Exploring cybersecurity issues with a CNC controller

After participating in a recent webinar on cybersecurity, sponsored by Association of Woodworking & Furnishings Suppliers, I started thinking about the security of my school’s CNC router controllers.

I teach at a community college with a robust CNC curriculum. We have three controllers, with two running Windows and one running Linux operating systems. They are connected to the school’s computer network, which is managed by the school’s IT department.

If there are problems, the IT Department will take the lead in resolving the issues. And that’s important because a school environment presents unique risks. Students often take G-code to the controller on their USB thumb drive, for example, which could contain malicious software. But the IT department is on top of that, configuring the computers so only it can install software.

So, while the cybersecurity risks are under control at the school, I do not have the same confidence with respect to my personal shop and CNC router. I suspect my situation is similar to many small- and mid-sized shops that do not have the benefit of an IT department.

My shop’s CNC router controller does not run anti-virus software nor does it receive regular operating system or application updates to address cybersecurity vulnerabilities. These are ‘red flags’, according to the webinar’s experts, and certainly not best practices for general purpose computers. I’ve made some recent changes to minimize the risks.

Step one was to minimize the pathways for malevolent software to access my controller. It’s now disconnected from my network and I’m using a dedicated USB thumb drive to transfer G-code. On the computers used for design work, I now use a Virtual Private Network (VPN) to connect over the internet. I have installed and run anti-virus software. My network uses a firewall and I have a browser extension that warns me when sites appear to have malevolent features. I use Multi-Factor Authentication whenever it is available. And I take advantage of cybersecurity training and use that knowledge to avoid phishing emails and texts. But other dangers lurk:

It is common for CNC providers to have authorized command of a controller on a service call over the internet to the controller. While this is an incredibly effective way to fix whatever problem you’re having, it also presents a serious vulnerability that needs to be carefully managed. This requires that the controller be connected to the network.

Remote access is made possible by software that’s loaded onto your controller. It’s a gateway to typing commands, uploading and downloading files, and pretty much anything else.

The first line of defense, as mentioned earlier, is to leave the network cable unplugged. However, to enable remote support, I must plug that cable in and allow the controller to attach to the network.

The second line is to leave that software turned off except when you can authorize and monitor what is being done. That is easier said than done. The remote access software installed by my controller’s manufacturer is capable of “unattended access” and it appears to me that it may be “on” in the background all the time. I have not enabled “unattended access” and do not plan to do that.

When a technician I know from the manufacturer asks for remote access, I must give them an ID and password. When we are done working with the controller, I terminate the session. I also unplug the network cable. It would be bad practice to leave that virtual network door open.

It would be a mistake to pay close attention to guarding against risks involved with remote access and then ignore the risks associated with local access. The IT professionals call these measures access control, which is managing who can do what on a computer.

A very old form of access control is a locked door. We can be careful about who has physical access to the controller. This is also useful and necessary with respect to all the other assets in the shop. A padlock on a main power disconnect is another way to limit access to those who are authorized. We have padlocks on the main power disconnects for the CNC routers at the school along with lists documenting who is authorized to check out the keys.

Some controllers use passwords to manage access to the controller, but many do not. Some controllers have passwords or other means to determine who can perform advanced tasks. This is analogous to “Administrator” permissions on a Windows PC. These may be created by the machine’s OEM for use by its service personnel.

For example, my controller has a “Run/Setup” mode key. In Run, changes made by an operator are not persistent and are reset the next time the controller is powered up. Setup is used by trained personnel to make permanent changes to the configuration of the controller. If you leave the controller in Run mode and remove the key, this will prevent unauthorized changes to the controller.

Once upon a time, wireless routers and modems shipped with default usernames and passwords. A common combination was the username ADMIN and password ADMIN. The manufacturer advised and assumed that the user would change the username and password. Often, that did not happen. It is important to establish unique passwords where recommended.

If all else fails and I am subject to a successful cybersecurity attack, what then? The most useful asset at that moment is likely to be the fact that all my eggs were not in the same basket. That is the value of backups. Backups are copies of computer data. Ideally, I will have backups from different points in time. In addition, I will have backups on different devices and stored in separate locations.

Backups for personal computers and servers are a bit different than for a controller. For personal computers and servers there are many backup software and hardware solutions that will keep copies of files on an external hard disk. There are also services that will periodically store copies of files to the Cloud. These approaches offer protection in case of computer hardware failure, such as a hard disk drive crash. They also offer protection in the event of a disaster like a fire or flood.

Backing up a controller may be a proprietary process developed by the manufacturer. These backups are often used when making changes to a controller’s configuration to enable a “roll back” to a prior configuration when the changes result in undesired behaviors.

If controller backups are made to a removable device such as a USB thumb drive, they can be stored in a different location. I’m unaware of an automated backup process for controllers.

Woodworking and woodshops involve many risks and hazards. Sharp tools, machinery, airborne dust, toxic chemicals, and so on. As we incorporate computers into our business and our processes, we are taking on cybersecurity risks. As with all the other risks we have been accustomed to dealing with, we can manage the risks if we learn how to minimize and mitigate them. As with all those other risks, we ignore them at our peril.

If I were running a business, I would want to discuss cybersecurity coverage with my insurance agent. To be proactive, I would also look into companies that provide cybersecurity services for a fee. These companies assess a client’s existing cybersecurity posture, recommend best practices, and assist in implementing those best practices. They can also help in the event of a cybersecurity breach.

Ted Bruning is a part-time instructor in the Fine Woodworking program at Red Rocks Community College.

This article was originally published in the March 2024 issue.