By Gregory Hale
As robots become more pervasive in the manufacturing automation sector, the simple question is: How secure are they?
That is where MalCrawler Corp. comes in: the company has just released a new threat research report demonstrating the ease of hacking robotic devices.
These easy-to-hack robotic devices see action in multiple industries and in manufacturing operations ranging from small to large. MalCrawler officials presented their research last week at the 2018 Kaspersky Security Analyst Summit in Cancun, Mexico.
“It was shocking to find robotic controllers utilized by large manufacturers open on the Internet with no or very little cybersecurity control to protect them. A simple hack could easily shut down a major production line,” said Parvez Ahmed, vice president at MalCrawler.
MalCrawler followed the “Hack Your Robot” report with a cybersecurity guide entitled, “Cybersecurity Guide for Robotics in Manufacturing.”
“We developed a cybersecurity guide for robotics in the manufacturing industry as a result of our research on hacking robots,” said Dewan Chowdhury, founder and chief executive at MalCrawler. “We realized real quick that the manufacturing sector is not up to speed regarding cybersecurity compared to other critical infrastructure. After performing security tests at manufacturing facilities, they asked us how they can protect themselves from cyber threats, so we developed a simple guide to help manufacturers protect their robotics against cyber threats.”
This no-cost guide allows manufacturing operators who utilize robotics and other ICS/SCADA technology to perform a quick cybersecurity assessment of their plant operations. The recommendations, if followed, can significantly reduce cyber risk and enhance the overall cyber posture of manufacturing operators.
With the industry moving toward increased connectivity and more heavily automated environments, the use of robots is growing.
The catch, though, is that security for robots, both home and industrial, is severely lacking, according to research released in August from IOActive.
The growth of robots continues to rise, according to the International Federation of Robotics. Unit sales of industrial robots grew 15 percent in 2015, while revenues increased 9 percent to $11 billion. In 2016 revenues in North America rose by 14 percent, to $1.8 billion. Consulting group ABI Research said the industry’s sales will triple by 2025.
What is at issue, however, is security. A slew of vulnerabilities, including authentication/authorization problems and bypasses, insecure transport of data and firmware update mechanisms, undocumented methods, hard-coded passwords, unencrypted storage, and easily disabled human safety protections, can be exploited to allow attackers to spy on users, hijack the robots, brick them and potentially hurt humans around them, according to the IOActive research.
Traditional industrial robots often end up used to perform duties that are dangerous or unsuitable for workers; therefore, they operate in isolation from humans and other valuable machinery.
“This is not the case with the latest generation collaborative robots, or cobots. They function with co-workers in shared workspaces while respecting safety standards. This generation of robots works hand-in-hand with humans, assisting them, rather than just performing automated, isolated operations,” said IOActive researcher Lucas Apa.
“Cobots can learn movements, ‘see’ through HD cameras, or ‘hear’ through microphones.”
Along those lines, IOActive audited cobot vendors to see where they stood in terms of security.
“In accordance with IOActive’s responsible disclosure policy we contacted the vendors last January, so they have had ample time to address the vulnerabilities and inform their customers,” Apa said. “Our goal is to make cobots more secure and prevent vulnerabilities from being exploited by attackers to cause serious harm to industries, employees, and their surroundings.”
Robots usually have exposed connectivity ports that allow physically present users to fiddle with them (via special USB devices, Ethernet connections), but unfortunately there are also ways for remote attackers to interfere with the robots’ safety features (collision detection and avoidance mechanisms), which can result in serious injuries.
An attacker can chain multiple vulnerabilities, of which the researcher found over 50, in a leading cobot to remotely modify safety settings, violating applicable safety laws and, consequently, causing physical harm to the robot’s surroundings by moving it arbitrarily.
“This attack serves as an example of how dangerous these systems can be if they are hacked. Manipulating safety limits and disabling emergency buttons could directly threaten human life,” Apa said.
Numerous factory robots have weak network security, using simple combinations of usernames and passwords that couldn’t even be changed; others didn’t even need a password, said researchers at Trend Micro in a report published with ISSSource this past May.