Safe injection molding machines in the era of remote access
21.05.2020
The protective measures dictated by the COVID-19 pandemic force companies to limit the number of persons present on the production floor to an absolute minimum. To ensure fully automatic and efficient production in spite of this, an ideal solution is to combine a small number of workers on site with colleagues working from home offices via remote access to the machinery. More and more companies are discovering and increasingly using the option of accessing machines from outside the corporate premises. Many machine control systems, though, were not designed for this type of use at the time they were developed and are consequently susceptible to malware infection and misuse through cyber attacks.
However, the latest generation of WITTMANN BATTENFELD injection molding machines with B8 control and WITTMANN 4.0 option has been developed for safe remote access with the help of an optimized firewall and many extra safety features, and thus offers a high level of cyber security.
The WITTMANN 4.0 option extends the UNILOG B8 machine control system by a separate production cell control system (the WITTMANN 4.0 Router), which performs various communication tasks as well as protective functions. One of these functions is the external firewall, which has been optimized for operation with injection molding machines.
In this way, the WITTMANN 4.0 Router shields the machine’s control system from the outside world. Unlike office PCs, injection molding machine control systems cannot normally be upgraded automatically to the latest operating system software and be equipped with the most recent security patches. An update would first have to go through an elaborate, time-consuming verification process carried out by the manufacturer. As a result, malware can in the meantime exploit security gaps in the operating systems of machine control systems which are already known but not yet closed. One possible scenario is the misuse of machine control systems for denial-of-service (DoS) attacks, which in the worst case will cause control system failure and thus production standstill.
The WITTMANN 4.0 Firewall has been optimized for the typical use of an injection molding production cell (restrictive firewall). As standard, virtually all ports that are not dedicated to essential external communication of the injection molding machine and the appliances connected to it are closed. The expressly permitted communication processes are also subject to continuous plausibility testing (intrusion detection). If the communication volume exceeds the typical volume of data to be expected, this could point to a DoS attack, which is then stopped by immediate counteraction.
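The two checks described above, a default-deny port allowlist followed by a volume plausibility test on the permitted traffic, shown as an added Python example that is not WITTMANN's code or configuration. The allowed port (4840, the registered OPC UA TCP port), the window length, the baseline volume, the tolerance factor and the sample flows are all assumptions constructed for illustration; the example only flags suspicious windows and does not implement the counteraction.

```python
from collections import defaultdict

# Assumed values for illustration only; the page names no ports or volumes.
ALLOWED_PORTS = {4840}     # 4840 is the IANA-registered OPC UA TCP port
WINDOW_SECONDS = 10
BASELINE_BYTES = 50_000    # constructed "typical" volume per source and window
TOLERANCE = 3.0            # flag a window above 3x the baseline


def evaluate(flows, allowed=ALLOWED_PORTS, baseline=BASELINE_BYTES,
             tolerance=TOLERANCE, window=WINDOW_SECONDS):
    """Apply default-deny, then a per-source volume plausibility check.

    flows: iterable of (timestamp_s, src_ip, dst_port, n_bytes).
    Returns (dropped, alerts): flows rejected by the allowlist, and
    (src_ip, window_start, total_bytes) for windows over the limit.
    """
    dropped = []
    volume = defaultdict(int)
    for ts, src, port, n_bytes in flows:
        if port not in allowed:            # restrictive firewall: closed port
            dropped.append((ts, src, port))
            continue
        window_start = int(ts // window) * window
        volume[(src, window_start)] += n_bytes
    limit = baseline * tolerance
    alerts = sorted((src, start, total)
                    for (src, start), total in volume.items() if total > limit)
    return dropped, alerts


# Constructed sample traffic (documentation address ranges, RFC 5737).
SAMPLE_FLOWS = [
    (0.5, "192.0.2.10", 4840, 12_000),    # normal permitted request
    (3.0, "192.0.2.10", 4840, 15_000),
    (4.2, "198.51.100.7", 445, 900),      # port not on the allowlist
    (11.0, "203.0.113.5", 4840, 90_000),  # burst on a permitted port
    (12.5, "203.0.113.5", 4840, 80_000),
    (19.9, "203.0.113.5", 4840, 10_000),  # window total 180_000 > 150_000
    (21.0, "192.0.2.10", 4840, 14_000),
]

if __name__ == "__main__":
    dropped, alerts = evaluate(SAMPLE_FLOWS)
    print("dropped:", dropped)
    print("alerts:", alerts)
```

The burst is caught even though it uses a permitted port, which is the case a port allowlist alone does not cover.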
Another security aspect is the aggregation of the OPC-UA servers of the injection molding machine and the auxiliary appliances in the WITTMANN 4.0 Router. Communication between an external data client and the actual appliance or the injection molding machine within the production cell therefore takes place exclusively via an aggregation server in the WITTMANN 4.0 Router. All requests from external clients are dealt with directly inside the router without being passed on to the physical appliances.
The WITTMANN 4.0 Router is equipped with a secure boot process which allows automatic updating of the operating system as long as the respective update has a certificate from WITTMANN. This prevents the installation of fake updates on the hardware which could be capable of circumventing all kinds of security mechanisms.
It must be expected that machines will increasingly need to be accessible from outside in future. This makes it all the more important to have secure access to entire production cells, such as the access provided by the WITTMANN BATTENFELD UNILOG B8 control system in combination with the WITTMANN 4.0 Router.