be prevented from getting through and infecting their systems. Whatever the motive of the hackers, protecting the organization from them by securing CNC controls is necessary before serious damage can be inflicted.

Heather Johnson is project coordinator at Hartwig. Reach her at

References:

Francis, Tim. (2017, June 26). [Interview].

Hendrickson, Jacob. (2017, June 29). [Interview].

Klippstein, Brad. (2017, June 20). [Interview].

Majstorovic, V., Macuzic, J., Sibalija, T., & Zivkovic, S. (2015). Cyber-physical manufacturing systems - manufacturing metrology aspects. Proceedings in Manufacturing Systems, 10(1), 9-14.

Wells, L. J., Camelio, J. A., Williams, C. B., & White, J. (2014). Cyber-physical security challenges in manufacturing systems. Manufacturing Letters, 2, 74-77.