Sabotage & Subterfuge: Hacking Industrial Robots

INDUSTRY 4.0 IS COMING

The sage words below are an excerpt from a Nov 1, 2017 Blog by Danny Bradbury - see https://sector.ca/sabotage-and-subterfuge-hacking-industrial-robots/. I include this entry today because I want to take a closer look at the promised connected world of the Industry 4.0 platform, so that we all remember to address the cyber security issues along the way to the promised land of true Manufacturing Automation.

--------------------------------  

Isaac Asimov’s three laws of robotics are safe, sensible rules. First laid out in 1942, rule number one prevents a robot from harming a human being. The second forces it to obey orders given it by people, except where such orders would conflict with the first law. Finally, it must protect its own existence as long as such protection does not conflict with the First or Second Law.

Those are some pretty sound, sensible rules – and Stefano Zanero has persuaded industrial robots to break all of them.

Zanero, an associate professor at Italian university Politecnico di Milano, will explain how in his talk at SecTor later this month. He has found flaws in industrial robots and developed theoretical attacks that could dramatically affect corporate users, and worse.

“I was taking coffee with a colleague that works on robotics, and was looking at their labs. While we were talking, I was going through all the research that I had read in the last few years. I realized that I had not seen anybody look into one of these things,” he says. That’s not surprising. “Not everybody has an €80,000 robot sitting above their lab.”

Zanero did. Robotics is a key research area at the Politecnico di Milano, so he set to work investigating several robots’ underlying security protections. He found some common flaws.

“Most of the components in the robot were relatively weak. They were not designed to withstand hacking attacks,” he says.

In one of the robots he investigated, he found a default user that couldn’t be disabled, and a default password that couldn’t be changed. “When you compromise the first Internet-facing component, all the other components are basically also yours,” he explains. Those components all download the firmware from the first, compromised component without checking code signatures.

BREAKING LAW NUMBER TWO

In compromising this software, an attacker is able to violate Asimov’s second law by giving it new instructions that its original programmers didn’t intend.

Industrial control systems built to this level of security are not meant to be Internet facing, he adds, and yet the move towards ‘Industry 4.0’ – an increasingly connected factory environment in which robots and other industrial systems are accessible via IoT-based networks – is increasingly putting them there. Many industrial robots today are a browser away from the Internet or in some cases directly connected, he warns.

What could he make a robot do with these vulnerabilities? He came up with several possibilities. The first was the introduction of micro-defects.

“If you get control of a robot, you can introduce in a subtle way a lot of micro-defects into the parts being manufactured. These defects would be too small to be perceived,” he says. “Since the robot isn’t designed with this attack model in mind, there is absolutely no way for the people programming the robot to realise that it has been put off centre and miscalibrated.”

A slight offset in a welding algorithm could produce a structural flaw that could have significant implications for product safety. Imagine a production line altered to produce unsafe automotive components. A year after the attack, the attacker could make the flaw known and force a product recall, costing the victim millions and trashing their brand. Worse still would be not making the flaw known, waiting instead until road accidents started happening.

GOODBYE, LAW NUMBER THREE

“The second big area of concern is that using the same manipulations, you can actually make a robot destroy itself,” says Zanero.

There goes Asimov’s third law, and with it, your factory’s profit. Production lines have a high downtime cost, running into thousands of dollars per minute. Robots are also custom-configured and difficult to source, making them difficult to replace.

This also raises the possibility of ransomware, says Zanero. An attacker could incapacitate a robot and then demand a ransom payment to set it going again. That would change the attacker’s business model from industrial sabotage to pure profit.

VIOLATING THE MOST IMPORTANT LAW OF ALL

Another possibility is that the robot could be programmed to violate the first law, harming a human directly. This would admittedly be difficult for an attacker to do. Robots working alongside humans are tightly monitored and designed not to make movements that could harm their coworkers. Nevertheless, there is scope for abuse, Zanero says.

“Even if the robot moves slowly and doesn’t really harm you by moving, if the point of the tool is toward you, it could harm you,” he says. Robots are programmed to keep pointy things away from people. “They are super good at that. There is a lot of safety around that, but it is software, not hardware,” he points out, adding that an attacker could change that software.

To its credit, the industrial robot vendor that Zanero’s team contacted about the flaws was responsive and quick to react. It thanked the team and patched the bug in its products, which is an encouraging sign. Nevertheless, there is more work for the robotics industry to do.

“We have tested one specific robot, and then we tested others just to see if our architectural considerations would generalize,” he says. “And they did.”

Manufacturing Today - Walking IMTS 2012 in Chicago

Well I just got back from the International Manufacturing Technology Show (IMTS 2012) in Chicago. What a spectacular show with over 1900 exhibitors, miles of isle ways, every building used at McCormick and a great crowd of people. IMTS comes around once every two years on the even year, and the last one was just before the financial meltdown that no one seemed to see coming in Sept 2010. This week over 100,000 manufacturing people came to see what was new, and where they could improve their operations.

My observations are as follows:

1.    Manufacturers are gearing up these days for "re-shoring," where jobs subcontracted to China and other low-cost "off-shore" countries are coming back. As such, they need to seek out new technologies to stay competitive and nimble. The use of technology, automation and the greater leveraging of information technology is clearly evident. From small inverted hexapod mini-assembly machines at the Fanuc FA booth in the South Hall, to the half dozen folks selling tooling vending machines in the West Hall, we see a drive to automate everything.

2.    The East Hall was filled with software technology providers that are focusing on Overall Equipment Effectiveness (OEE), real-time machine monitoring, energy management, CAD/CAM and better MES/ERP integration. A common theme was the adoption of MTConnect, but today it has more software applications than native machine types. The complaint from these software vendors was that people know they need information, but are wondering how to get the connectivity and grappling with the user interface. From bar code readers to hand held terminals, touch screens to the leveraging of optional machine protocols - everyone knows that the last few inches is where the MTConnect movement will need to focus to gain greater traction.

3. The South Hall had spectacular million dollar booths from industry veterans such as Mazak, Makino, Hyundai, Hurco, Haas, OKUMA, Methods, MAG and so on. It is not every day that you see two story booths, bars serving alcohol, robots moving train wheels in a Flexible Manufacturing System (FMS) cell. It was a feast for the eyes and probably the most advanced display of manufacturing ever - and I have been going for 22 years!

4. The North Hall had smaller booths with EDM, grinding, saws, DNC, tool management, metal suppliers, you name it - the entire manufacturing world was represented. A sales rep from Hyd-Mech, a company in the fabricating cut-off saw business, admitted to me that IMTS is a place you have to attend, but for them they get 3 times the sales from their specialty FabTech Show in Vegas. That said, he admitted if you don't come, your customers and competitors will assume you are out of business. So IMTS is a place to be seen and catch up with the industry for sure.

5. The emerging technology area still had an MTConnect booth staffed by TAG and Institute staff members like Paul Warndorf - but this is probably the last year for it as it is 6 years old now. Some new applications using iPads were shown by Joel Neidig from ITAMCO and Ken Tock from MacKintock demonstrated their iPad and HMTL5 dynamic web-based MTConnect factory floor emulation and data feed which was impressive. John Turner and Will Sobel, two of MTConnect's main technical architects, took the time to explain to Paul Hogendoorn, an electronics entrepreneur and tech writer with Manufacturing Automation in Canada, what MTConnect's main value equation was. In short, MTConnect is an open web-centric schema that acts like a common dictionary for the manufacturing connectivity world. That means developers and users always know what and where data can be found in any MTConnect appliance and the simple, expandable common interface that will enable future plug n' play integration economies. In simple terms then, gone are the days when you were locked into poor communication options, expensive protocols for each and every machine, or heavy costs to migrate to new technologies as they came along. Once again, the industrial democracy is demonstrated at its' best here and we all benefit. The extensible open aspects of MTConnect are now using "Read/Read" to safely get dissimilar equipment talking fast. As an electronics developer, and former manufacturer himself, I think that Paul "got" the MTConnect value equation and realized that the next big hurdle is legacy connectivity.

6. It was great to connect with vibrant Diane Pepi at Methods Machine about advances in Yasnac third party products. Nexas is looking to soon supply the Yasnac J300 memory module and Methods is the Matsuura dealer in North America that focused on Yasnac controls before they stopped producing. That said, it is clear that the memory upgrade and DNC market are soon to be eclipsed by technology that makes every machine a node on the corporate network. Jim Brown from Makino pointed out that all his machines have Ethernet connectivity, but it is the old ones they worry about as more and more clients see the benefits of inter-machine inter-connectivity on all their machines Makino or not. While we waited for MAG VP Jeff Price, PJ pointed out to me late on Tuesday afternoon that all the machine monitoring solutions they sell still need better legacy connectivity. So much can be done to help operations and plant floor visibility if we can just elegantly bridge the last few inches - a theme we have heard before. With Dave Edstrom, Chair of MTConnect, calling for abstracts by Oct 1 for the next MTConnect [MC]2 Conference in April 10-12 at the Hyatt Regency Hotel in Cincinnati - this topic needs to be addressed before then.

7.   Finally the theme in the emerging technology booth was all about additive technologies. Teams converging on a trick car design in this area also highlighted that global engineering teaming and skunk works will be a future reality. Solid modeling seems to a standard  on the all the CAD/CAM software offerings in the East Hall as the world gets robots and automated handlers to reduce waste, shorten development time and save energy for better sustainability and cost control.

In summary, IMTS 2012 was for me a great eye opener as to the advanced state of manufacturing. I found the attendee mood was upbeat with serious buying on people's minds. We seem to want to do more with less, and do it faster than ever. Sophisticated electronics control systems are in almost ever single manufacturing tool these days, and the next drive will be to interconnect those islands of automation. I predict that when one looks at the cyber factory floor of the near future, they will realize that it is really one big machine with many connected parts - all connected with a shop floor nervous system.

In short, I foresee that machine tools will soon just be like USB metal printers that plug into the system, mount and run together easily in the very near future...