Machine tool builders are under ever-increasing pressure to deliver robust production equipment with complex feature sets under shorter schedules and tighter budgets. After a new tool is delivered to a customer the expectations are for short commissioning schedules with quick resolutions to issues that are found during startup and initial operation.
The increasing complexity of new manufacturing equipment often requires multiple software and PLC developers to complete the project development within aggressive schedules. It is not feasible or desirable to send the entire development team to the customer site to resolve tool issues associated with commissioning a new tool.
Rather than bringing the development team to the customer’s site, we can now bring the customer’s site to the development team. This is accomplished with commercially available remote-access hardware and software tools. These tools allow the entire development team to be available to resolve issues in real time as they are discovered on the equipment at the customer’s site.
Network and security
Ten years ago, very few production tools had network connections, and, of those that did, even a smaller number were connected to a factory network or to the Internet. Fast-forward to 2016, and the world has changed dramatically. Nearly all major PLC and robot vendors provide Ethernet connections on their controllers. All of these controllers and hence the tools containing these controllers are connected to the factory network and to the world.
Machine builders need to be aware of the security risks of this network connectivity and need to ensure their tools are network-safe. As a builder, you do not want to ship a tool to your customer that’s going to pose network security risks when connected to the factory-floor network and the Internet.
Until a few years ago, factory-floor equipment wasn’t considered a risk to cyber-attack. This all changed dramatically in 2010 with the Stuxnet worm.
The Stuxnet worm infected the uranium enrichment facility in Iran (Figure 1). Nearly a fifth of the nuclear centrifuges in the facility were compromised and destroyed. The Stuxnet worm was introduced to the plant IT network through an infected USB drive. It is suspected that this USB drive was brought into the facility by a contractor. The worm replicated itself across the plant’s Microsoft network looking for Siemens Step7 PLC software. Once the target PLC was found, the worm loaded its payload into the PLC modifying the behavior of the PLC code. The centrifuges were then spun up beyond their operating window and destroyed. While this is an extreme case, it isn’t the only known exploit of an industrial control system. The potential is there for any industrial control system on the Internet to be compromised by malicious software.
There are many other examples of cyber-attacks on manufacturing systems around the world. Attacks range from stealing information to stopping the plant-floor SCADA and PLC systems.
Fortunately, as a tool builder, there are many steps you can take to secure your equipment before you ship your tool to your customer. These steps are not very difficult and can easily be accomplished before shipment with little cost to the tool builder.
PCs in equipment
It is becoming common to see industrial PCs as part of the control system in new equipment. PCs have many vulnerabilities with regard to computer security. Here is a short list of steps you can take to make sure your PC equipment is secured before shipment. These steps need to be taken at the tool builder’s facility before shipment in order to maximize their usefulness. Remember you are not only trying to protect your equipment, you also do not want to infect your customer’s plant with viruses that may be on the equipment that you ship.
Passwords: the PC should have at least one Windows user account that is not the administration account. This account should be protected by a password and require the user to enter the password when the PC is started.
USB and Ethernet ports: PCs come with multiple USB ports and Ethernet ports. Unused ports should be disabled to prevent malicious access. USB ports are typically disabled through the PC basic input/output system (BIOS). Ethernet ports can be disabled through the PC operating system (Figure 2).
Anti-virus software: load anti-virus (AV) software on your PC. Ask your customer if it has a preference for AV software in the facility. If not, there are many good free AV software packages available, such as Avast or Bitdefender. Before you ship the PC, run a full disk scan. You would be surprised to see how often a new PC arrives with virus issues. Once the equipment is installed in your customer’s facility, you can uninstall the AV you loaded at your facility and have the customer install its preferred AV software.