Industrial Robots Are A Security Weak Link

Industrial robots used in factories and warehouses that are connected to the internet are not secure, leaving companies open to cyber-attacks and costly damages.

That's the word coming from a study conducted by global security software company Trend Micro and Polytechnic University of Milan, the largest technical university in Italy.
"The industrial robot, it's not ready for the world it's living in," said Mark Nunnikhoven, vice president of cloud research at Trend Micro. "The reality is these things are being connected in more and more places. There are a lot of attacks that could happen in that environment."

The study looked at Internet security vulnerabilities that could involve industrial robots used on manufacturing lines in areas such as the automobile and aerospace industries. The robots, which generally look like large mechanical arms, are used to move heavy objects, weld seams and fit pieces together. The machines also can be found moving and stacking crates in warehouses.

The issue is taking on greater significance as the use of robots grows in factories around the world. The International Federation of Robotics, in its World Robotics Report, said that 2.6 million industrial robots will be deployed worldwide by 2019, an increase of about 1 million since 2015. While companies are careful to ensure that industrial robots are safe to work near people, they're often not set up for cybersecurity. But these robots, according to Nunnikhoven, are increasingly being linked to company networks and the Internet.

As long as there are proper security precautions, analysts said these robots can be connected to the Internet. They need cyber-security basics such as user names and passwords, two-factor authentication, encryption and hardware-based biometric authentication.
"I'm shocked that anyone would consider attaching anything to the internet without making sure it was secured," said Dan Olds, an analyst with OrionX. "This applies to everything from home thermostats to big robotic arms. Everything attached to the Internet is vulnerable to hacking."

Patrick Moorhead, an analyst with Moor Insights & Strategy, said he was surprised that enterprises would forgo security on anything connected to the internet.
"The only thing I could attribute this to would be ignorance and maybe a way to save a few dollars here and there," he said. "This could be incredibly dangerous. To protect the security of robots there should be protection all the way from the robot to the network to the data center. Data should be protected at rest and in flight. This means a secure chain of command, end to end, using encryption every step of the way as well as hardware-based biometric authentication all the way through the chain."

Mike Gennert, a professor and director of the Robotics Engineering Program at Worcester Polytechnic Institute, said unsecured robots are the result of IT departments having to work with a new technology.
“It’s a whole other level of complexity in our systems,” Gennert said. “In the past, when you had a robot on a factory floor, it wasn’t part of a network that the outside world could view. There was a limited ability for malicious actors to connect with your robot. Now all these devices are on the internet and they’re all exposed.”
That means that companies will need to make sure there are IT managers, or even C-level executives, who can oversee robotics, making sure the technology is supporting the company’s business strategy while also making sure the machines are secure.

One challenge for companies will be to find people who have experience in both robotics and security. “There will be a few folks, but it will be a hot market because not many students study both robotics and security,” Gennert said. “Those that do both will be able to write their own ticket.”

Until companies can effectively combine robotics with security, robots may be an easy entryway for a hacker into a company's networks.

Nunnikhoven said there’s no direct evidence that hackers have taken advantage of these exploits. There aren’t proper monitoring systems in place to know if the systems have been exploited, he said.
Malicious hackers could get into a robot's controller system and make adjustments to its actions, which could create a dangerous situation in the factory or could enable the robots to build unsafe products on the production line.
Hackers also could gain access to the programming used to make the company's products, or they could use the robot as a jumping off point to hack into other enterprise systems. Companies could fall victim to ransomware or sabotage.
"This is dangerous in several ways," said Olds. "The first is pretty obvious, a hacker gets control of a robot and uses it to destroy company products or to hurt a human operator."

How the Research was Done

"We looked at cybersecurity because the robots are being connected to larger networks and the internet itself," he said. "During our research, the team found more than 83,000 of these robots exposed to the Internet."
Trend Micro got that number by running searches for about two weeks on Shodan, ZoomEye and Censys, search services that index data from Internet-wide scans, looking for things like web cams, routers, servers and devices on the Internet of Things. They then zeroed in on the industrial routers and robots that responded to their queries.
If the industrial robots responded, that meant they were not only connected to the Internet but they were exposed. If secured, the robots wouldn’t be directly accessible from an unauthenticated random IP address querying them.

The robots’ responses also gave researchers the software version they were running, along with their manufacturer.
The study found industrial robots from five different vendors, like ABB Robotics, FANUC FTP, Yaskawa, Kawasaki E Controller and Mitsubishi FTP, and 12 of their brands of industrial robots. More than 80,000 of them are working in factories around the world.

Nunnikhoven said it’s unclear how many companies are operating these robots, but more than 10,000 of the machines are running in the US. The US, followed by Australia and Japan, were the three countries with the highest number of exposed industrial robots.
“It reflects the US take on manufacturing,” said Nunnikhoven. “There’s a resurgence in trying to get smarter factories, and smarter factories would tend to have more industrial robots in play.”

According to the study, of the more than 83,000 exposed industrial robots, 59 had known vulnerabilities and more than 5,100 had no authentication.

So why would a company link an industrial robot working on a manufacturing line to the internet? Company IT managers might want internet access to robots so they could remotely adjust the robot's programming or check the status of their factory lines.
“There is some logic to it, but a lot of warning flags too,” Nunnikhoven said. “People tend to look at the positive and the possibilities, and they don’t look at the risks. They say, ‘Hey, we can query from one central location or get status from manufacturing lines in real time, even though we’re manufacturing from the other side of the planet. This exposes you to significant risks.”

Nunnikhoven said the researchers worked in isolation -- as opposed to a robot operating on a live factory floor. He said the researchers were able to hack into an industrial robot used for welding that had been set up like many typically are in factory situations. Once they had hacked in, the researchers were able to alter the robot’s configuration so it was no longer welding in a straight line.
“The robot has to be extremely precise,” Nunnikhoven explained. “Say, a robotic arm is doing a weld on a car line. It has to be very accurate to ensure the car chassis is strong enough to withstand impact and meet safety regulations. If they add a curve in the weld, that’s a defect and that could be catastrophic when that car hits the road.”

Computerworld

You Might Also Read:

Around Half Of Human Jobs Can Be Automated Now:

UK Thinks Robots And AI Will Lift Economic Growth:

Ethics of Drones, Remote Weapons and Robots:

 

« Data Breaches & The Internet of Things
Cyber Crime Drives Up The Cost Of Insurance »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

FT Cyber Resilience Summit: Europe

FT Cyber Resilience Summit: Europe

27 November 2024 | In-Person & Digital | 22 Bishopsgate, London. Business leaders, Innovators & Experts address evolving cybersecurity risks.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Digital Shadows

Digital Shadows

Digital Shadows is a cyber threat intelligence company that helps clients discover sensitive data exposed through social media, cloud services and mobile devices

ShmooCon

ShmooCon

ShmooCon is an annual east coast hacker convention offering three days of demonstrations and discussions of critical infosec issues.

BeOne Development

BeOne Development

BeOne Development provide innovative training and learning solutions for information security and compliance.

Dubex

Dubex

Dubex is Denmark's leading business-oriented IT security specialist.

Electric Imp

Electric Imp

Electric Imp offers an innovative and powerful Internet of Things platform that securely connects devices with advanced cloud computing resources.

Vicarius

Vicarius

Vicarius’ mission is to revolutionize vulnerability management from problem detection to proactive problem resolution.

National Cyber Security Centre (NCSC) - Switzerland

National Cyber Security Centre (NCSC) - Switzerland

The National Cyber Security Centre is Swizerland's competence centre for cybersecurity and the first contact point for businesses, public administrations, and the public for cyber issues.

Envelop Risk

Envelop Risk

Envelop Risk is a global specialty cyber insurance firm, combining decades of insurance industry expertise with sophisticated cyber and artificial intelligence-based analytics.

Selectron Systems

Selectron Systems

Selectron offers system solutions for automation in rail vehicles and support in dealing with your railway cyber security challenges.

7layers

7layers

7layers has established itself as one of the world’s leading test house groups for mobile devices and the growing number of wireless devices, modules and chipsets.

Midwest Cyber Security Alliance (MCSA)

Midwest Cyber Security Alliance (MCSA)

Midwest Cyber Security Alliance is a nonprofit, nonpartisan collaboration of individuals, businesses, government entities, and professionals advocating for more effective cyber security solutions.

risk3sixty

risk3sixty

Risk3sixty are information and cyber risk management craftsmen helping build business-first security and compliance programs.

Transatlantic Cyber Security Business Network

Transatlantic Cyber Security Business Network

The Transatlantic Cyber Security Business Network is a coalition of UK and US cyber security companies which facilitates collaboration to help address critical cyber security challenges.

Nokod Security

Nokod Security

Nokod Security delivers an application security platform for low-code / no-code custom applications and Robotic Process Automation (RPA).

OpenAI

OpenAI

OpenAI is an AI research and deployment company dedicated to ensuring that general-purpose artificial intelligence benefits all of humanity.

Nova Microsystems

Nova Microsystems

Nova's mission is to revolutionize cybersecurity through continuous data analysis and dynamic AI-driven encryption.