Exploring cybersecurity issues with a CNC controller
“specific, measurable, achievable, relevant, and timebound.”
DIFFERENT KINDS OF SMART
The smartphone itself can be a valuable tool. Yes, it lets the woodworker take photos instead of making lists and drawings. But the apps it can use expand the toolbox in all kinds of other ways. There are apps that can measure, draw, design, change colors in a photo, show a portfolio, locate inventory and tools, track team members and jobs, do complex calculations such as roof pitch or turning segments, convert units of measurement, identify species, and even turn the phone into a short level or a flashlight.
Wagner Meters (wagnermeters.com) has a free app called WoodH2O that can calculate the equilibrium moisture content in a specific location. EMC is the level at which wood neither takes on nor loses moisture when exposed to air. Knowing that can help a woodworker avoid wood movement that can result in splits, warps, shrinkage or expansion. The app offers info and links about moisture content challenges. Wagner offers a number of apps that can link a phone to sensors in various situations, such as kilns and lumber racks.
Rockler (rockler.com) carries a line of Nova Voyager drill presses that have an onboard computer and digital controls. The computer features DVR (Digital Variable Reluctance) technology, which automatically adjusts and maintains the speed and power of the machine based on resistance. That, coupled with the fact that the Voyager’s motor has no belts or pulleys, results in a machine that is incredibly smooth and quiet. The computer also optimizes efficiency so that the motor only draws as much power as is needed.
Of course, not all smart tools have onboard electronics. Some are just smart in the old-fashioned meaning of the word. They take a basic tool and add a little something that makes it much more usable, accurate, or flexible. Saw guidance is a good example. Systems such as the TrackSawGuide from Milescraft (milescraft.com) can take pretty much any brand of circular saw and turn freehand cuts into
‘smart’ results that can save a lot of time and frustration.
Pretty much all of the portable saw manufacturers have some version of the track saw and overall, these are excellent systems that bring unprecedented accuracy to a basic tool. Milwaukee (milwaukeetool.com) was slow to join the herd, and only introduced its version last year. The M18 Fuel is a 6-1/2” plunge saw that comes alone or in a kit with a track, battery, charger and tote. What elevates this and other leading brands from the basic aftermarket kits that
convert any old saw into a tracked unit are smart technologies such as the company’s Redlink Plus, which ensures maximum performance and protection from overload, overheating, and over-discharge. The saw itself has variable speed, and a very smooth plunge action.
Milwaukee has also brought some smart technology to its batteries, most recently adding a six-pack sequential charger (item 48-59-1806) to help avoid downtime on the jobsite.
Speaking of saws, the new Striebig Standard S vertical panel saw from Colonial Saw (csaw.com) is a very smart machine that can be upgraded with the Comfort premium package that adds auto-locking support rollers, digital measuring for the Y-axis with motorized fine adjustment, pneumatic carriage clamping, and a laser cut line guide for horizontal cuts.
MEASURING AND MARKING
The T32261 is a smart caliper from Grizzly Industrial (grizzly.com) that can connect to most Bluetooth-enabled devices such as smartphones, tablets, and computers. Simply press the data button to output measurement data to most writeable programs and apps. It can measure up to 6” (150 mm), which is perfect for highly accurate readings on mold
ings, stiles and rails, turnings, mortises and other onsite details. The extra-large LCD readout can switch between inches, millimeters, and fractional displays with just the push of a button.
Woodcraft Supply (woodcraft.com) and other catalog houses carry the Sjöberg Smart Vise, which lets a woodworker add a premium two-bar screw vise to any surface such as a table or workbench. Reasonably priced, it can add the option of shop stability to a jobsite location.
Another smart-in-the-old-fashioned-way device has been introduced by True Position Tools (truepositiontools.com). Called the Cabinet Plumbing Jig, it lets an installer accurately locate pipes that lie behind kitchen bases and other units. What’s clever here is that it lets the woodworker mark where drains and feeds need to come through the back of the cabinet without having to use a tape measure, eyeball, or even educated guesses. The jig won a Visionary Award at AWFS 2023.
Red House Tools (redhousetools.com) offers a range of miter saw stations called EZ-Wings that convert the portable tool into a very precise machine. It can support very long work, but breaks down to fit in a carrying bag. There are all kinds of clever T-track accessories, and the stations’ precision adjustment lets the operator dial in the wings to be a seamless extension of the existing miter saw platform.
Even small smart improvements can make life easier. For example, Maksiwa’s new Platinum sliding panel saw (maksiwa.com) has added a digital rip fence readout with micro adjustment that can mean the difference between good and perfect.
SATA’s new nozzle finder app (sata.com) makes it easy to select the right nozzle for the SATAjet X 5500 gun. There is a large variety of very precisely calibrated X nozzles that can adapt the coating process to various circumstances.
After participating in a recent webinar on cybersecurity, sponsored by Association of Woodworking & Furnishings Suppliers, I started thinking about the security of my school’s CNC router controllers.
I teach at a community college with a robust CNC curriculum. We have three controllers, with two running Windows and one running Linux operating systems. They are connected to the school’s computer network, which is managed by the school’s IT department.
If there are problems, the IT Department will take the lead in resolving the issues. And that’s important because a school environment presents unique risks. Students often take G-code to the controller on their USB thumb drive, for example, which could contain malicious software. But the IT department is on top of that, configuring the computers so only it can install software.
So, while the cybersecurity risks are under control at the school, I do not have the same confidence with respect to my personal shop and CNC router. I suspect my situation is similar to many small- and mid-sized shops that do not have the benefit of an IT department.
My shop’s CNC router controller does not run anti-virus software nor does it receive regular operating system or application updates to address cybersecurity vulnerabilities. These are ‘red flags’, according to the webinar’s experts, and certainly not best practices for general purpose computers. I’ve made some recent changes to minimize the risks.
Step one was to minimize the pathways for malevolent software to access my controller. It’s now disconnected from my network and I’m using a dedicated USB thumb drive to transfer G-code. On the computers used for design work, I now use a Virtual Private Network (VPN) to connect over the internet. I have installed and run antivirus software. My network uses a firewall and I have a browser extension that warns me when sites appear to have malevolent features. I use Multi-Factor Authentication whenever it is available. And I take advantage of cybersecurity training and use that knowledge to avoid phishing emails and texts. But other dangers lurk:
REMOTE ACCESS
It is common for CNC providers to have authorized command of a controller on a service call over the internet to the controller. While this is an incredibly effective way to fix whatever problem you’re having, it also presents a serious vulnerability that needs to be carefully managed. This requires that the controller be connected to the network.
Remote access is made possible by software that’s loaded onto your controller. It’s a gateway to typing commands, uploading and downloading files, and pretty much anything else.
The first line of defense, as mentioned earlier, is to leave the network cable unplugged. However, to enable remote support, I must plug that cable in and allow the controller to attach to the network.
The second line is to leave that software turned off except when you can authorize and monitor what is being done. That is easier said than done. The remote access software installed by my controller’s manufacturer is capable of “unattended access” and it appears to me that it may be “on” in the background all the time. I have not enabled “unattended access” and do not plan to do that.
When a technician I know from the manufacturer asks for remote access, I must give them an ID and password. When we are done working with the controller, I terminate the session. I also unplug the network cable. It would be bad practice to leave that virtual network door open.
LOCAL ACCESS
It would be a mistake to pay close attention to guarding against risks involved with remote access and then ignore the risks associated with local access. The IT professionals call these measures access control, which is managing who can do what on a computer.
A very old form of access control is a locked door. We can be careful about who has physical access to the controller. This is also useful and necessary with respect to all the other assets in the shop. A padlock on a main power disconnect is another way to limit access to those who are authorized. We have padlocks on the main power disconnects for the CNC routers at the school along with lists documenting who is authorized to check out the keys.
Some controllers use passwords to manage access to the controller, but many do not. Some controllers have passwords or other means to determine who can perform advanced tasks. This is analogous to “Administrator” permissions on a Windows PC. These may be created by the machine’s OEM for use by its service personnel.
For example, my controller has a “Run/Setup” mode key. In Run, changes made by an operator are not persistent and are reset the next time the controller is powered up. Setup is used by trained personnel to make permanent changes to the configuration of the controller. If you leave the controller in Run mode and remove the key, this will prevent unauthorized changes to the controller.
Once upon a time, wireless routers and modems shipped with default usernames and passwords. A common combination was the username ADMIN and password ADMIN. The manufacturer advised and assumed that the user would change the username and password. Often, that did not happen. It is important to establish unique passwords where recommended.
BACK IT UP
If all else fails and I am subject to a successful cybersecurity attack, what then? The most useful asset at that moment is likely to be the fact that all my eggs were not in the same basket. That is the value of backups. Back
ups are copies of computer data. Ideally, I will have backups from different points in time. In addition, I will have backups on different devices and stored in separate locations.
Backups for personal computers and servers are a bit different than for a controller. For personal computers and servers there are many backup software and hardware solutions that will keep copies of files on an external hard disk. There are also services that will periodically store copies of files to the Cloud. These approaches offer protection in case of computer hardware failure, such as a hard disk drive crash. They also offer protection in the event of a disaster like a fire or flood.
Backing up a controller may be a proprietary process developed by the manufacturer. These backups are often used when making changes to a controller’s configuration to enable a “roll back” to a prior configuration when the changes result in undesired behaviors.
If controller backups are made to a removable device such as a USB thumb drive, they can be stored in a different location. I’m unaware of an automated backup process for controllers.
MANAGING RISKS
Woodworking and woodshops involve many risks and hazards. Sharp tools, machinery, airborne dust, toxic chemicals, and so on. As we incorporate computers into our business and our processes, we are taking on cybersecurity risks. As with all the other risks we have been accustomed to dealing with, we can manage the risks if we learn how to minimize and mitigate them. As with all those other risks, we ignore them at our peril.
If I were running a business, I would want to discuss cybersecurity coverage with my insurance agent. To be proactive, I would also look into companies that provide cybersecurity services for a fee. These companies assess a client’s existing cybersecurity posture, recommend best practices, and assist in implementing those best practices. They can also help in the event of a cybersecurity breach.
Ted Bruning is a part-time instructor in the Fine Woodworking program at Red Rocks Community College.
“I suspect my situation is similar to many small- and mid-sized shops that do not have the benefit of an IT department.”