Computer numerical controls (CNCs) are machines used to produce products in a factory setting. They have been in use for many years, and in the last decade, their use has become more widespread due to increased connectivity. This increased connectivity has made them more software-dependent and therefore more vulnerable to attacks. This vulnerability is due to the heterogeneity of technologies used in factories and the lack of awareness amongst users of how to best secure these systems.
This three-part blog series explores the risks associated with CNC machines. We performed a security evaluation on four representative vendors and analysed technological developments that satisfy the Industry 4.0 paradigm while conducting practical attacks against real-world installations.
For our research, we picked vendors that are:
- Are geographically distributed (that is, with headquarters and subsidiaries spread across the world) and resell on a global scale.
- Have been on the market for decades.
- Have a large, estimated size, for example, with a total annual revenue of at least a billion US dollars.
- Use technologies widely adopted in the domain and present in different manufacturing sectors.
Understanding numerical control machines
A machine tool is a device that uses cutting tools to remove material from a workpiece. This process, called machining, results in the desired geometry of the workpiece. Machining is a subtractive process, meaning that the material is removed from the original geometry to create the desired shape.
Numerical control (NC) is a technology that allows machines to be controlled by computers. This technology has revolutionised machine tools, making them more accurate and allowing for greater flexibility in their use. NC machine tools are now widely used in production systems and can be used on other types of machines, such as lasers and bending machines.
To facilitate the understanding of what we discovered in our research, we introduce some basic concepts related to the use of machine tools:
- Numerical control. The NC is the most critical element of the machine, as it controls the entire process. This system includes visual programming functions to speed up the setup of production cycles. Additionally, the NC is always equipped with a human-machine interface (HMI) to facilitate operator interaction with control.
- Programming. Initially developed in the 1950s, G-code (aka RS-274) is the predominant programming language in the world of machine tools. It is presented as a series of instructions initialised by a letter address, which follow one another on successive lines separated by paragraph breaks; each of these lines is called a “block.” Each letter address specifies the type of movement or function called by the user in that part of the program.
- Parametric programming. Parametric programming is a way to make programs that are adjustable to different values. This is done by using variables that the user can input, and then the program will change based on those values. This is used in machine tools to help with things like feedback and closed-loop controls between production systems.
- Single step. This allows for running the work program one line of code at a time. In this way, the operator can check the correspondence of executed code to the best possible working conditions and determine if intervention by modification is necessary.
- Feed hold. The “feed hold” function is mainly used to check the correct execution of complex features by inspecting the work area before proceeding with further steps in the process. In fact, chips coming from the removal of the material being processed could be deposited in work areas or on measuring probes, potentially invalidating the measurements, or inducing defects downstream of the machining if they are not removed.
- Tools. The machining process is a manufacturing technique that uses an element called a tool to remove excess material from a raw piece. The tool cutting is made possible by the relative speed between the manufacturing part and the cutting tool edge, also known as the cutting speed or surface speed. In addition to this parameter, the feed rate (speed of tool moving along workpiece) also affects chip removal process. Many types of tools are available depending on the type of processing needed.
For all vendors that we included in our research scope, we conducted an equal evaluation of their machines:
- The “Industry 4.0–ready” technologies are interfaces and related protocols used by machines in smart environments to transmit information outwards, towards centralised systems like production data for better management or cost reduction; they also enable remote management such that an operator can change the executed program without needing local access.
- We identified potential vulnerabilities in the exposed services using automated scanners like Nessus. These included known or misconfigurations that could pose as dangerous, which we ignored to focus on domain-specific abuse cases for CNC interfaces instead.
- We then went deep into the CNC-specific technologies previously identified, by analysing the risks of abuses and conducting practical attacks on the controllers. For this, we developed attack tools that exploited the weaknesses we identified in the domain-specific interfaces with the aid of proprietary APIs we got access to.
- We collected evidence of our concerns and collaborated with vendors to suggest mitigations. All evidence came from tests we conducted on real-world installations, but we also used simulators for preliminary testing or when the machines were not immediately available.
Now that we have established a better understanding of numerical control machines and their basic concepts, we will further explore the vendors we chose for this research in part two of the series. There, we’ll discuss how we evaluated vendors and what we discovered during our research.