Just over a week ago, governments, hospitals, businesses, and homes worldwide fell victim to a massive cyber attack in which WannaCrypt – a malicious ransomware program – denied computer users access to their data unless they paid a Bitcoin ransom. Now, a new report describes how another increasingly connected technical world – that of industrial robots – may also fall prey to hackers.
In a paper titled “Rogue Robots,” experts from the global cloud security firm Trend Micro, together with researchers from the Polytechnic University of Milan in Italy, highlight ways in which hackers might potentially take unauthorized control of industrial robots.
Industrial robots – defined by the International Organization for Standardization as “automatically controlled, reprogrammable, multipurpose, manipulator, programmable in three or more axes, which can be either fixed in place or mobile for use in industrial automation applications” – are transforming manufacturing in many industries.
Many of these mechanized multi-axis “arms” carry out tasks that are dangerous for humans or do work that is repetitive. They are ideal, for example, for production runs that require high volumes of output with no errors.
Typical applications include material handling, food processing, assembly of components, arc welding, and die casting.
The report cites figures that suggest that, by 2018, there will be around 1.3 million industrial robots in factories around the world, at a total market value of US$32 billion.
The ‘fourth industrial revolution’
Industrial robots play a key role is what is being termed the fourth industrial revolution or “Industry 4.0” and the advent of the “smart factory,” where information technology meets operational technology.
In the Industry 4.0 world, industrial robots – which are essentially complex cyberphysical systems comprising an assembly of sensors, actuators, controllers, and human interface devices – are becoming increasingly connected with other robots and information systems.
In the smart factory, not only are robots connected to computer networks for programming and maintenance, but they become part of the factory’s “IT ecosystem.”
The idea is that, eventually, the overall management system will not only be able to track production and automatically place orders to suppliers for required parts, it will also be able to “reconfigure roboticized production lines and receive updates on their operational status,” notes the report.
The benefits also bring risks
The authors cite the example of ABB who have created a platform called Robot Web Services where their robots can talk to outside devices using internet protocols.
Supervisors can even control the robots using their smartphones, thanks to user-friendly application programming interfaces (APIs). “In fact,” notes the report, “robot app stores are becoming increasingly available for both consumer and industrial robots.”
However, while such progress in industrial robot systems may improve the safety, flexibility, performance, and reliability of shop floor operations, it also raises the risk of sabotage by hackers, with “consequences ranging simple compromise of controlling machines to impacting the quality or availability of the production chain.”
The report authors reveal that even a “superficial analysis” shows that some of these devices are operating with outdated software based on vulnerable operating systems and libraries. They are relying on “obsolete or otherwise broken cryptographic libraries; and have weak authentication systems with default, unchangeable credentials.”
The authors note they found some instances of industrial robots being reachable from the outside.
Examples of how hackers might interfere with industrial robots
The report highlights five ways in which hackers might interfere with industrial robots:
1 – alter the paramaters of the robot’s controllers
2 – tamper with the robot’s calibration parameters
3 – interfere with the production logic
4 – alter the robot status perceived by the operator
5 – alter the robot status itself
Such attacks could lead to safety and production problems ranging from operator injury to faulty products.
The report also considers a number of scenarios in which such acts of sabotage might be used. For instance, to deliberately cause injury, cause product to malfunction, steal sensitive data, or, as in the recent WannaCrypt cyber attack, to get companies to pay ransom in exchange for information on how to debug the robot system or recover from the attack.
It cites a study where researchers showed how a sabotage attack on a 3-D printing system produced virtually invisible defects in the propeller of a quadcopter drone that resulted in the device “literally falling from the sky.”
The report does not claim to be anything more than an exploration of the possible ways in which hackers might exploit vulnerabilities in what is still a very young industry, informed by some experimental insights.
Nevertheless, it does suggest that it is never too early to be prepared, even if the risks are at present theoretical rather than based on experience.
The report also suggests that security is a holistic issue that involves the whole IT ecosystem and all its stakeholders. It concludes:
“Ultimately, the call for security extends beyond industrial robot operators but to all players involved in
bringing these devices into production and the market. Between cybersecurity standards makers, robot
software developers, robot vendors, and network defenders, the overall objective should be to make
reliable exploitation of existing and future vulnerabilities more expensive for attacks.”