McAfee Embedded Control Helps Amada Protect its Sheet Metal Processing Machinery

All our products ship with McAfee Embedded Control as standard
How is Amada currently making use of McAfee Embedded Control?

All Amada Windows-equipped sheet metal processing machinery ships with McAfee Embedded Control (MEC) whitelisting antivirus software as standard.[1] We shipped approximately 1,500 machines equipped with MEC domestically and internationally in the six months starting January 2011.

We are also going the extra mile and offering an after-sale MEC implementation service for machines without MEC shipped before December 2010.

At Amada, the stable operation of our customer's machines is vitally important to us, so we hold that our products should ship with sufficient security measures.

User benefits of machines equipped with MEC
What has been the effect of equipping Amada sheet metal processing machinery with MEC?

Equipping MEC as standard lets us guarantee convenience to our factory users. They don’t need to worry about previously time-consuming viruses on long-life sheet metal processing machinery. There's no effort involved. Even if they forget about antivirus software operation, they’ll be fine.

We compared the characteristics of MEC as a whitelisting antivirus with blacklisting, to show why MEC is more suitable for sheet metal processing machinery.

[1] Proportion of models with MEC as standard: some models are not yet equipped with MEC due to the need to balance the timing of model updates.

Product comparison: blacklisting vs. whitelisting

Embedded systems using a built-in or legacy OS*
  Blacklisting (X): Assuming you can implement the latest antivirus on the latest OS, there are support restrictions for legacy or built-in OS in the long term.
  Whitelisting (☑): Does not need virus signatures to protect; can be used for long-term support of built-in and legacy OS.

Impact on performance of embedded systems with limited hardware resources
  Blacklisting (X): System load increases during virus signature updates or scanning; concern about performance degradation of active applications.
  Whitelisting (☑): No scanning; whitelist checking takes place when an application starts, preventing virus execution with low overhead.

Requirements on the user to manage the system
  Blacklisting (X): Virus signature updates and scans must be carried out daily; confirmation takes up operating man-hours.
  Whitelisting (☑): No operational demands on the user after registering applications in the whitelist.

* “Legacy OS” - OS no longer supported by the vendor.

Blacklisting antivirus puts the burden on the user to implement the latest antivirus software, update virus signatures and run scans, which makes it unsuited to long-life sheet metal processing machinery with limited hardware resources.

Whitelisting antivirus allows only authorised programs to run so viruses, as unauthorised programs, are not allowed to execute. This is far more suited to environments where only certain programs are operated, such as sheet metal processing machinery.

How does whitelisting antivirus protect a system from viruses?
Question to McAfee. Please give us a simple explanation of how whitelisting antivirus works.

Blacklisting, the most common antivirus method, works by finding malicious viruses (if it's black, don't let it through). McAfee Embedded Control whitelisting antivirus works by only allowing legitimate programs to run (if it's white, let it through).

A virus cannot infect the system environment just by entering it, it infects when it is executed. So if only legitimate programs are allowed to run, viruses cannot execute.

How are executing programs identified as authorised (white)?
The user registers programs as authorised (white) in advance. Then whenever a new program is run in the environment, it is identified as a registered and authorised (white) program or not, and execution is allowed or denied. The process in more detail is as follows.

  1. Prepare a clean image: First, create and prepare a 'clean' master disk containing only authorised programs which do not contain viruses, in other words applications that are safe to run.
  2. Create whitelist and register: Next, install MEC on this master disk and perform a scan to register the authorised (white) programs on the MEC whitelist. There's no complicated programming or parameter settings.
  3. Start whitelist virus protection: Deploy the master image with MEC into the environment and activate the MEC functionality. From now on the resident MEC module hooks into programs before they run, checks what is registered on the whitelist, and determines if the program is authorised or not (if it is white or black, if it is registered on the list or not). White programs are allowed to execute, black programs are denied.
  4. Update whitelist: The whitelist must be updated if applications are updated or added. The MEC whitelist can be automatically updated with authorised update services which distribute updates with digital signature security, via Windows Update, etc. but only when a manager or authorised user approves the update (temporarily unlocks MEC).

Whitelisting removes the need for virus signatures to detect new 'black' programs which appear on a daily basis. And there is also no need to spend management man-hours updating virus signatures or running virus scans.

“You don't need to look after it.” “You can use it on an old OS too.” “It doesn't interfere with manufacturing activities.”
What are the merits of whitelisting from Amada's point of view?

“Whitelisting suits sheet metal processing machinery.”

Mr Naoto Okada
AMNC Automation Software Development Department

I believe the merits of whitelisting from the point of view of Amada's customers (factory users) are as follows.

Merit 1: No additional antivirus management requirements - you don't need to look after it
With blacklisting, you are not protected against the latest viruses unless you continually update the virus signatures (or the version of the antivirus software itself). This complicated antivirus management does not fit in with the production environment of the factory floor. Whitelisting does away with this antivirus management and allows everyone in the factory to concentrate on production activities.

Merit 2: Antivirus does not interfere with sheet metal processing machinery operation
With blacklisting, resident virus checking or download of virus signatures can start while the sheet metal processing machinery is under high operating load, hindering the machine's operation. With whitelisting, checking only takes place when a program runs so there is no such interference.

Merit 3: Allows long-term software use
As I see it, the life expectancy of a software product is 2-3 years. It moves in a cycle of continuously updating to the latest technology, constantly updating to the latest version, and urgently applying patches where something is missing. But once sheet metal processing machinery is purchased, it can be used for many years. The thinking here is that safety comes first, mature technology is best, and that the machinery will continue to be used so long as it still works.

Whitelisting, as explained by McAfee, allows continuous and stable use of a legacy OS. Whitelisting antivirus is suited to the values of the manufacturing industry.

Even if you say the customer doesn't have to look after the sheet metal processing machinery, Amada might update its machine control program during the five or ten years it is in use. How is the whitelist updated in this case?

MEC offers a number of whitelist update methods, and at Amada we use the digital signature security method.

We provide all applications installed on Amada equipment, so the entire series is signed by Amada. Further, we are putting a policy in place which will allow updates for our signed applications to be pre-registered in the whitelist.

This will allow service personnel to follow the same update process as before, but in the background MEC will check digital signatures, prevent unauthorised programs from entering the system, and update only our software. Basically, providing MEC means we don't have to impose additional tasks on our service personnel and our customers have no concerns about security being lowered during software updates.
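The four-step whitelist process described earlier and the digital-signature update method described here, modelled in Python as an added example (this is not Amada's or McAfee's code; the clean image, file paths and the HMAC-based stand-in for the vendor's code signature are all constructed assumptions):

```python
import hashlib
import hmac

# Constructed sample "clean master image" (step 1): path -> file contents. A dict stands
# in for the prepared disk so the example runs offline.
CLEAN_IMAGE = {
    "C:/Amada/AMNC/control.exe": b"AMNC control program v1",
    "C:/Windows/System32/notepad.exe": b"notepad",
}
# Assumed placeholder for the vendor's signing key. HMAC-SHA256 stands in for a real
# public-key code signature so the example needs only the standard library.
VENDOR_SIGNING_KEY = b"vendor-signing-key-placeholder"


def build_whitelist(image):
    """Step 2: scan the clean image and record a SHA-256 digest per authorised file."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in image.items()}


def may_execute(whitelist, path, data):
    """Step 3: pre-execution hook. Run only if the path is registered AND the contents
    still match the registered digest; unregistered or tampered binaries are denied."""
    return whitelist.get(path) == hashlib.sha256(data).hexdigest()


def sign_update(data):
    """Vendor side: sign a new program version before it is distributed."""
    return hmac.new(VENDOR_SIGNING_KEY, data, hashlib.sha256).hexdigest()


def apply_signed_update(whitelist, path, data, signature):
    """Step 4, digital-signature method: register a new version only if its signature
    verifies against the trusted vendor key. The installer is run as usual; the check
    happens in the background, and an unsigned file leaves the whitelist unchanged."""
    if not hmac.compare_digest(sign_update(data), signature):
        return False
    whitelist[path] = hashlib.sha256(data).hexdigest()
    return True


def scenario():
    """A file that merely enters the system does no harm: a worm dropped from USB is
    refused by the hook, while a signed vendor update is accepted and then runs."""
    wl = build_whitelist(CLEAN_IMAGE)
    worm_blocked = not may_execute(wl, "E:/usb/autorun.exe", b"worm payload")
    v2 = b"AMNC control program v2"
    update_ok = apply_signed_update(wl, "C:/Amada/AMNC/control.exe", v2, sign_update(v2))
    return worm_blocked, update_ok, may_execute(wl, "C:/Amada/AMNC/control.exe", v2)
```

Note that the hook compares contents, not just names, so a registered path whose binary has been altered is treated as 'black' until a properly signed version is registered.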

Why Amada is improving security for sheet metal processing machinery
Tell us why Amada is so serious about improving security for sheet metal processing machinery.

“As sheet metal processing machinery becomes networked, it needs better security.”

Mr Go Iwano
AMNC Automation Software Development Department

Broadly speaking, sheet metal processing machinery became increasingly computerised and networked after around 1995, making it much more convenient and productive. After that, maybe around 2004, the threat of viruses came to light as a side-effect of computerisation and networking and Amada started to concentrate on the security of its products.

Sheet metal processing machinery was previously operated by button or lever, with no computer involved. (There was no need to worry about computer security for sheet metal processing machinery at that time.)

In the 1990s, the problem of how to retain the know-how of experienced technicians who were about to retire from the factories came to the fore. One solution was to create a database with the innate knowledge of those experienced technicians and to use that database (program) for easy and high-quality manufacturing, so we concentrated on that.

Computerisation first took hold in the research and development department, followed by digitisation for design drawings thanks to CAD. To keep up with these developments, sheet metal processing machinery needed an interface to accept data, and the control systems of sheet metal processing machines were equipped with computers (Windows).

The manufacturing industry became more and more computerised. Interconnected 'networked' sheet metal processing machinery soon became the norm, and it provided great increases in productivity and convenience inside factories.

However, as networking increased inside factories there was also an increased security risk of viruses entering factories through data sharing via the internet or USB memory devices, and the need for increased security in factories became clear.

One example of problems caused by viruses in a factory that I have heard of is where a virus enters the factory via USB, then the virus itself sends attacking packets over the network in order to infect other machines, network performance deteriorates and system performance is affected.

Feeling the limitations of blacklisting countermeasures
How did Amada first respond to these security issues?

In the beginning, we recommended that our customers use blacklisting antivirus software as a countermeasure. Specifically, the process was as follows.

  1. We tested commercially available blacklisting antivirus software to confirm that it ran stably on our sheet metal processing machinery.
  2. We notified our customers that software we had tested was “Amada's recommended antivirus software”.
  3. Our customers purchased that antivirus software, installed it and used it.

But this method of using blacklisting antivirus software, as I've said previously, has the disadvantage that it takes up management man-hours for the customer (factory user). Further, we had the problem that as a new version of the blacklisting antivirus software was released every 1-2 years, and every time a new version came out we had to test it, we had to expend a lot of effort on testing.

We searched for a good method that could be used in place of blacklisting in order to circumvent these problems. As we searched, we found out about McAfee Embedded Control through a business contact. We understood from his explanation that whitelisting was perfectly suited to sheet metal processing machinery, and we started actively investigating it.

We tried to use the OS's basic functionality
Did you investigate other methods besides whitelisting?

We used to use the Enhanced Write Filter as a virus countermeasure in machines equipped with Windows Embedded. The filter function could be used to return the disk to its former state (a blank slate every time) when the machine was powered off and on again, even if a virus wrote to the disk.

But with this method, even if the machine could be returned to its previous state by being powered off and on again, viruses would remain active so long as the machine was switched on and could even infect other machines. Sheet metal processing machines by their very nature are in operation for long periods of time, so it's not unusual to have one switched on for six months at a time. So, using this method, a virus could be active for six months. Due to these and other problems, we searched for another countermeasure. That was when we started to investigate whitelisting.

At that time the only whitelisting products were MEC and a product from another company. We investigated both products and compared them, and MEC was superior in terms of specifications, functionality and performance, so we adopted it and that decided our basic policy. Afterwards, we carried out testing on all of Amada's Windows-equipped products. Whenever problems arose during the testing process, McAfee made corrections and amendments for us.

After about 12 months of testing, we confirmed that MEC satisfied our product requirements, and in October 2010 we decided to provide it as standard on our products.

In the six months between the first products shipping in January 2011 and now, we have achieved the guaranteed security without effort for our customers that I mentioned at the beginning.

Future expectations
What are you expecting from McAfee in the future?

“We expect continuous technical support and superior product capability.”

Mr Naoyasu Narita, Manager
AMNC Automation Software Development Department

By equipping Amada's products with MEC we have provided a countermeasure for our customers against the security threats which form the dark side of computerisation, without imposing additional effort on them. Amada will continue to develop products that provide both convenience and security for our customers. We hope that McAfee will continue to help us increase the security of our sheet metal processing machinery through its superior product capability and technical support. We look forward to continued collaboration with McAfee.

Amada

Customer profile
Amada is a typical Japanese comprehensive manufacturer of metalworking machinery and devices, providing products globally with over 50% of sales coming from overseas locations in North America, Europe, China, and South-east Asia.

Industry
Manufacturing

IT environment
The sheet metal machinery industry is increasingly computerized. Interconnected 'networked' sheet metal processing machinery is the norm, and it provides great increases in productivity and convenience inside factories.

Challenges
  • Unauthorized software changes on production devices
  • Frequent, costly OS patching
  • Traditional AV solution is resource intensive

McAfee solution
  • McAfee Embedded Control

Results
  • Protects Amada machinery and allows for long-term software use