Slightly off topic, but I'm working in that field, and those high-end CNCs run nothing more elaborate than Windows XP.
They do ship some Linux distro, but that's very seldom, much more so than... Windows NT4.
The CNC must be reachable from the programmers' computers as well as from the remote connections that manufacturers sell as maintenance.
Needless to say, it's a nightmare for any decent CISO.
Of course the CNC manufacturers don't make it easy nor encourage the installation of third-party security tools.
Very big companies spend a lot of time thinking about how to secure such machines on their network without touching the OS, and I've not yet heard of someone having found a simple and powerful security policy (not involving a complex VLAN implementation).
The result is that, with some hacker abilities and a known target, one could worm their way through the CNC OS of a lot of companies who don't know nor want to secure their network.
If a fellow colleague working on the manufacturer side happens to read this comment, I would be happy to push the discussion further.
How exactly are they setting this up that it's complex? Isolated VLANs with VPN access are a routine solution to this kind of problem. A decent network engineer would probably have it done before you finish telling him what you want.
(If instead of a decent network engineer, I had to do it, I'd just be finding the password for the switch I hadn't logged into for a year. The configuration would be done about 15 minutes later.)
From my experience, there's a tremendous lack of decent network engineers in those companies (mechanical industry, family business, ...).
Devil's advocate: people in charge of IT stuff there are project or support guys, almost never network engineers. Either they don't care about serious security or they simply have no clue how they should do it. And when they outsource their IT security, they're so bad at choosing that the solution implemented is worse than doing nothing.
When I have the chance to chat with them about those subjects, the common position is almost always "we don't get why the machine manufacturer doesn't sell us a secured solution".
Same for medical equipment. The Windows XP EOL is a major problem because all of this kit has been "certified" to run with XP, and re-certification is costly.
There might be a market for a $50-100, two-port firewall/DMZ solution built on one of these ARM chips:
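One concrete form of the two-port box described above, as an added example that is not from this thread: an nftables ruleset for a transparent Linux bridge sitting inline between the plant network and the controller, so the XP install itself is never touched. Interface names, addresses, the two service ports and the requirement of a kernel with bridge conntrack (`nf_conntrack_bridge`, Linux 5.3+) are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread. Assumed layout: eth0 faces the plant
# network, eth1 faces the CNC only, both enslaved to bridge br0 on the
# firewall box. All addresses below are constructed placeholders.
define CNC_IP      = 192.0.2.50       # controller behind eth1
define PROGRAMMERS = 10.10.20.0/24    # CAM workstations that push programs
define VPN_GW      = 10.10.99.1       # concentrator used for vendor maintenance

flush ruleset

table bridge cncguard {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # ARP must cross the bridge or nothing on either side can talk.
        ether type arp accept

        # Return traffic for sessions the rules below already allowed
        # (needs nf_conntrack_bridge, assumed present).
        ct state established,related accept

        # Programmers may open the program-transfer port (assumed SMB) only.
        iifname "eth0" oifname "eth1" ip saddr $PROGRAMMERS ip daddr $CNC_IP \
            tcp dport 445 ct state new accept

        # Vendor maintenance only from the VPN concentrator, RDP only (assumed).
        iifname "eth0" oifname "eth1" ip saddr $VPN_GW ip daddr $CNC_IP \
            tcp dport 3389 ct state new accept

        # The controller may not initiate anything toward the plant network,
        # so a compromised XP box cannot worm outward; log each attempt.
        iifname "eth1" oifname "eth0" counter log prefix "cnc-outbound-drop " drop

        # Everything else: count, log for the SOC, drop.
        counter log prefix "cnc-inbound-drop " drop
    }
}
```

Load with `nft -f` on the bridge box and watch the two log prefixes; the outbound-drop counter is the one that should stay at zero on a healthy controller.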