Wednesday 8 November 2017

Sabotage & Subterfuge: Hacking Industrial Robots

INDUSTRY 4.0 IS COMING
The sage words below are an excerpt from a Nov 1, 2017 Blog by Danny Bradbury - see https://sector.ca/sabotage-and-subterfuge-hacking-industrial-robots/. I include this entry today because I want to take a closer look at the promised connected world of the Industry 4.0 platform, so that we all remember to address the cyber security issues along the way to the promised land of true Manufacturing Automation.
--------------------------------  
Isaac Asimov’s three laws of robotics are safe, sensible rules. First laid out in 1942, rule number one prevents a robot from harming a human being. The second forces it to obey orders given it by people, except where such orders would conflict with the first law. Finally, it must protect its own existence as long as such protection does not conflict with the First or Second Law.
Those are some pretty sound, sensible rules – and Stefano Zanero has persuaded industrial robots to break all of them.
Zanero, an associate professor at Italian university Politecnico di Milano, will explain how in his talk at SecTor later this month. He has found flaws in industrial robots and developed theoretical attacks that could dramatically affect corporate users, and worse.
“I was taking coffee with a colleague that works on robotics, and was looking at their labs. While we were talking, I was going through all the research that I had read in the last few years. I realized that I had not seen anybody look into one of these things,” he says. That’s not surprising. “Not everybody has an €80,000 robot sitting above their lab.”
Zanero did. Robotics is a key research area at the Politecnico di Milano, so he set to work investigating several robots’ underlying security protections. He found some common flaws.
“Most of the components in the robot were relatively weak. They were not designed to withstand hacking attacks,” he says.
In one of the robots he investigated, he found a default user that couldn’t be disabled, and a default password that couldn’t be changed. “When you compromise the first Internet-facing component, all the other components are basically also yours,” he explains. Those components all download the firmware from the first, compromised component without checking code signatures.

BREAKING LAW NUMBER TWO

In compromising this software, an attacker is able to violate Asimov’s second law by giving it new instructions that its original programmers didn’t intend.
Industrial control systems built to this level of security are not meant to be Internet facing, he adds, and yet the move towards ‘Industry 4.0’ – an increasingly connected factory environment in which robots and other industrial systems are accessible via IoT-based networks – is increasingly putting them there. Many industrial robots today are a browser away from the Internet or in some cases directly connected, he warns.
What could he make a robot do with these vulnerabilities? He came up with several possibilities. The first was the introduction of micro-defects.
“If you get control of a robot, you can introduce in a subtle way a lot of micro-defects into the parts being manufactured. These defects would be too small to be perceived,” he says. “Since the robot isn’t designed with this attack model in mind, there is absolutely no way for the people programming the robot to realise that it has been put off centre and miscalibrated.”
A slight offset in a welding algorithm could produce a structural flaw that could have significant implications for product safety. Imagine a production line altered to produce unsafe automotive components. A year after the attack, the attacker could make the flaw known and force a product recall, costing the victim millions and trashing their brand. Worse still would be not making the flaw known, waiting instead until road accidents started happening.

GOODBYE, LAW NUMBER THREE

“The second big area of concern is that using the same manipulations, you can actually make a robot destroy itself,” says Zanero.
There goes Asimov’s third law, and with it, your factory’s profit. Production lines have a high downtime cost, running into thousands of dollars per minute. Robots are also custom-configured and difficult to source, making them difficult to replace.
This also raises the possibility of ransomware, says Zanero. An attacker could incapacitate a robot and then demand a ransom payment to set it going again. That would change the attacker’s business model from industrial sabotage to pure profit.

VIOLATING THE MOST IMPORTANT LAW OF ALL

Another possibility is that the robot could be programmed to violate the first law, harming a human directly. This would admittedly be difficult for an attacker to do. Robots working alongside humans are tightly monitored and designed not to make movements that could harm their coworkers. Nevertheless, there is scope for abuse, Zanero says.
“Even if the robot moves slowly and doesn’t really harm you by moving, if the point of the tool is toward you, it could harm you,” he says. Robots are programmed to keep pointy things away from people. “They are super good at that. There is a lot of safety around that, but it is software, not hardware,” he points out, adding that an attacker could change that software.
To its credit, the industrial robot vendor that Zanero’s team contacted about the flaws was responsive and quick to react. It thanked the team and patched the bug in its products, which is an encouraging sign. Nevertheless, there is more work for the robotics industry to do.
“We have tested one specific robot, and then we tested others just to see if our architectural considerations would generalize,” he says. “And they did.”


28 comments:

  4. Thank you everyone ... I am very interested in IIoT and Industry 4.0 but have been concerned that security is not adequately considered. We just filed a patent on an "Asymmetric Hardware-Based IIoT Wireless Security System" that I will be writing more about in this blog. There are so many articles to write & info to share - thank you for reading...
