Industrial Robots Are A Security Weak Link

Industrial robots used in factories and warehouses that are connected to the internet are not secure, leaving companies open to cyber-attacks and costly damages.

That's the word coming from a study conducted by global security software company Trend Micro and Polytechnic University of Milan, the largest technical university in Italy.
"The industrial robot, it's not ready for the world it's living in," said Mark Nunnikhoven, vice president of cloud research at Trend Micro. "The reality is these things are being connected in more and more places. There are a lot of attacks that could happen in that environment."

The study looked at Internet security vulnerabilities that could involve industrial robots used on manufacturing lines in areas such as the automobile and aerospace industries. The robots, which generally look like large mechanical arms, are used to move heavy objects, weld seams and fit pieces together. The machines also can be found moving and stacking crates in warehouses.

The issue is taking on greater significance as the use of robots grows in factories around the world. The International Federation of Robotics, in its World Robotics Report, said that 2.6 million industrial robots will be deployed worldwide by 2019, an increase of about 1 million since 2015. While companies are careful to ensure that industrial robots are safe to work near people, they're often not set up for cybersecurity. But these robots, according to Nunnikhoven, are increasingly being linked to company networks and the Internet.

As long as there are proper security precautions, analysts said these robots can be connected to the Internet. They need cyber-security basics such as user names and passwords, two-factor authentication, encryption and hardware-based biometric authentication.
"I'm shocked that anyone would consider attaching anything to the internet without making sure it was secured," said Dan Olds, an analyst with OrionX. "This applies to everything from home thermostats to big robotic arms. Everything attached to the Internet is vulnerable to hacking."

Patrick Moorhead, an analyst with Moor Insights & Strategy, said he was surprised that enterprises would forgo security on anything connected to the internet.
"The only thing I could attribute this to would be ignorance and maybe a way to save a few dollars here and there," he said. "This could be incredibly dangerous. To protect the security of robots there should be protection all the way from the robot to the network to the data center. Data should be protected at rest and in flight. This means a secure chain of command, end to end, using encryption every step of the way as well as hardware-based biometric authentication all the way through the chain."

Mike Gennert, a professor and director of the Robotics Engineering Program at Worcester Polytechnic Institute, said unsecured robots are the result of IT departments having to work with a new technology.
“It’s a whole other level of complexity in our systems,” Gennert said. “In the past, when you had a robot on a factory floor, it wasn’t part of a network that the outside world could view. There was a limited ability for malicious actors to connect with your robot. Now all these devices are on the internet and they’re all exposed.”
That means that companies will need to make sure there are IT managers, or even C-level executives, who can oversee robotics, making sure the technology is supporting the company’s business strategy while also making sure the machines are secure.

One challenge for companies will be to find people who have experience in both robotics and security. “There will be a few folks, but it will be a hot market because not many students study both robotics and security,” Gennert said. “Those that do both will be able to write their own ticket.”

Until companies can effectively combine robotics with security, robots may be an easy entryway for a hacker into a company's networks.

Nunnikhoven said there’s no direct evidence that hackers have taken advantage of these exploits. There aren’t proper monitoring systems in place to know if the systems have been exploited, he said.
Malicious hackers could get into a robot's controller system and make adjustments to its actions, which could create a dangerous situation in the factory or could enable the robots to build unsafe products on the production line.
Hackers also could gain access to the programming used to make the company's products, or they could use the robot as a jumping off point to hack into other enterprise systems. Companies could fall victim to ransomware or sabotage.
"This is dangerous in several ways," said Olds. "The first is pretty obvious, a hacker gets control of a robot and uses it to destroy company products or to hurt a human operator."

How the Research was Done

"We looked at cybersecurity because the robots are being connected to larger networks and the internet itself," he said. "During our research, the team found more than 83,000 of these robots exposed to the Internet."
Trend Micro got that number by running searches for about two weeks on Shodan, ZoomEye and Censys, search services that index data from Internet-wide scans, looking for things like web cams, routers, servers and devices on the Internet of Things. They then zeroed in on the industrial routers and robots that responded to their queries.
If the industrial robots responded, that meant they were not only connected to the Internet but they were exposed. If secured, the robots wouldn’t be directly accessible from an unauthenticated random IP address querying them.

The robots’ responses also gave researchers the software version they were running, along with their manufacturer.
The study found industrial robots from five different vendors, such as ABB Robotics, FANUC FTP, Yaskawa, Kawasaki E Controller and Mitsubishi FTP, spanning 12 of their brands of industrial robots. More than 80,000 of them are working in factories around the world.

Nunnikhoven said it’s unclear how many companies are operating these robots, but more than 10,000 of the machines are running in the US. The US, Australia and Japan, in that order, were the three countries with the highest number of exposed industrial robots.
“It reflects the US take on manufacturing,” said Nunnikhoven. “There’s a resurgence in trying to get smarter factories, and smarter factories would tend to have more industrial robots in play.”

According to the study, of the more than 83,000 exposed industrial robots, 59 had known vulnerabilities and more than 5,100 had no authentication.
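The distinction the study draws between a robot that merely answers from the internet and one that answers with no authentication can be checked against your own address space. The sketch below is an added example, not code from the study or from Trend Micro: it triages FTP reply transcripts recorded by probing your own public addresses from outside. It assumes the probe sent `USER anonymous` and a `PASS` only when asked; the addresses, banners and finding labels are constructed for illustration.

```python
import re

REPLY = re.compile(r"^(\d{3})([ -])(.*)$")   # FTP reply: code, ' ' (final) or '-' (continued)
RANK = ["exposed-no-auth", "exposed-anonymous-login", "exposed-unknown",
        "exposed-auth-required", "not-exposed"]   # hypothetical labels, worst first

def replies(lines):
    """Fold raw server lines into (code, text) replies, joining 'NNN-' continuations."""
    out, buf = [], []
    for line in lines:
        m = REPLY.match(line.strip())
        if not m:
            continue
        buf.append(m.group(3))
        if m.group(2) == " ":
            out.append((int(m.group(1)), " ".join(buf)))
            buf = []
    return out

def classify(lines):
    """Return (finding, banner) for one recorded USER/PASS probe."""
    rs = replies(lines)
    if not rs or rs[0][0] != 220:            # no greeting: nothing answered from outside
        return ("not-exposed", None)
    banner, codes = rs[0][1], [c for c, _ in rs[1:]]
    if 230 in codes:                         # 230 = logged in
        asked = 331 in codes[:codes.index(230)]   # 331 = password requested first
        return ("exposed-anonymous-login" if asked else "exposed-no-auth", banner)
    if 331 in codes or 530 in codes:         # 530 = not logged in
        return ("exposed-auth-required", banner)
    return ("exposed-unknown", banner)

def audit(transcripts):
    """Classify every address and list the worst findings first."""
    rows = [(ip, *classify(lines)) for ip, lines in transcripts.items()]
    return sorted(rows, key=lambda r: RANK.index(r[1]))

# Constructed sample: replies recorded while probing our own public addresses
# (documentation range) from outside; banners are placeholders, not vendor strings.
SAMPLE = {
    "203.0.113.11": ["220-EXAMPLE-ROBOT", "220 FTP 1.4 ready",
                     "331 Password required", "530 Login incorrect"],
    "203.0.113.12": [],
    "203.0.113.10": ["220 EXAMPLE-ROBOT FTP 1.2 ready", "230 User logged in"],
    "203.0.113.13": ["220 ready", "331 Guest login ok", "230 Guest logged in"],
}

if __name__ == "__main__":
    for ip, finding, banner in audit(SAMPLE):
        print(f"{ip:15} {finding:24} {banner or '-'}")
```

A controller that lands in `exposed-auth-required` is still a finding: by the study's definition a secured robot would not answer an arbitrary external address at all, and its greeting banner can disclose vendor and software version.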

So why would a company link an industrial robot working on a manufacturing line to the internet? Company IT managers might want internet access to robots so they could remotely adjust the robot's programming or check the status of their factory lines.
“There is some logic to it, but a lot of warning flags too,” Nunnikhoven said. “People tend to look at the positive and the possibilities, and they don’t look at the risks. They say, ‘Hey, we can query from one central location or get status from manufacturing lines in real time, even though we’re manufacturing from the other side of the planet.’ This exposes you to significant risks.”

Nunnikhoven said the researchers worked in isolation -- as opposed to a robot operating on a live factory floor. He said the researchers were able to hack into an industrial robot used for welding that had been set up like many typically are in factory situations. Once they had hacked in, the researchers were able to alter the robot’s configuration so it was no longer welding in a straight line.
“The robot has to be extremely precise,” Nunnikhoven explained. “Say, a robotic arm is doing a weld on a car line. It has to be very accurate to ensure the car chassis is strong enough to withstand impact and meet safety regulations. If they add a curve in the weld, that’s a defect and that could be catastrophic when that car hits the road.”

Computerworld
