Security Experts:

Industrial Robotics - Are You Increasing Your Cybersecurity Risk?

There’s nothing fundamentally novel about the use of robots in industrial environments. For nearly half a century, they’ve been changing the way that we manufacture products and deal with risk in hazardous environments. From automotive assembly lines to mines, robots have been helping to boost productivity and safety for decades. According to a report from the International Federation of Robotics, sales of industrial robots are rising at around 30% a year, and by much more in some sectors. Many workplaces are changing radically as a result, but are manufacturers and end customers placing enough emphasis on the cybersecurity of their new employees?

Driving change in the industrial environment

Right now, falling costs and common programming platforms are helping to accelerate the proliferation of general-purpose robots in all sectors. They’re an integral part of Industry 4.0 and the Industrial Internet of Things (IIoT), able to change output depending on sophisticated triggers. Growth in their use will continue for the foreseeable future: the more widely they are used, the more use cases are found.

Industrial Robot in Factory: Industry 4.0It’s this level of connectivity that should give cause for concern. Business owners who can utilize artificial intelligence (AI) and machine learning to adapt their robots’ behavior based on real-time analytics from the production line can clearly use that to their advantage. The better integrated into the network a robot is, the more effectively it can be deployed and redeployed as required.

There is a lot of industry attention at the moment to the physical safety of robots in the workplace, especially when they share space with human co-workers. A new standard is set to be published this year governing when robots should shut down (if approached by a human, for example) and when they are allowed to restart their process.

The cyber risk, however, has not had the same level of attention, and although awareness is growing, there is still much to be done. 

Historical challenges with industrial robots

Part of the reason that industrial robots have fallen in price is because there are common platforms for development. The Robot Operating System (ROS), for example, is a software stack that powers robots everywhere from mineshafts to the International Space Station. 

ROS was first introduced in 2007 and the latest version, ROS2, has been built with security in mind from the ground up. The challenge is that ROS2 is still very new, and only appeared in a stable form last year, so is not yet widely deployed. ROS1, on the other hand, wasn’t designed to be cybersecure and utilises many out-of-date protocols and tools for remote access and control.

There are many ways that ROS1 systems can be secured, but the attack surface for an industrial robot is broad. As with many technologies, firmware for embedded components are often not kept up-to-date to protect against known vulnerabilities, and likewise documented weaknesses in the communications protocols or underlying network are not addressed.

Alternatives to ROS are even harder to benchmark, since they are often based around proprietary code developed for productivity and speed to market rather than cybersecurity.

The increased risks that autonomous production brings

So far, there have been no known cyberattacks on industrial robots that have hit the headlines. That’s to be celebrated, but the truth is that part of the reason is that robots haven’t been an attractive target for hackers. It’s expensive to get hold of examples in order to develop attacks, and there haven’t been enough industrial robots in the field to make it worth their while. 

That is changing. As costs come down and the number of robots in use increases, they become a more tempting target. Researchers have repeatedly shown proof of concept (POC) attacks in which they have been able to take over well-known robots, including well-known semi-autonomous ones, or infect them with ransomware. 

It goes without saying that the potential for physical harm, or at the very least significant business disruption, from a compromised robot is great.

Our security concerns shouldn’t slow the growth of industrial robot use, however. Like any other product or technology there are well known and proven processes which can help to improve the state of cybersecurity in the field. Mitigation of risk is all about planning: the principles of “secure by design” mean ensuring security is addressed from the early stages of the design phase and continue as a key consideration at every stage of the development process to ensure a cyber resilient end product. 

Potential purchasers should define clear security requirements as part of their procurement language and conduct a thorough assessment of any new robots that they seek to deploy. It’s likely that this will require the skills of an independent third party; these independent tests should be conducted to ensure that robots and systems are appropriately hardened against attack before they are integrated into production environments, and that staff are appropriately trained to understand the risks associated with their behaviour.

Vendors, meanwhile, should adopt the “secure development life cycle”  best practices, and ensure they are providing end users with cyber resilient products to be implemented in their business-critical production environments. Not only should cybersecurity be a priority when designing and building robots, but clear roadmaps for managing upgrades and patches should be well documented and regularly updated.

Robots promise to increase productivity and reduce risk for many organisations. By deploying them with cybersecurity in mind we can ensure that they don’t run the danger of introducing the same negative effects into their environment.

Learn More at SecurityWeek's ICS Cyber Security Conference

view counter
Jalal Bouhdada is Founder and Principal ICS Security Consultant for Applied Risk. He has over 15 years’ experience in Industrial Control Systems (ICS) security assessment, design and deployment with a focus on Process Control Domain and Industrial IT Security. Jalal has led several engagements for major clients, including many of the top utilities in the world and some of the largest global companies in industry verticals including power generators, electricity transmission providers, water utilities, petro chemical plants and oil refineries He holds a B.S degree in Security Assurance from Amsterdam University of Applied Sciences and is an active member of the Industrial Internet Consortium (IIC), ISA99, NEN, CIGRE and other professional societies.