We Can’t Replace Our CNC Machine Because the Software Is Too Old: Managing Legacy Equipment on Modern Networks
Your CNC machine cost $800,000 when you bought it fifteen years ago. It still runs perfectly, producing parts to exact specifications day after day. The problem? It’s running on Windows XP, hasn’t been updated in years, and your IT security audit just flagged it as a critical vulnerability.
The vendor says they can’t support it anymore. Upgrading the software would require replacing the entire control system at a cost that makes buying a new machine look reasonable. But the machine works. You’re getting ROI from it. The parts it produces are good.
So now you’re stuck between a rock and a hard place: keep running vulnerable legacy equipment or spend hundreds of thousands of dollars replacing something that isn’t actually broken.
This isn’t unique to CNC machines. We see this with everything from injection molding machines to laser cutters to automated assembly equipment. And while there’s no perfect solution, there are strategies to manage legacy CNC machine network security without breaking the bank.
Why Legacy Equipment Creates Security Problems
The security issues with older manufacturing equipment aren’t always obvious. The machine itself might be mechanically sound and functionally perfect. But from an IT security perspective, it’s a liability.
- Outdated operating systems. That Windows XP system isn’t getting security patches anymore. Any vulnerability discovered today will never be fixed. Attackers know this and specifically target older systems.
- Obsolete control software. The CNC control software might have security flaws that were acceptable when it was designed, but are glaring weaknesses today. No username requirements. No encryption. Default passwords that can’t be changed.
- No security features. Modern industrial equipment often includes security capabilities: encrypted communications, authentication, and audit logging. Equipment from 10+ years ago was designed when “security” meant a key lock on the cabinet.
- Connectivity requirements. Even if the machine was originally standalone, you probably need it connected to your network now. Maybe you’re uploading programs from a CAD system. Maybe you’re pulling production data for your MES. Maybe technicians need remote access for troubleshooting.
The combination of vulnerable systems and network connectivity creates risk. Not theoretical risk, real risk that ransomware or other malware could reach these systems and disrupt production.
The Math That Makes Replacement Difficult
From a pure security perspective, the answer is simple: replace the vulnerable equipment. But the economics rarely work out that way.
Let’s say your CNC machine is fully depreciated. It’s mechanically sound and will run for another 10 years. To replace it with a modern equivalent would cost $600,000-900,000.
Alternatively, you could potentially upgrade just the control system for $150,000-250,000. But then you need to:
- Take the machine down for an extended period during installation
- Retrain operators on the new interface
- Re-prove all your existing programs
- Deal with the inevitable bugs and issues that come with any major upgrade
- Hope that the retrofit doesn’t introduce mechanical or electrical problems
Neither option is attractive when the machine currently works fine. But leaving it connected to your network with known vulnerabilities isn’t attractive either.
Strategy 1: Network Isolation
The most straightforward approach is to isolate legacy equipment on its own network segment that has very limited connectivity to the rest of your infrastructure.
This doesn’t mean completely disconnecting it. It means creating a separate network zone with strict firewall rules about what can communicate with what.
What this looks like in practice:
- Legacy CNC machines go on their own VLAN
- Firewall rules allow only specific, necessary communications (like receiving program files from a designated workstation)
- No internet access for these machines
- No general network access from other systems
- Monitoring is in place to detect any unexpected network traffic
The advantages:
- Relatively low cost to implement
- Doesn’t require replacing equipment or upgrading control systems
- Significantly reduces attack surface
- Can be done without taking machines out of production
The limitations:
- Makes remote access more complicated
- May require changes to how files are transferred or data is collected
- Requires ongoing discipline to maintain the isolation (not creating exceptions that bypass security)
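A concrete way to keep the isolation honest is to drive both the firewall and the monitoring from one allowlist, so the "strict firewall rules" and the "detect unexpected traffic" bullets above can never drift apart. The following is an added example, not code from the original article or any vendor; the addresses, the VLAN layout, the port numbers (program upload over FTP, status reporting over syslog) and the flow-log format are all constructed for illustration.

```python
"""Allowlist policy for a legacy-CNC VLAN.

Added example, not taken from the article: one policy object both generates the
firewall rule set and classifies observed flows. Addresses, VLAN layout, port
numbers and the flow-log format are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the example.
LEGACY_VLAN = ipaddress.ip_network("10.50.0.0/24")      # CNC controllers only
CAM_WORKSTATION = ipaddress.ip_address("10.10.5.20")    # the one box allowed to push programs
DATA_COLLECTOR = ipaddress.ip_address("10.10.5.30")     # receives production data


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    dport: int
    comment: str


def host(ip):
    """Single-address network, so hosts and subnets share one matching path."""
    return ipaddress.ip_network(f"{ip}/32")


# Only these flows may cross the VLAN boundary; the default is drop. The port
# numbers are assumptions (program transfer over FTP, status over syslog).
ALLOW = [
    Rule(host(CAM_WORKSTATION), LEGACY_VLAN, "tcp", 21, "program upload from CAM workstation"),
    Rule(LEGACY_VLAN, host(DATA_COLLECTOR), "udp", 514, "production data / syslog to collector"),
]


def nftables_ruleset():
    """Render the allowlist as an nftables forward chain with a drop default."""
    lines = [
        "table inet legacy_cnc {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in ALLOW:
        lines.append(
            f"    ip saddr {r.src} ip daddr {r.dst} {r.proto} dport {r.dport} "
            f"accept comment \"{r.comment}\""
        )
    lines += ["  }", "}"]
    return "\n".join(lines)


def parse_flow(line):
    """Parse one constructed flow-log line: 'ts src=... dst=... proto=... dport=...'."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": ts,
        "src": ipaddress.ip_address(kv["src"]),
        "dst": ipaddress.ip_address(kv["dst"]),
        "proto": kv["proto"],
        "dport": int(kv["dport"]),
    }


def is_allowed(flow):
    """True if some allow rule matches the flow's endpoints, protocol and port."""
    return any(
        flow["src"] in r.src and flow["dst"] in r.dst
        and flow["proto"] == r.proto and flow["dport"] == r.dport
        for r in ALLOW
    )


def unexpected_flows(log_lines):
    """Return flows touching the legacy VLAN that the policy does not permit.

    Flows that never touch the VLAN are outside this boundary's scope."""
    found = []
    for line in log_lines:
        flow = parse_flow(line)
        touches_vlan = flow["src"] in LEGACY_VLAN or flow["dst"] in LEGACY_VLAN
        if touches_vlan and not is_allowed(flow):
            found.append(flow)
    return found


# Constructed flow-log sample (initiating direction only).
SAMPLE_FLOWS = [
    "2024-03-04T08:02:11 src=10.10.5.20 dst=10.50.0.11 proto=tcp dport=21",    # program upload: allowed
    "2024-03-04T08:05:40 src=10.50.0.11 dst=10.10.5.30 proto=udp dport=514",   # data to collector: allowed
    "2024-03-04T08:06:02 src=10.50.0.11 dst=203.0.113.10 proto=tcp dport=443", # controller reaching out: unexpected
    "2024-03-04T08:09:55 src=10.10.7.41 dst=10.50.0.12 proto=tcp dport=3389",  # office PC to controller: unexpected
    "2024-03-04T08:10:00 src=10.10.7.41 dst=10.10.5.20 proto=tcp dport=445",   # office to office: not this boundary
]

if __name__ == "__main__":
    print(nftables_ruleset())
    for f in unexpected_flows(SAMPLE_FLOWS):
        print(f"UNEXPECTED {f['ts']} {f['src']} -> {f['dst']} {f['proto']}/{f['dport']}")
```

Running it prints the generated rule set and then flags the two flows that should never appear: a controller talking outbound, and an office PC opening a desktop session to a controller. Because the same `ALLOW` list feeds both outputs, adding an exception to the firewall without it also appearing in the monitoring policy is no longer possible.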
Strategy 2: Jump Boxes and Controlled Access
If your legacy equipment needs regular access for programming, data collection, or monitoring, a jump box approach can provide that access while maintaining security.
A jump box is a hardened computer that sits between your general network and the legacy equipment network. Users connect to the jump box first, then access the legacy equipment from there.
How this works:
- The jump box runs current, patched software
- It has security software, logging, and monitoring
- All access to legacy equipment goes through it
- The jump box can filter and inspect traffic
- You can enforce authentication and access control at the jump box level, even if the legacy equipment doesn’t support it
The advantages:
- Provides secure access without modifying legacy equipment
- Creates an audit trail of who accessed what and when
- Can use modern authentication methods even with old systems
- Relatively cost-effective compared to replacement
The limitations:
- Adds a step for operators and programmers
- Requires maintaining an additional system
- Doesn’t eliminate all risk, just reduces it
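The audit-trail benefit above is only real if someone actually reads the jump box's logs against a policy. Here is an added example of that reconciliation, not code from the article or from any jump-box product: it replays constructed jump-box events (logins with an MFA result, onward connections, logouts) against a constructed user-to-machine entitlement table and reports both the clean trail of who reached which machine and every connection the policy does not allow.

```python
"""Jump-box audit trail: who reached which legacy machine, through which session.

Added example, not from the article. The log format, user names, machine names
and entitlements are constructed; the point is that the jump box is the one
place where user identity, MFA result and onward connection meet.
"""

# Constructed inventory and entitlements: which users may reach which machine.
MACHINE_BY_IP = {"10.50.0.11": "cnc-01", "10.50.0.12": "cnc-02"}
ENTITLED = {"jsmith": {"cnc-01"}, "rpatel": {"cnc-01", "cnc-02"}}


def parse_event(line):
    """'ts EVENT key=value ...' -> dict with ts, kind and the key/value fields."""
    ts, kind, *fields = line.split()
    event = {"ts": ts, "kind": kind}
    event.update(f.split("=", 1) for f in fields)
    return event


def audit(log_lines):
    """Replay jump-box events in order. Returns (trail, violations).

    trail: accepted onward connections as (ts, user, source host, machine)
    violations: (ts, user, reason) for anything the policy does not allow
    """
    active = {}                 # user -> source address of an MFA-verified session
    trail, violations = [], []
    for line in log_lines:
        ev = parse_event(line)
        user = ev["user"]
        if ev["kind"] == "LOGIN":
            if ev.get("mfa") == "ok":
                active[user] = ev["src"]
            else:
                violations.append((ev["ts"], user, "login without successful MFA"))
        elif ev["kind"] == "LOGOUT":
            active.pop(user, None)
        elif ev["kind"] == "CONNECT":
            machine = MACHINE_BY_IP.get(ev["dst"], ev["dst"])
            if user not in active:
                violations.append((ev["ts"], user, f"connect to {machine} with no verified session"))
            elif machine not in ENTITLED.get(user, set()):
                violations.append((ev["ts"], user, f"not entitled to {machine}"))
            else:
                trail.append((ev["ts"], user, active[user], machine))
    return trail, violations


# Constructed jump-box log for one morning.
SAMPLE_LOG = [
    "2024-03-04T07:58:10 LOGIN user=jsmith src=10.10.7.41 mfa=ok",
    "2024-03-04T07:59:02 CONNECT user=jsmith dst=10.50.0.11 port=21",    # allowed
    "2024-03-04T08:03:47 CONNECT user=jsmith dst=10.50.0.12 port=21",    # jsmith not entitled to cnc-02
    "2024-03-04T08:10:00 LOGIN user=tlee src=10.10.7.55 mfa=failed",     # MFA failed
    "2024-03-04T08:10:09 CONNECT user=tlee dst=10.50.0.11 port=3389",    # no verified session
    "2024-03-04T08:30:00 LOGOUT user=jsmith",
    "2024-03-04T08:31:12 CONNECT user=jsmith dst=10.50.0.11 port=21",    # session already closed
    "2024-03-04T09:00:00 LOGIN user=rpatel src=10.10.7.60 mfa=ok",
    "2024-03-04T09:01:30 CONNECT user=rpatel dst=10.50.0.12 port=21",    # allowed
]

if __name__ == "__main__":
    trail, violations = audit(SAMPLE_LOG)
    for ts, user, src, machine in trail:
        print(f"OK        {ts} {user}@{src} -> {machine}")
    for ts, user, reason in violations:
        print(f"VIOLATION {ts} {user}: {reason}")
```

The entitlement check is what the legacy controller cannot do for itself: the machine will accept whoever reaches it, so the jump box has to be the place where "this user may touch cnc-01 but not cnc-02" is enforced and recorded.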
Strategy 3: Air Gap with Controlled Transfers
For equipment that doesn’t need constant connectivity, an air gap with controlled file transfer can provide good security.
The approach:
- Legacy equipment has no network connection at all
- Programs and updates are transferred via USB or other removable media
- The media is scanned and checked on a secure workstation before use
- Data extraction happens through controlled export processes
The advantages:
- Maximum security: attackers can’t reach what isn’t connected

- No ongoing network infrastructure costs
- Simple to understand and maintain
The limitations:
- Doesn’t work for equipment that needs real-time data collection
- Manual file transfer is time-consuming and error-prone
- Removable media can itself introduce malware
- Makes remote support difficult or impossible
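Because removable media can itself carry malware, the "scanned and checked on a secure workstation" step above benefits from an integrity check that the import station at the machine can verify on its own. The following is an added example, not code from the article or from any vendor tooling: the secure workstation writes a manifest of file hashes authenticated with an HMAC key shared with the import station, and the import station accepts only files that appear in the manifest, match their hash, carry an allowed program extension and look like plain-text G-code. The key, file names, file contents and the allowed-extension list are all constructed assumptions.

```python
"""Controlled removable-media transfer for an air-gapped controller.

Added example, not from the article. The secure workstation writes a manifest
(file hashes, authenticated with an HMAC key shared with the import station at
the machine); the import station accepts only files that match it, carry an
allowed extension and look like plain-text G-code. Key, file names and contents
are constructed for the example.
"""
import hashlib
import hmac
import json

ALLOWED_EXTENSIONS = (".nc", ".ngc", ".txt")   # assumption: program files only, never executables


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def sign(file_hashes, key):
    """HMAC over a canonical JSON form of the name -> hash table."""
    canonical = json.dumps(file_hashes, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_manifest(files, key):
    """Run on the secure workstation. files is {name: bytes}."""
    hashes = {name: sha256_hex(data) for name, data in files.items()}
    return {"files": hashes, "sig": sign(hashes, key)}


def looks_like_gcode(data):
    """Printable ASCII with line breaks only; rejects binaries hiding under a .nc name."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    return all(c.isprintable() or c in "\r\n\t" for c in text)


def verify_transfer(media_files, manifest, key):
    """Run on the import station. Returns (accepted names, {name: reason rejected})."""
    expected = manifest["files"]
    if not hmac.compare_digest(sign(expected, key), manifest["sig"]):
        # A forged or edited manifest means nothing on the media can be trusted.
        return [], {name: "manifest signature invalid" for name in media_files}
    accepted, rejected = [], {}
    for name, data in media_files.items():
        if name not in expected:
            rejected[name] = "not in manifest"
        elif not name.lower().endswith(ALLOWED_EXTENSIONS):
            rejected[name] = "extension not allowed"
        elif not looks_like_gcode(data):
            rejected[name] = "not plain-text G-code"
        elif not hmac.compare_digest(sha256_hex(data), expected[name]):
            rejected[name] = "hash mismatch"
        else:
            accepted.append(name)
    for name in expected:
        if name not in media_files:
            rejected[name] = "listed in manifest but missing from media"
    return accepted, rejected


# Constructed data: key, programs approved on the secure workstation, and what
# actually turned up on the USB stick at the machine.
KEY = b"constructed-shared-key-not-for-production"
PROGRAMS = {
    "PART123.nc": b"%\nO1234 (PART123)\nG21 G90\nG0 X0 Y0\nM30\n%\n",
    "FIXTURE.nc": b"%\nO2000 (FIXTURE)\nG21 G90\nM30\n%\n",
}
MANIFEST = build_manifest(PROGRAMS, KEY)

MEDIA = dict(PROGRAMS)
MEDIA["FIXTURE.nc"] = PROGRAMS["FIXTURE.nc"].replace(b"G21", b"G20")   # changed after approval
MEDIA["autorun.inf"] = b"[autorun]\nopen=setup.exe\n"                   # never approved

if __name__ == "__main__":
    accepted, rejected = verify_transfer(MEDIA, MANIFEST, KEY)
    print("accepted:", accepted)
    for name, reason in rejected.items():
        print(f"rejected: {name}: {reason}")
```

The altered FIXTURE.nc is caught by its hash (the manifest was built before the change), and the stray autorun.inf is rejected simply for not being on the list, without needing a signature for it. The G-code check is a cheap second opinion, not a substitute for the scan on the secure workstation.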
Strategy 4: Virtual Patching and Deep Packet Inspection
For critical legacy equipment that needs more connectivity, network-based security can provide protection that the equipment itself lacks.
What this involves:
- Industrial firewalls with deep packet inspection
- Virtual patching that blocks known exploits at the network level
- Intrusion detection systems that watch for unusual behavior
- Network-based antivirus and malware scanning
The advantages:
- Protects without modifying legacy equipment
- Can detect and block attacks in real-time
- Works even with equipment that can’t run security software itself
The limitations:
- More expensive than simple network segmentation
- Requires specialized industrial security equipment and expertise
- Can introduce latency or connectivity issues if not configured properly
- Doesn’t protect against all threats, particularly insider threats or physical access
The Practical Approach: Defense in Depth
The reality is that no single approach completely solves the legacy equipment security problem. The best strategy uses multiple layers:
- Layer 1: Network Segmentation. Isolate legacy equipment from your general network and from the internet.
- Layer 2: Access Control. Control and monitor who can access these systems and how. Use jump boxes or VPN with strong authentication.
- Layer 3: Monitoring. Watch for unusual network activity, unauthorized access attempts, or changes to system configuration.
- Layer 4: Backup and Recovery. Have a plan to recover if something does go wrong. This might mean having spare parts on hand or documented procedures to reinstall control software.
- Layer 5: Physical Security. Don’t overlook physical access. If someone can walk up to the machine with a USB drive, network security doesn’t help much.
Making the Business Case
If you’re trying to get budget for securing legacy equipment, focus on the cost of not doing it:
- Production downtime. If ransomware hits your legacy equipment, how long would you be down? What’s that cost per hour?
- Replacement under duress. If equipment fails due to a security incident, you’ll need to replace it immediately, likely at premium prices with extended lead times and rushed installation.
- Compliance and insurance. Depending on your industry and customers, having unpatched, vulnerable systems might create compliance issues or affect insurance coverage.
- Cascade effects. A security incident that starts with legacy equipment might not stay contained. It could spread to other systems and cause broader disruption.
The cost of implementing reasonable security measures, even if it’s $50,000 to properly segment and secure your legacy equipment, is usually a fraction of the cost of a single significant incident.
When Replacement Does Make Sense
Sometimes the right answer is to bite the bullet and replace or upgrade the equipment. Consider this when:
- The equipment requires constant connectivity that makes isolation impractical. If operators need to access the system constantly from various locations and you can’t effectively control that access, the security challenges may be insurmountable.
- The vendor is completely unsupportive. If the equipment vendor won’t work with you on security issues and won’t provide any guidance on securing their systems, you’re on your own in ways that might not be sustainable.
- The business requirements have changed. If you need capabilities that the old equipment simply can’t provide (better data collection, integration with new systems, etc.), retrofitting might cost as much as replacing.
- The risk is genuinely critical. In some industries or applications, the consequences of a security incident are severe enough that running vulnerable equipment just isn’t acceptable.
Moving Forward
If you’re dealing with legacy CNC machine network security issues, start with a realistic assessment:
- What connectivity does this equipment actually need?
- What are the specific vulnerabilities?
- What’s the cost of a security incident affecting this equipment?
- What’s the replacement or upgrade cost?
- What security measures are practical, given your budget and operational constraints?
The goal isn’t perfect security; that’s not achievable with legacy equipment. The goal is acceptable risk at a reasonable cost, which typically means network segmentation, controlled access, monitoring, and good backup procedures. For many manufacturers, partnering with a manufacturing IT services provider experienced in legacy industrial environments is the most practical way to work through this assessment without disrupting operations.
You might be running this equipment for another decade. Making it as secure as practically possible, even if it can’t be perfectly secure, is worth the investment.