IIoT systems and devices are susceptible to cyber-attacks, said Brad Klippstein, supervisor product specialist, Okuma America Corp. (Charlotte, NC). “Plain and simple, hackers are trying to get user IDs, passwords and financials or control of devices to deploy denial of service attacks against other networks.” In an article by Heather Johnson of Hartwig Inc., an Okuma distributor, Klippstein outlined Okuma’s nine-point IT recommendations that its customers should consider before connecting machine tools to their networks to guard against malicious hackers gaining access:
- When integrating firewall settings for the machine tool, consider how the device communicates, such as which ports it will connect to and what types of information packets it will send or receive. For instance, a manufacturer could have all the machines use port 80 and have all other devices use port 90, then set different rules for each port.
- Keep all software patches current.
- Change all default passwords on routers and managed switches.
- Turn off automatic updates, and then only apply them individually.
- Put your CNCs on a Virtual Local Area Network (VLAN): Manufacturers can lock down the equipment on a VLAN in a way that is separate from your primary network. This prevents access to PLCs that run many machine tool subsystems. These controllers might be easily overlooked by IT, leading to software not being updated properly. This software is more susceptible to viruses and should never have open access to the Internet. Your VLAN also should have no access to the public Internet.
- Update older operating systems.
- Manage connections to and from machines with a gateway. By putting the machine on a gateway, with two interfaces acting like a managed switch, the machine can remain on a network separate from the employee network while also allowing the machine-monitoring service to have real-time access to machine data. One network interface communicates with the locked-down machine’s VLAN. The other network interface communicates only with the machine-monitoring service. This protects the machines from communicating, even indirectly, with anything but the monitoring service.
- For wireless networks, use WPA (Wi-Fi protected access) wireless encryption. Note that a wireless network should never be used without encryption. While WEP (wireless encryption protocol) is easy to hack, the newer alternative, WPA, is not. However, given the right tools and time, anything can be hacked. Therefore, any highly sensitive data should never be accessible from a wireless connection.
- Install a Windows anti-virus protection service.
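
The VLAN and gateway recommendations above can be checked against observed traffic. The following is an added example, not code from Okuma or the article: it audits flows seen at the gateway against the rule that machines talk only to the monitoring service and never to the public Internet. The addresses, the flow list and the function names are constructed assumptions; port 80 is the article's own example port for machines.

```python
import ipaddress

# Constructed addressing plan: assumptions for illustration, not from the article.
MACHINE_VLAN = ipaddress.ip_network("10.20.0.0/24")  # locked-down CNC/PLC VLAN
MONITOR_SVC = ipaddress.ip_address("10.30.0.10")     # machine-monitoring service
MACHINE_PORT = 80  # the article's example port for machine traffic


def check_flow(src, dst, dport):
    """Classify one flow crossing the gateway as 'allow' or 'deny: <reason>'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in MACHINE_VLAN and d not in MACHINE_VLAN:
        return "deny: no machine endpoint, should not cross this gateway"
    if s in MACHINE_VLAN and d in MACHINE_VLAN:
        return "allow"  # stays inside the machine VLAN
    peer = d if s in MACHINE_VLAN else s
    if peer.is_global:
        return "deny: machine VLAN must not reach the public Internet"
    if peer != MONITOR_SVC:
        return "deny: peer is not the monitoring service"
    if d in MACHINE_VLAN and dport != MACHINE_PORT:
        return "deny: monitoring service may only use the machine port"
    return "allow"


def audit(flows):
    """Return (flow, reason) for every flow that violates the policy."""
    results = []
    for flow in flows:
        verdict = check_flow(*flow)
        if verdict != "allow":
            results.append((flow, verdict))
    return results


# Constructed sample flows: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("10.30.0.10", "10.20.0.15", 80),    # monitoring polls a CNC
    ("10.20.0.15", "10.30.0.10", 443),   # CNC pushes data to monitoring
    ("10.20.0.15", "8.8.8.8", 53),       # CNC reaching a public address
    ("10.10.5.7", "10.20.0.15", 3389),   # employee workstation to CNC
    ("10.30.0.10", "10.20.0.15", 23),    # monitoring host on an unexpected port
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(flow, "->", reason)
```

Any line this prints is a flow the gateway firewall should have dropped, so a non-empty result points at a rule that is missing or too broad.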