
Researchers Analyze Entry Points, Vectors for Manufacturing System Attacks

Researchers from cybersecurity firm Trend Micro and the Polytechnic University of Milan have analyzed the possible entry points and vectors for attacks targeting smart manufacturing environments, and they discovered several new vulnerabilities in the process.


It’s not uncommon for traditional malware to make its way into industrial environments, and in many cases it is detected by existing security solutions. Sophisticated attackers looking to target industrial organizations, however, are more likely to launch attacks that specifically target operational technology (OT) systems, making their attacks more efficient and less likely to be detected.

The Polytechnic University of Milan has a dedicated Industry 4.0 lab with manufacturing equipment that is typically deployed in real-world environments. Trend Micro teamed up with the university to see exactly how attackers could gain access to manufacturing environments and the actions they could conduct.

The study, which resulted in a 60-page report, looked at three main points of entry: engineering workstations, custom industrial internet-of-things (IIoT) devices, and manufacturing execution systems (MES).


Engineering workstations, which are often connected to devices on the plant floor, are one of the most important entry points. They are used to manage PLCs and HMIs, and gaining access to one can be highly useful to an attacker, as it allows them to access sensitive information, move laterally, or tamper with manufacturing equipment.

Researchers at Trend Micro and the Polytechnic University of Milan have shown how these engineering workstations could be compromised using a malicious industrial add-in or extension. If an attacker can convince a user within the targeted organization to install a malicious add-in, they can push arbitrary automation logic code to manufacturing equipment.

While tricking an engineer into using a malicious add-in might not sound like an easy task, the researchers have identified some vulnerabilities that could make a hacker’s job easier. For example, a security hole in ABB’s RobotStudio app store, which hosts automation logic for industrial robots made by ABB, could have allowed an attacker to bypass the vetting process and upload a malicious add-in that would become immediately available in the store. ABB released a server-side patch for this vulnerability after being notified by Trend Micro.


Another example involves KUKA’s KUKA.Sim engineering and development software for robots and computer numerical control (CNC) devices. The issue is related to the eCatalog feature, which allows users to import 3D models made by others. The researchers discovered that the software did not include any integrity checks for data downloaded from the eCatalog and the communication between the client and the server was not encrypted, allowing a man-in-the-middle (MitM) attacker to make malicious changes to a model.


Custom IIoT devices, which allow engineers to run fully custom automation logic on manufacturing equipment, can also be a good entry point for attacks. While these custom devices have many benefits, they can rely on third-party libraries, which makes them more exposed to supply chain attacks.

If an attacker can somehow get the target to use a trojanized library or alter code directly on a development workstation, they could remotely gain full access to a plant, Trend Micro warned.
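The missing eCatalog integrity check and the trojanized-library scenario described above call for the same client-side control: accept a downloaded artifact only if it matches a digest pinned out of band. The Python below is an added example, not code from the report or from any vendor; the file names, URLs, manifest layout and sample contents are assumptions constructed for illustration.

```python
import hashlib
from urllib.parse import urlparse

# Constructed sample artifacts: a 3D model and a third-party library.
MODEL = b"ROBOT-CELL-MODEL v1\njoint_limit=170\n"
LIBRARY = b"def read_sensor(pin):\n    return pin * 2\n"


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Pinned manifest. Assumption: it reaches the workstation over an
# authenticated channel (for example inside a signed installer), never
# over the same connection as the artifact it describes.
MANIFEST = {
    "cell_model.bin": {"size": len(MODEL), "sha256": digest(MODEL)},
    "sensorlib.py": {"size": len(LIBRARY), "sha256": digest(LIBRARY)},
}


def verify_artifact(name, url, data, manifest=MANIFEST):
    """Return (ok, reason) for a downloaded artifact; reject by default."""
    # Plaintext transport lets an on-path attacker rewrite the payload.
    if urlparse(url).scheme != "https":
        return False, "insecure transport"
    entry = manifest.get(name)
    if entry is None:
        # Anything not explicitly pinned is refused, not trusted.
        return False, "not in manifest"
    if len(data) != entry["size"]:
        return False, "size mismatch"
    if digest(data) != entry["sha256"]:
        return False, "digest mismatch"
    return True, "ok"


if __name__ == "__main__":
    url = "https://catalog.example.invalid/cell_model.bin"
    # Same-length modification, as an on-path attacker might make.
    tampered = MODEL.replace(b"170", b"350")
    print(verify_artifact("cell_model.bin", url, MODEL))
    print(verify_artifact("cell_model.bin", url, tampered))
```

The check is only as trustworthy as the manifest's own delivery path; a manifest fetched next to the artifact over the same unauthenticated connection adds nothing.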

In the case of MES databases, which store work orders and templates, an attacker can simply change records in the database to cause problems. This can be done by an attacker who has gained access to the targeted organization’s network or to an unprotected MES database — this attack can also start with a compromised engineering workstation.
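One way to make direct edits to MES records detectable is to have the application attach a keyed tag to each work order and re-check it before dispatch. The Python below is an added example, not part of the research or of any MES product; the record fields, order IDs and key handling are assumptions, and the rows are constructed.

```python
import hashlib
import hmac
import json

# Assumption: the key lives in the MES application's secret store,
# never in the database an intruder may be able to write to.
KEY = b"constructed-demo-key-not-for-production"


def canonical(record: dict) -> bytes:
    """Stable byte encoding of a record, excluding its own tag."""
    body = {k: v for k, v in record.items() if k != "tag"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes = KEY) -> dict:
    """Return a copy of the record carrying an HMAC-SHA256 tag."""
    sealed = dict(record)
    sealed["tag"] = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return sealed


def audit(rows, key: bytes = KEY):
    """Return order_ids whose tag is missing or no longer matches."""
    suspect = []
    for row in rows:
        expected = hmac.new(key, canonical(row), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(row.get("tag", ""))):
            suspect.append(row["order_id"])
    return suspect


def demo_audit():
    # Constructed work orders as the application would store them.
    rows = [
        seal({"order_id": "WO-1001", "part": "bracket", "drill_depth_mm": 12, "qty": 40}),
        seal({"order_id": "WO-1002", "part": "housing", "drill_depth_mm": 8, "qty": 15}),
        seal({"order_id": "WO-1003", "part": "flange", "drill_depth_mm": 5, "qty": 60}),
    ]
    rows[1]["drill_depth_mm"] = 80  # value changed directly in the database
    del rows[2]["tag"]              # row rewritten without a tag
    return audit(rows)


if __name__ == "__main__":
    print(demo_audit())
```

Per-row tags catch modified and untagged records, but not deleted rows or an older sealed row replayed in place of a newer one; those need a sequence number or a chained digest across records.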

The researchers also looked at mobile HMIs, which can have vulnerabilities like the ones typically found in other mobile applications. There are over 170 HMI apps on Google Play and many of them have thousands and even hundreds of thousands of installs.

Vulnerabilities exist in many of these apps, but Trend Micro’s attack examples focused on Comau’s PickApp, which allows users to control their robots from a tablet or mobile phone. The application is affected by various types of flaws that can allow an attacker to take control of connected machines.


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
