Trend Micro identifies security risks faced by CNC machines across Industry 4.0 deployments

In its latest research, Trend Micro discloses security deficits in the relatively novel Industry 4.0 technologies that empower companies to optimize many aspects of manufacturing, including industrial machinery such as computer numerical control (CNC) machines. These CNC machines play a crucial role in production plants and constitute a critical asset for organizations globally, as they are programmed to execute repetitive tasks to improve productivity while reducing costs.

“We rarely found common security mechanisms like resource access control and management, which are nowadays deployed everywhere in traditional computers and servers, on the tested CNC machines,” Marco Balduzzi, a Trend Micro researcher, wrote in the research report. “As a result, modern CNC installations could become victims of attacks like damage, denial of service (DoS), hijacking, and theft of intellectual property.”

The cybersecurity firm conducted the tests on CNC controllers from four vendors selected for their worldwide reach and extensive market experience or for developing technologies used across the manufacturing sector.

Trend Micro demonstrated all these attacks in practice. For instance, it simulated an attack in which a malicious user targets a production line to steal intellectual property (in the form of production code) or sabotages production. In another scenario, a cybercriminal takes control of the manufacturing process to introduce microdefects that pass the QA process, eventually resulting in economic or reputational loss for the manufacturer.

Given the significance of its findings, Trend Micro took appropriate precautions before publishing its research. Specifically, it worked closely with the vendors to raise its concerns and suggest measures for mitigation. In addition, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) of the Cybersecurity and Infrastructure Security Agency (CISA) provided Trend Micro with invaluable assistance as a liaison during its discussion with these vendors.

“As part of our thorough disclosure process, we reached out to the affected vendors in a timely manner, contacting the first back in November 2021,” according to Balduzzi. “Since then, all of the vendors have taken steps to provide their end users with more secure solutions by improving their documentation, their communication with their respective machine manufacturers, or bettering their security posture by patching vulnerabilities and adding more security features to their offerings. We shared with these vendors the findings from our research, through which we identified various attack classes.”

Trend Micro said that the tools used by CNC machines are measured for their geometry, such as their length and radius, to make sure these tools are suited to producing a specific piece. These measurements are taken by human operators or are done automatically during a CNC machine’s tuning phase. However, tampering with these measurements is one way in which malicious actors could cause damage to the machine itself, its parts, or the piece it’s working on. 

Balduzzi found that all four CNC controller vendors that were part of this research were susceptible to this kind of attack. “In one attack scenario, we created a 3D-printed plastic tool to demonstrate how a CNC machine’s tool could crash against the raw piece it’s working on because of negative overflow, after we set the CNC controller’s wear value to –10 mm,” he wrote. 

Trend Micro research found that attackers attempt to drive down a manufacturer’s efficiency by sabotaging its production process. The largest potential attacks came from the denial-of-service (DoS) category, which included triggering custom alarms, changing the tool geometry, and ransomware.  

“False alarms are another way malicious actors could disrupt the manufacturing process. CNC machines have built-in alarms that warn of faulty conditions in hardware, but they can also be configured with custom alarms for errors in software,” the research report said. “When these alarms are set off, the CNC machine stops operating and needs a human operator’s intervention to continue. An attacker who has infiltrated a connected factory could trigger these software-related alarms, abruptly interrupting production. CNC controllers from two vendors involved in this research were exposed to this attack.”

Balduzzi warned that malicious actors could mount different kinds of attacks, including DoS, by simply altering a tool’s geometry. “For example, an attacker could configure a vertical milling machine’s wear parameter to be more than the length of the tool itself, which would instruct the mill to operate in midair, unable to touch the piece. Our tests revealed that CNC controllers from all four vendors that we tested were exposed to this kind of attack.”

Trend Micro said that not even CNC machines are immune to ransomware attacks. “In one scenario, malicious actors could lock down a CNC machine or encrypt its files, effectively stopping production until the manufacturer meets their demands. Attackers could carry out a ransomware attack by using an unauthenticated network share to access a CNC machine’s files, abusing a malicious application to make operating system calls, or planting a script in a machine to lock its screen. Our results showed that machines from three of the four controller vendors that we tested were at risk of ransomware attacks.”

The research report said that attackers seeking to control the production process could do so by hijacking a CNC controller. They could do this by changing the tool geometry and hijacking parametric programs.

Trend Micro said that a malicious actor with extensive knowledge of the manufacturing process could seize control of a CNC controller to misconfigure its tool geometry in a way that would lead to micro-defects in produced pieces. Another way a hacker could introduce defects in pieces is by hijacking a CNC controller’s parametric program. To do this, an attacker would need to set a program’s variables to an arbitrary value, which would alter the pieces in a way that would fail to meet product specifications.
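The tool-geometry and parametric-program tampering described above can be caught by auditing exported controller state before a job runs. The Python below is an added example, not code from Trend Micro's report or from any controller vendor; the `ToolEntry` fields, the 0.5 mm wear policy band, the `#100`-style variable names, and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

MAX_WEAR_MM = 0.5  # assumed shop policy: wear compensation is a small correction


@dataclass(frozen=True)
class ToolEntry:
    tool_id: str
    length_mm: float
    wear_mm: float


def audit_tool(entry, max_wear_mm=MAX_WEAR_MM):
    """Return the reasons a tool-table entry looks tampered with (empty if sane)."""
    reasons = []
    if entry.length_mm <= 0:
        reasons.append("non-positive tool length")
    elif abs(entry.wear_mm) >= entry.length_mm:
        reasons.append("wear is at least the tool length")
    if abs(entry.wear_mm) > max_wear_mm:
        reasons.append("wear outside policy band")
    return reasons


def audit_variables(current, approved_ranges):
    """Flag parametric-program variables that are unapproved or out of range."""
    flagged = {}
    for name, value in current.items():
        if name not in approved_ranges:
            flagged[name] = "variable not in approved set"
            continue
        low, high = approved_ranges[name]
        if not low <= value <= high:
            flagged[name] = f"value {value} outside [{low}, {high}]"
    return flagged


# Constructed sample data (not taken from the report's test machines).
TOOL_TABLE = [
    ToolEntry("T1", 75.0, 0.02),   # normal wear compensation
    ToolEntry("T2", 75.0, -10.0),  # the -10 mm wear value quoted above
    ToolEntry("T3", 50.0, 60.0),   # wear larger than the tool itself
]
APPROVED = {"#100": (0.0, 25.0), "#101": (1.0, 8.0)}
CURRENT_VARS = {"#100": 12.5, "#101": 80.0, "#150": 3.0}

if __name__ == "__main__":
    for tool in TOOL_TABLE:
        print(tool.tool_id, audit_tool(tool) or "ok")
    print(audit_variables(CURRENT_VARS, APPROVED))
```

Wear sign conventions differ between controllers, so the check uses the magnitude of the wear value rather than its sign.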

The research report noted that the wealth of data in CNC controllers might attract the attention of malicious actors, who could attempt to access this information by various means. These attacks include theft of program code and theft of production information.

“The programs used to maneuver CNC machines are among a manufacturer’s most sensitive intellectual property, as these contain the details of how to make a specific part,” Balduzzi wrote. “Attackers could remotely access a program that a CNC controller is running by way of an unprotected network that the CNC controller is connected to, or by installing a malicious application in the machine’s controller. And because they’re written in G-code and are not compiled, these programs are easy to reverse-engineer,” he added.

CNC controllers contain valuable information that helps manufacturers cut down costs and remotely track their production processes, the research report said. “This includes what work programs, tools, and production rates are involved in the manufacturing of a specific piece. An attacker, for example, could extract all this data from a CNC controller using dedicated calls that require no authentication or have any resource access controls. We were able to conduct this kind of attack on CNC controllers from all four vendors that we tested.”

To thwart the threats that come with digitizing production lines, Trend Micro suggested that companies install industrial intrusion prevention and detection systems (IPS/IDSs), which can help manufacturers detect malicious activity in their networks by monitoring traffic in real time. It also recommended segmenting networks, which can effectively limit access privileges to only the users who need them, like end users and operators of CNC machines. Standard security technologies like virtual local area networks (VLANs) and firewalls go a long way toward lessening the exposure of CNC machines’ interfaces to unauthorized access.

The report also recommends keeping the software, services, and applications that CNC machines use up to date with the latest patches, which helps deter malicious actors from exploiting vulnerabilities. It also suggests correctly configuring CNC machines according to the controller vendor’s guidelines and advisories, such as its recommendations regarding enabling encryption and authentication where applicable.
