Ransomware on CNC Machines

How CNC program transfers can overcome the vulnerabilities of SMB1 for greater security and efficiency

It took mere hours. In May of 2017, a devastating ransomware cryptoworm called WannaCry impacted more than 200,000 computers across 150 countries, ultimately amassing over $4 billion in damages. Only months later, a variation of this worm spread to 10,000 machines in Apple’s single supplier of SoC components for iPads and iPhones, causing a production stoppage for a full day and shipment delays among its major tech customer base. The original worm was halted, but IT services management company Cloudflare asserts that WannaCry attacks continue today.

The ransomware cryptoworm WannaCry notably affected TSMC, which manufactures processors and other silicon chips for major technology companies such as Qualcomm, AMD and Apple, due to a Windows SMB1 server vulnerability.

Starting with SMB1

What happened to the National Health Service (NHS), FedEx, Taiwan Semiconductor Manufacturing Company (TSMC) and so many others? The WannaCry worm exploited “vulnerabilities in the Windows SMB v1 server to remotely compromise systems, encrypt files and spread to other hosts,” explains a fact sheet from the National Cybersecurity and Communications Integration Center (NCCIC). While patches have since been issued by Microsoft, the software company admits there are still instances in which manufacturers may need to run SMB1:

    1. Your company is running XP or Windows Server 2003 under a custom support agreement
    2. You have old management software that demands admins browse via the “network,” also known as the “network neighborhood” master browser list
    3. You run old multi-function printers with antiquated firmware in order to “scan to share”

For manufacturers experiencing such cases, there are workarounds. SMB1 could be disabled on every system connected to the network, recommends the NCCIC. You can block port 445 (Samba). You can verify that there isn’t any unexpected SMB1 network traffic. You can isolate vulnerable embedded systems. But these options may not necessarily be viable for efficient and protected CNC file transfers among aged equipment.
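One way to carry out the "verify that there isn't any unexpected SMB1 network traffic" step is to classify TCP/445 payloads by SMB protocol header. The following is an added example, not code from the original post or from any vendor named here; the sample payloads are constructed rather than captured, and the host labels are hypothetical.

```python
SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"
SMB1_NEGOTIATE, SMB1_HEADER_LEN, REPLY_FLAG = 0x72, 32, 0x80

def classify(payload):
    """Classify one TCP/445 payload; returns (verdict, dialects offered over SMB1)."""
    # Direct-TCP SMB: 4-byte transport header (0x00 + 24-bit big-endian length).
    if len(payload) < 8 or payload[0] != 0x00:
        return "not-smb", []
    msg = payload[4:4 + int.from_bytes(payload[1:4], "big")]
    if msg[:4] == SMB2_MAGIC:
        return "smb2+", []
    if msg[:4] != SMB1_MAGIC:
        return "not-smb", []
    if len(msg) < SMB1_HEADER_LEN + 3:
        return "smb1-truncated", []
    # Any SMB1 message other than a Negotiate request means SMB1 is really in use.
    if msg[4] != SMB1_NEGOTIATE or msg[9] & REPLY_FLAG:
        return "smb1-in-use", []
    off = SMB1_HEADER_LEN + 1 + 2 * msg[SMB1_HEADER_LEN]  # skip WordCount + words
    byte_count = int.from_bytes(msg[off:off + 2], "little")
    data = msg[off + 2:off + 2 + byte_count]
    # Each offered dialect is encoded as 0x02 + NUL-terminated string.
    dialects = [d[1:].decode("ascii", "replace")
                for d in data.split(b"\x00") if d[:1] == b"\x02"]
    if any(d.startswith("SMB 2") for d in dialects):
        return "smb1-negotiate-multiprotocol", dialects  # client can move to SMB2+
    return "smb1-negotiate-legacy-only", dialects        # client offers only SMB1

# --- constructed sample payloads (not captured traffic) ---
def smb1_frame(command, body=b"\x00\x00\x00", flags=0x18):
    msg = SMB1_MAGIC + bytes([command]) + b"\x00" * 4 + bytes([flags]) + b"\x00" * 22 + body
    return b"\x00" + len(msg).to_bytes(3, "big") + msg

def negotiate_request(dialects):
    data = b"".join(b"\x02" + d.encode() + b"\x00" for d in dialects)
    return smb1_frame(SMB1_NEGOTIATE, b"\x00" + len(data).to_bytes(2, "little") + data)

SAMPLES = {  # hypothetical host labels
    "cnc-xp-control": negotiate_request(["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12"]),
    "engineering-pc": negotiate_request(["NT LM 0.12", "SMB 2.002", "SMB 2.???"]),
    "file-server": b"\x00\x00\x00\x40" + SMB2_MAGIC + b"\x00" * 60,
    "legacy-session": smb1_frame(0x73),  # SMB_COM_SESSION_SETUP_ANDX
}

def smb1_findings(samples=SAMPLES):
    """Return {host label: verdict} for every payload that involves SMB1."""
    verdicts = {name: classify(p)[0] for name, p in samples.items()}
    return {n: v for n, v in verdicts.items() if v.startswith("smb1")}
```

A "multiprotocol" verdict means the client still has SMB1 enabled but can negotiate up; "legacy-only" and "in-use" identify the machines that would break if SMB1 were disabled or port 445 blocked.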

Transfer CNC Programs on SMB1 Machines

Manufacturers can struggle to disable SMB1 on every machine and still transfer CNC programs efficiently, effectively and securely.

Simplifying Network Setups

An alternate route is to simplify network setups altogether. Modern DNC software, like Predator Secure DNC, enables you to remove Windows shares, corporate domains, workgroups, homegroups, Microsoft SMB, CIFS, FTP, DNS, WINS, NetBEUI and IPX/SPX within shop floor VLANs, WANs or subnets for DNC or file transfers. This can be especially useful for manufacturers running older CNC equipment with Windows-based controls that lack compatibility with newer operating systems. It can also alleviate the need for system upgrades and service packs to maintain the older versions of Windows.

In other cases, controllers like Haas classic controllers can be upgraded to another SMB version by contacting the machine tool builder, or the network can be segmented to address CNC machines that are not upgradable or do not run a Windows operating system. The point is, regardless of your SMB1-dependent machinery environment, you can reduce your ransomware risk while gaining the latest benefits in efficiency and productivity.

An experienced manufacturing integrator possesses the technical expertise to properly assess, assign and execute custom solutions for your company. Contact Shop Floor Automations to understand your full scope of SMB1 options today.

Ethernet CNC connectivity

Over the years, Windows-based CNC machines, robots, CMMs, test stands and other manufacturing equipment have proven popular, largely due to their Ethernet-based networking using the corporate network. But as Windows operating systems (OS) reach the end of their lifecycle, Microsoft technical assistance, software updates and security fixes are no longer available. The options, then, for manufacturers needing Ethernet CNC file transfers and running CNCs with Windows 2000, 2003 or older OS are limited: upgrading to a newer Windows OS can be cost prohibitive and involve a lack of support from the equipment manufacturer; or there’s no upgrade path available, thereby necessitating that the whole machine be replaced.

The IT Imperative

To protect manufacturers from security risks associated with OS lifecycle completions, IT departments have led the initiative to remove older Windows OSs from corporate domains and discontinue support, while eliminating the use of FTP or Windows shares on untrusted VLANs altogether. This movement often forces manufacturing operations to isolate a PC from the corporate network and go back to manually loading files through portable media – which presents its own set of security risks. TechAdvisory.org reports that 25 percent of malware is spread today through USB devices. Even the United States Computer Emergency Readiness Team (US-CERT) recommends banning portable media devices from the workplace. And for manufacturers subject to CMMC 2.0, the continued use of removable media devices may involve severe restrictions or nonacceptance altogether.

Manufacturers needing Ethernet CNC file transfers and running CNCs on older Windows operating systems have limited, cost-efficient options. 

All of this leads to a collision course of lost productivity for the shop floor and some major challenges for IT, as programmers struggle to minimize time spent physically transferring files to equipment and maintain accurate version control, and IT strives to minimize risk. The good news is that there are Ethernet CNC file transfer options available beyond the common scenario above.

Ethernet CNC file transfers

CNC machines running on outdated operating systems lead to a collision course of lost productivity for the shop floor, as programmers struggle to minimize time spent physically transferring files to equipment and maintain accurate version control, and some major challenges for IT as it strives to minimize risk.

Fortified Ethernet Connectivity

A modern DNC networking system, for one, allows manufacturers to keep using Windows 95 and newer OSs, Ethernet and their existing network infrastructure, all while removing those machines from the corporate domain and eliminating the use of FTP, unsecure USB, Windows Administrator access and more. This secure version of DNC software, like Predator Secure DNC software, still enables you to transfer your CNC programs, CNC variables, offsets, parameters, PLC registers and other production data to and from your manufacturing equipment – but adds a layer of security with automatic authentication, encryption and data compression.

Machine tools with an RS232 connection, or those with an option for it, can be connected to Predator Secure DNC to avoid connectivity risks. You’ll need knowledge of your CNC machine’s communication parameters, including baud rate, data bits, stop bits and parity settings, or of the network connection, such as FTP, FileShare, etc. Consult with an expert manufacturing integrator to explore any other prerequisites to connect your CNC machines through a next-generation DNC networking system.