Computer numerical control (CNC) machines are widely used in production plants and constitute a critical asset for organizations globally. The main benefit of CNC machines such as automated drills, lathes, and mills is that they are programmed to execute repetitive tasks with the goal of improving production while reducing costs.
The strong push dictated by Industry 4.0 led to the introduction of technologies for wide connectivity of industrial equipment. As a result, modern CNCs resemble full-fledged systems more than mechanical machines, offering numerous networking services for smart connectivity.
This research explored the risks associated with the strong technological development observed in the domain of CNC machines. We performed an empirical evaluation of four representative controller manufacturers by analyzing the technologies introduced to satisfy the needs of Industry 4.0 and by conducting a series of practical attacks against real-world CNC installations. Our findings revealed that malicious users could abuse such technologies to conduct attacks like denial-of-service, damage, hijacking, or theft of intellectual property.
We demonstrate all these attacks in practice. For example, we simulated an attack in which a malicious user targets a production line to steal intellectual property (in the form of production code) or to sabotage production. In another scenario, a cybercriminal takes control of the manufacturing process to introduce microdefects that pass the QA process, eventually resulting in economic or reputational loss for the manufacturer.
Given the importance of our findings, we took appropriate precautions before publishing our research. Specifically, we worked closely with the vendors to raise our concerns and suggest measures for mitigation. This talk is meant as an opportunity to raise awareness in a domain in which, unfortunately, security is not yet a primary driver.