The research puts the spotlight on the security and vulnerability of industrial robots. The Industry 4.0 revolution calls for industrial robots to increase their complexity and interconnectedness exposing them as part of the attacker surface.
In Trend Micro’s analysis, researchers discovered different ways that make industrial robots vulnerable – from the usage of outdated software and weak authentication, to exposure due to the usage of public IPs.
Using the findings, it demonstrated how remote attackers can alter or introduce minor defects in the manufactured product, physically damage the robot, steal industry secrets, or injure humans.
These classes include:
- Altering the controller’s parameter. Attacker alter the control system so the robot moves unexpectedly or inaccurately, at the attacker’s will.
- Tampering with calibration parameters. The attacker changes the calibration to make the robot move unexpectedly or inaccurately.
- Tampering with the production logic. The attacker manipulates the program executed by the robot to introduce defects in the workpiece.
- Altering the user-perceived robot state. The attacker manipulates the status information so the operator is not aware of the true status of the robot.
- Altering the robot state. The attacker manipulates the true robot status so the operator loses control or can get injured.
While all this sounds a little like Asimov’s i-Robot, Trend Micro was able to exploit all five weaknesses. For example, a robot could be altered to produce faulty goods, and ransom demands follow to identify those robots or goods. Or a robot could even kill someone.
Trend Micro says industrial robot standards must consider cyber security threats the same way ICS and automotive sector standards have evolved to mitigate them. Network defenders must fully understand the unique position that industrial robots have in terms of securing them.
Robots have a very long lifetime, which means vendors must be able to provide security updates to all currently deployed versions, which they may not always be able to do. Furthermore, customers may be worried by downtimes or potential regressions carried by software updates and thus refrain from timely patching their systems.
The technical paper is here.