November 2007 Edition
QM Enterprise Metrology Sleuth
Sleuth foils a wily culprit, an EMS network hacker
Eddie Haskins, a CNC machine operator on the second shift
at Shifty Equipment Company, is a highly skilled,
no-nonsense sort of a guy. His daily plan is to get all of
his work done, square away his equipment, and launch himself
out the door as fast as humanly possible to hook up with his
buddies or spend some time with his girlfriend.
Recently, he was working on the horizontal mill to make
prototype engine parts for the new Trailbounder III
snowmobiles. At predetermined intervals, he also checked his
work on a nearby CMM. One evening, much to his surprise, the
CMM told him that the holes he'd been cutting were out of
spec. This couldn't be true, because the holes lined up
perfectly with ones in the same parts he made last week, and
those parts had checked out perfectly.
If Eddie went by the book, he might have to work very late
following the company's annoying procedures for
troubleshooting the problem. Instead, Eddie decided the
problem must be with the CMM program. Having had a little
training in that area, he got into the network, and rewrote
the master CMM program for the part by changing the nominal
data dimensions to compensate for the out-of-spec
measurements. He downloaded the modified program back to his
CMM once again, and his parts were checking out perfectly.
At the end of his shift, he was out the door in a flash.
It all hit the fan the next morning. According to
procedure, the CMM operators downloaded the master programs
they would be using to check their parts that day. It wasn't
long before several operators discovered that the prototype
engine parts they had been testing successfully all week
were being rejected. This caused a big stir, and it took
quality manager Bob Sturgess many hours of troubleshooting
to determine that the cause of the problem was a faulty CMM
program on the server.
Back at work the next evening, Eddie encountered the same
problem. His parts were not checking out using the
measurement program he thought he "fixed" the evening
before. Determined individual that he is, Eddie attempted to
log into the CMM program area on the server and "fix" the
problem again.
This time, however, the server was password-protected. No
problem – Eddie knew where one of his buddies on the day
shift – a guy with a higher level of security access –
stored his passwords. Eddie purloined the access code,
rewrote the offending CMM program, and shot out the door on
time as usual.
For Bob, the next morning was like déjà vu. After correcting
the part program again, changing the password, and
restricting network access to just a handful of trusted
people, he reported to management that someone was
corrupting measurement programs (and who knows what else) on
the EMS network.
That afternoon, an emergency meeting was convened to
address the problem. Top management, Bob, and EM Sleuth
attended. Marketing VP Fred Jones, who thinks the future of
the company depends on his Trailbounder III introduction,
went ballistic. He insisted that the security problem was
intentional, malicious, and most likely an attempt on the
part of industrial saboteurs to put Shifty Equipment out of
business.
Bob didn't think so, but he did not have the slightest
clue about what was actually going on. "But I'm sure we'll
figure it out," he offered.
"That's not good enough," retorted Fred. "We need to
attack this problem head on. We'll need better software,
custom log-in procedures with special data encryption, more
secure hardware, and around-the-clock security guards until
we get to the bottom of this."
"But that will cost us tens of thousands of dollars. I
don't have that kind of money in my budget," Sturgess
replied.
"Then maybe you should shut down that enterprise
metrology network and load your programs the old-fashioned
way. Anything wrong with that?"
"That's brilliant. Why don't we just measure everything
with hand tools too," said Bob. "What do you think,
Sleuth?"
Sleuth looked up from the doodles on his engineering pad
and yawned. "Oh I think we can get to the bottom of this in
about a week's time with a little effort and out-of-pocket
expenses of, say, $150 or maybe $200."
The out-of-pocket expenditures were for three jump drives
loaded with the pristine versions of measurement programs in
question and issued to the three shift supervisors. They
were instructed to reload the programs on the CMMs if any
corrupted programs turned up. That way the operators were
back on track with the proven programs with little lost time
if there was a breach.
This actually happened several times until Eddie was
tracked down and confronted. It wasn't that hard. There were
only a handful of people with the access, opportunity, and
training needed to get on the network and botch things up
royally. It turned out that Eddie's CMM had a fixture with a
poorly designed spring clip that did not always engage the
part in the proper orientation for measurement. Hence, the
bad results that Eddie blamed on the program.
Sleuth spent the next week fool-proofing the enterprise
metrology network so that this sort of thing would not
happen again. Security codes were reissued. Server access
was automatically monitored so that there was a clear trail
of who made what changes on the server and when.
Sleuth also fixed it so that measurement programs are
invisible to the operators. Operators can only run
measurement routines and generate reports – not alter the
programs themselves. When a CMM operator finishes the shift,
the programs used at his device are completely erased. That
means that the most current program has to be downloaded
from the server when the next operator takes over.
Before that happens, however, the server automatically
checks the engineering database to make sure that the most
current CAD model for the part is the one used to create the
current measurement program. So parts, measurement programs,
and CAD versions all match. Finally, measurement fixtures
were fixed so that there was no way to misalign parts and
create false bad measurements or false good ones for that
matter.
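
The server-side controls described above (run-only operators, a who/what/when trail, and a match check before each download), sketched as an added example that is not part of the original column or of any PC-DMIS product. The class names, role names, part number and program text are all hypothetical; the "approved" digest plays the role of the pristine copies on the supervisors' jump drives.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class MasterProgram:          # hypothetical record, not a real CMM file format
    part_no: str
    body: bytes               # program text as stored on the server
    cad_revision: str         # CAD revision the program was built from

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class ProgramServer:
    def __init__(self, approved, current_cad):
        self.approved = approved        # part_no -> SHA-256 of the pristine program
        self.current_cad = current_cad  # part_no -> latest CAD revision
        self.programs, self.audit = {}, []
    def _log(self, user, action, part_no, result):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append((stamp, user, action, part_no, result))
    def write(self, user, role, prog):
        ok = role == "programmer"       # operators may run programs, never alter them
        if ok:
            self.programs[prog.part_no] = prog
        self._log(user, "write", prog.part_no, digest(prog.body)[:12] if ok else "denied")
        return ok
    def release(self, user, part_no):   # called before every download to a CMM
        prog = self.programs[part_no]
        result = "ok"
        if digest(prog.body) != self.approved.get(part_no):
            result = "blocked: differs from approved copy"
        elif prog.cad_revision != self.current_cad.get(part_no):
            result = "blocked: stale CAD revision"
        self._log(user, "release", part_no, result)
        return result

def demo():
    good = MasterProgram("TB3-PROTO", b"HOLE_1 NOMINAL_DIA=12.000\n", "C")    # constructed
    edited = MasterProgram("TB3-PROTO", b"HOLE_1 NOMINAL_DIA=12.040\n", "D")  # constructed
    srv = ProgramServer({"TB3-PROTO": digest(good.body)}, {"TB3-PROTO": "C"})
    srv.write("quality_eng", "programmer", good)
    out = [srv.release("cmm_2", "TB3-PROTO")]
    denied = not srv.write("operator_a", "operator", edited)  # run-only role
    srv.current_cad["TB3-PROTO"] = "D"                # engineering issues a new revision
    out.append(srv.release("cmm_2", "TB3-PROTO"))
    srv.write("programmer_b", "programmer", edited)   # unapproved edit, still logged
    out.append(srv.release("cmm_2", "TB3-PROTO"))
    return denied, out, srv.audit
```

Even a write made with a login that has edit rights leaves an audit record and cannot reach a CMM until the program matches the approved copy.
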
"So quite a bit of good came out of this little mishap,"
thought Sleuth. "Shifty Equipment has invested a lot of time
fool-proofing manufacturing procedures. It only makes sense
to do the same with measurement systems and the enterprise
metrology network."
As for Eddie, he was given a severe reprimand. Eddie was
genuinely sorry for all the problems he'd caused. He is
still working for Shifty Equipment, but not in the quality
department.
SOS contest winner
This column was based on a suggestion from our SOS (Save Our
Sleuth) contest winner Peter Wolf, quality engineer, Briggs &
Stratton, Auburn, AL. Wolf insists on our reminding readers that the
events and people described in this column bear no resemblance to
anything or anyone within a hundred miles of Auburn. For his
efforts, he wins a TESA digital tool set.

EM Sleuth is sponsored by Wilcox Associates Inc. (www.pcdmis-ems.com),
part of the Hexagon Metrology Group and makers of PC-DMIS
measurement software. Contributors to this article include:
Don Ruggieri, senior applications engineer, Wilcox
Associates, druggieri@wilcoxassoc.com; Rob Fabiano, Sleuth
illustrator, rfabiano1@cox.net; and Joel Cassola, writer,
jocas@cox.net.
Let other readers know how the application of this
story helped you perform your job better by sending your
thoughts to
Tooling@ToolingAndProduction.com.