Cybersecurity for Job Shops
Small and medium-size machining job shops can take steps to protect computerized or networked assets such as CNC machines from cyber attacks.
Managers of small and medium-size machining companies often wonder what precautions they can take to protect their computer networks from hackers and other online threats. Even with limited resources and capabilities, they should follow the following steps to create a workable cybersecurity plan.
Educate Your Workforce
A plethora of government resources are freely available and can provide a good overview of cybersecurity for manufacturing companies. A good document to start with is the National Institute of Standards and Technology (NIST) publication SP 800-82 Rev. 2 Guide to Industrial Control Systems. NIST provides other resources for shops through its Manufacturers Extension Partnership.
Another wealth of readily available information is provided by the Department of Homeland Security’s (DHS) Industrial Control System Cyber Emergency Response Team ICS-CERT program for addressing cybersecurity. DHS provides a series of online training resources that can be accessed at no charge through the ICS-CERT virtual training portal.
Assess Your Facility
Start by mapping your existing computer networks and their infrastructure in the shop. Use both the operations technology (OT) and information technology (IT) networks and their integration. Identify the components of the system and its different subcomponents. Once the map is completed, physically validate the “architecture” shown in the map. Include searches for wireless networks and access points that may not be on the map. Look for smart devices, virtual private networks (VPNs) and public access points that may be used for reporting, troubleshooting by supply-chain vendors and remote services (access and response). This search will help determine the boundaries of the system and the system resources (people, processes and technology components) it involves.
Implement Security Measures
Once you have a clear picture of system components, review vendor documentation and support systems to evaluate their cybersecurity claims and capabilities. The best place to begin this process is with your newest acquisitions.
It’s best to use vendors that offer products that have been tested and validated for their security claims. UL’s Cybersecurity Assurance Program (CAP) and its certification process based on the UL 2900 series of standards verifies the vendors’ cybersecurity claims and provides assurance that their products meet industry standards. Other basic steps should also be implemented:
- Keep system architecture drawings, network diagrams and system maps in a confidential location with secure and limited access.
- Remove any functionality, components and connections not needed for system operations.
- Check the ICS-CERT portal for products in your system that have known weaknesses and vulnerabilities. Until you can patch them, check for ways to mitigate the weaknesses.
- Take steps to prevent any circumvention of access controls that you have defined in your system. Remove or disable any remote connections that are not necessary for safe operations.
- For any wireless technology that may have addressing and naming capabilities, change the names using a nonstandard naming convention that does not indicate the nature of the technology or its location. Document and secure your naming conventions in the same location as the architecture designs and network maps.
- If you are using remote access and gateways for daily operations, ensure that the vendor’s technology uses authentication and encryption schemes that are robust and capable.
- For user accounts and credentials for your system, remove any temporary or shared accounts and their passwords. If components have credentials and accounts that you cannot change to your facility’s specifications, contact the vendor and request alternatives, or seek solutions for your own site-specific accounts.
- Develop a strict policy for visitors and the digital technology they may bring, including any kind of computer or device such as USB sticks, laptops or diagnostic tools. The parts of your system that require remote troubleshooting should be controlled by your site.
- Develop a policy for detecting and disabling malware as recommended in the ICS-CERT portal.
These preliminary steps will create a basic level of cybersecurity that can be strengthened over time. Audit these practices regularly to keep them current and effective. Revise your procurement guidelines to be sure new equipment such as CNC machines are in line with security practices. Use third-party services such as UL’s CAP to ascertain that a baseline of security is in place.
Related Content
Generating a Digital Twin in the CNC
New control technology captures critical data about a machining process and uses it to create a 3D graphical representation of the finished workpiece. This new type of digital twin helps relate machining results to machine performance, leading to better decisions on the shop floor.
Read More6 Machine Shop Essentials to Stay Competitive
If you want to streamline production and be competitive in the industry, you will need far more than a standard three-axis CNC mill or two-axis CNC lathe and a few measuring tools.
Read MoreCan ChatGPT Create Usable G-Code Programs?
Since its debut in late 2022, ChatGPT has been used in many situations, from writing stories to writing code, including G-code. But is it useful to shops? We asked a CAM expert for his thoughts.
Read MoreOrthopedic Event Discusses Manufacturing Strategies
At the seminar, representatives from multiple companies discussed strategies for making orthopedic devices accurately and efficiently.
Read MoreRead Next
IMTS 2024: Trends & Takeaways From the Modern Machine Shop Editorial Team
The Modern Machine Shop editorial team highlights their takeaways from IMTS 2024 in a video recap.
Read MoreIncreasing Productivity with Digitalization and AI
Job shops are implementing automation and digitalization into workflows to eliminate set up time and increase repeatability in production.
Read MoreInside Machineosaurus: Unique Job Shop with Dinosaur-Named CNC Machines, Four-Day Workweek & High-Precision Machining
Take a tour of Machineosaurus, a Massachusetts machine shop where every CNC machine is named after a dinosaur!
Read More