Trend Micro: Analysis of Security Issues in Computer Numerical Control Machines

Trend Micro researchers have analyzed computer numerical control (CNC) products from several manufacturers for vulnerabilities to various cyberthreats. The machines were found to be vulnerable to attacks that could cause physical damage, denial-of-service attacks, hijacking, and data theft. Trend Micro will present its findings in a paper, The Security Risks Faced by CNC Machines in Industry 4.0, at the Security Week 2022 ICS Security Conference this week.

Note

• CNC machines are driven by computers with full operating systems. They are designed to last a long time, with that same OS. But that doesn’t mean they are secure enough to be on your network, let alone able to reach the Internet. Isolate (segment) and monitor them, apply patches when released. Only apply supported patches to avoid “bricking” a very expensive device. Don’t expect security improvements in a newer model, the OS supplied is selected for its ability to run the CNC machine, not security.
• Purpose-built machines should be easier to secure than more flexible general-purpose machines. Unfortunately, that is not the result we see. This results in part from the fact that these systems are built by those expert in the purpose but naive about security, in part because they incorporate general purpose components.

Read more in

• The Security Risks Faced by CNC Machines in Industry 4.0 (PDF)
• Uncovering Security Weak Spots in Industry 4.0 CNC Machines
• CNC Machines Vulnerable to Hijacking, Data Theft, Damaging Cyberattacks