Published On: May 13th, 2022
Categories: Machine Shop

Great – A Lecture On Security -_-

Dealing with network security is about as fun as going to the dentist.  It is this balancing act of opening things up enough to be productive while minimizing the potential for catastrophe.  As somebody who started their career in IT, I can appreciate how stressful and thankless maintaining that balance can be.  “What do you mean I can’t install an application myself?”, “what is this dual-factor garbage?”, “I can do whatever I want to my home PC, and I never got hacked.”  But when things hit the fan, IT are the ones frantically rebuilding servers while half the office asks for an ETA every 10 minutes.

There is often an understandable knowledge gap for IT when it comes to production equipment.  The hardware is proprietary and not documented for the IT audience.  It was likely installed by a machine builder that primarily coordinated with the operations folks.  But at some point, IT may have been given a simple request to drop an ethernet line for some monitoring software or something like that – and here is where a knowledge gap can become very dangerous.

A Shocking Example

It was not until I began work on Harmoni that I had the opportunity to deep-dive into what can be done with machine data.  We use it primarily to track state history (running, stopped, error) to align that with labor transactions.  One of our first connections was to a FANUC CNC controller, and we found that, in order to get the data we wanted, we had to enable FANUC FOCAS.  No problem; in fact, on our training unit that was the default setting.

In order to get data off this machine, we purchased a developer library and were soon able to record everything we could imagine into our database.  Current state, offsets, programs, you name it.  Interestingly, though, our connection to FOCAS involved no credentials at all – all that we needed was the IP address and port number.  What’s more, this library allowed us not only to READ but also to WRITE very important information to the controller.  For example, let’s say I wanted to randomly change a tool offset – I just need a few lines of code:

static class Program {
   static ushort _handle = 0; // Handle to communicate with Fanuc

   static void Main(string[] args) {
      Focas1.cnc_allclibhndl3("192.168.1.110", 8193, 6, out _handle); // Connect to the CNC using IP and port
      Focas1.cnc_wrtofs(_handle, 1, 3, 8, 103000); // Sets Tool 1 Offset To 103
      Focas1.cnc_freelibhndl(_handle);
   }
}

Since I had a trainer to play with, I tested this out and was able to make this offset change mid-cycle.  That is the sort of change that could cause an incredibly expensive tool crash or silently introduce defects in critical components.  Read access to the program and offset data could allow a competitor to steal intellectual property.  The possibilities are alarming.

Defensive Measures

If your machines need to be on a network for monitoring or program loading, put them onto their own network.  The vast majority of malware is introduced by unsuspecting users opening an email or website that infects their computer.  There is probably no reason the AP clerk needs to be on the same network as the production machines.  Separate them out and give yourself one less point of vulnerability.  With Harmoni, we take this a step further by acting as a firewall for each machine.

Turn off what you don’t need.  Talk to the machine builder and find out what the exposed interfaces are and whether they can safely be disabled.  If you are not using something like FANUC FOCAS for monitoring, disable it.
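One way to check that the separation described above actually holds is to audit firewall or flow logs for FOCAS traffic reaching the machines from anywhere other than the monitoring host. The following is an added example, not code from the original post or from Harmoni; the log format, the machine subnet, and the monitoring host address are constructed assumptions, and only the port and the 192.168.1.110 address come from the post's snippet.

```python
import ipaddress

FOCAS_PORT = 8193  # port used in the post's connection example

# Assumptions for this example: the machine subnet and the one monitoring
# host permitted to reach FOCAS are constructed values, not from the post.
MACHINE_NET = ipaddress.ip_network("192.168.1.0/24")
ALLOWED_SOURCES = {ipaddress.ip_address("192.168.1.10")}

# Constructed flow records: time, source, destination, dest port, action
SAMPLE_FLOWS = """\
2022-05-13T08:00:01 192.168.1.10 192.168.1.110 8193 ALLOW
2022-05-13T08:02:17 10.20.30.44 192.168.1.110 8193 ALLOW
2022-05-13T08:02:19 10.20.30.44 192.168.1.110 443 ALLOW
2022-05-13T08:05:40 10.20.30.51 192.168.1.111 8193 DENY
2022-05-13T08:06:02 192.168.1.10 10.20.30.5 8193 ALLOW
malformed line
"""

def parse_flow(line):
    """Return (time, src, dst, dport, action) or None if unparseable."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return (parts[0], ipaddress.ip_address(parts[1]),
                ipaddress.ip_address(parts[2]), int(parts[3]), parts[4].upper())
    except ValueError:
        return None

def audit_focas_access(log_text):
    """Flag FOCAS flows to machines from sources outside the allowlist."""
    # exposed: the firewall passed the traffic (a segmentation gap)
    # blocked: any non-ALLOW action (policy held, but the attempt is worth a look)
    findings = {"exposed": [], "blocked": [], "skipped": 0}
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            findings["skipped"] += 1  # count lines we could not interpret
            continue
        when, src, dst, dport, action = flow
        if dport != FOCAS_PORT or dst not in MACHINE_NET or src in ALLOWED_SOURCES:
            continue
        bucket = "exposed" if action == "ALLOW" else "blocked"
        findings[bucket].append((when, str(src), str(dst)))
    return findings

if __name__ == "__main__":
    for kind, rows in audit_focas_access(SAMPLE_FLOWS).items():
        print(kind, rows)
```

Any entry under "exposed" means a host outside the allowlist was able to reach a controller's FOCAS port, which is exactly the unauthenticated path the offset-write snippet relies on.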

Closing

Hopefully, this post has shed some light on a topic that didn’t have your attention before.  In a world where there is some sort of new vulnerability every day, it is easy to get fatigued trying to keep up with these sorts of things.  But our supply chain has increasingly become a target for bad actors to disrupt.  And as we have learned to restrict end-user behavior to mitigate risk, so should we protect the machines that keep the lights on.

Until next time,

Adam

About the Author: Adam Ellis