Background
In an effort to enhance the output and precision of manufacturing products, as well as their capacity to operate in challenging surroundings, robots have become indispensable assets in contemporary manufacturing facilities. Typically, these factories utilize both conventional industrial robots and collaborative robots (co-bots), due to their diverse features such as flexibility, safety, and advanced sensing abilities [1][2].
- Traditional industrial robot:
This type of robot is designed for autonomous manufacturing processes, exhibiting the capability of high-volume, high-precision, and high-speed production. However, the rapid movement of their robotic arms poses a safety hazard to human operators, necessitating the implementation of protective measures, such as enclosures, to maintain a safe distance between human workers and the robot’s operational area. For example, the automotive industry relies heavily on traditional industrial robots for welding, given the stringent precision requirements of the final product. Moreover, these robots are also well-suited to execute operations that pose a risk to human operators, such as painting and metal stamping, within a car manufacturing facility.In a pharmaceutical manufacturing plant, once the drug production process has been completed, the final product must be packaged and dispatched to the customer. Given that the packaged containers are relatively heavy, traditional industrial robots are ideal for handling them, thereby reducing the potential risks for worker injury.
- Collaborative robots:
These are designed to operate in close proximity to human operators and are equipped with force and power limitations to prevent injury. Unlike traditional industrial robots, co-bots are better suited for low-volume, high-variability production or tasks that require human interaction. For instance, in the automobile manufacturing industry, co-bots can aid in the assembly of lightweight components (such as seats or handles) to minimize human errors and can be equipped with visual systems to carry out automated inspections and detect subtle imperfections that may go unnoticed by the human eye.In pharmaceutical manufacturing facilities, various routine tasks such as sorting medication bottles, dosing, and capping can be facilitated with the assistance of co-bots, resulting in a faster and more consistent production process. Furthermore, errors in drug inspection can have severe ramifications for patients, making co-bots equipped with visual systems ideal for ensuring defect-free drugs. Additionally, co-bots possess the ability to learn and adapt on-the-job, unlike traditional industrial robots that can only be reprogrammed by skilled engineers. Factory personnel can easily retrain the co-bot by guiding the robotic arm along the desired path, whereas significant modifications to the production process with traditional robots require extensive engineering efforts.
Figure 1. System Architecture of the Application of Robots in Modernized Factories
As shown in Figure 1, in modern automotive, pharmaceutical, and other manufacturing facilities, the use of robots enhances production efficiency. Factory operators can control the robots’ functions by issuing instructions to the controller via the pendant or workstation in the robot network. These instructions may include executing programs, adjusting parameters, and more. The controller, in turn, implements the instructions by operating the robot’s arm or end effector. The controller also receives data from the robot, which is analyzed and adjusted in real-time by the operator using the pendant or workstation. In addition to direct control, programmers can also optimize robot performance through Off-line Programming (OLP) on the Engineer Workstation (EWS). This involves compiling optimal results offline using a 3D model in a simulator, followed by uploading the program to the actual robots for implementation.
The Attack Surfaces of Robots in Modern Factory
In highly networked modern factories and complex robots’ operating modes, attackers have the opportunity to use more diverse methods to carry out cyberattacks on robots, particularly in the case of manufacturers who do not take product cybersecurity issues seriously. This complacency creates opportunities for attackers that break into a factory to easily compromise these devices. When robots are successfully attacked, in addition to directly causing the factory to halt the manufacture of products, this tampering will also affect the safety of people’s lives due to the nature of close cooperation between co-bots and humans. With this in mind, using past and current robotics cybersecurity literature and research as reference, we will analyze the following potential attack scenarios for robots.
Figure 2. Potential Attack Scenarios for Robots
1. The controller lacks an appropriate authentication method, making it vulnerable to attacks
Shown as number 1 in Figure 2, the controller has not implemented an adequate authentication mode, making it vulnerable to attacks. To allow for ease of use, the controller often enables remote connection services, such as FTP or Web, or APIs provided by the manufacturer. However, these services are often not secured with appropriate credentials and can thus be accessed remotely without authentication by attackers who have obtained the manufacturer’s released tools or API usage methods. This can result in the upload of malicious configuration files or codes to the Controller, causing the robotic arm or end effector to execute malicious commands and disrupting the accuracy of the manufacturing process [3].
Additionally, some manufacturers control the robot mode (“manual” or “automatic”) using a pendant device, and the pendant does not verify the signature of the boot image when downloading it from the host. If the controller is compromised, the attacker can upload malicious files to the pendant through the controller, which can display an incorrect user interface. In scenarios where humans and co-bots work in close proximity, if the operator trusts the mode displayed on the pendant (“manual” mode) and performs actions near the robot, there is a risk of human injury.
Considering the above-mentioned attack vectors, we also ran this scenario using a simulator. If the attacker is able to record the contents of the control command, they can write a program code to remotely disconnect the operator, causing a denial of service. This vulnerability was reported by TXOne Networks through ICS-CERT and was published in the ICS Advisory [4].
2. Control Station uses risky data exchange standards, giving attackers the opportunity to remotely block the normal operations of the robot
Shown as Number 2 in Figure 2, Robot Operating System (ROS) is a specialized application development framework designed for robots, commonly used in the field of automated control such as drones, industrial robots, unmanned vehicles, and self-driving cars. Previous research has found that cybersecurity was not a priority in early versions of ROS, making it easy for attackers to perform FIN-ACK DoS, man-in-the-middle, or vulnerability attacks as long as they have access to the Control Station where ROS is deployed [5]. However, with the adoption of Data Distribution Service (DDS) as the data exchange standard in ROS 2, the publish-subscribe communication mode is now characterized by reliability, high efficiency, real-time performance, interoperability, and is expected to become the main trend in factories. Yet, our joint research with other teams [6] uncovered 13 new vulnerabilities in the standard that could lead to denial of service or buffer overflow conditions if exploited [7]. For instance, in a factory utilizing DDS for data exchange with robots, attackers could send specially crafted packets to perform amplification attacks on any device, thus disrupting its service and preventing the factory from operating.
3. Some pendants use wireless technology to implement safety functions, affording attackers the opportunity to prevent operators from issuing emergency stop commands
Illustrated as number 3 in Figure 2, to address the issues of mobility and cable placement, an increasing number of manufacturers are opting for Wireless Teach Pendant (WiTP) technology (such as COMAU) and providing operators with safety features, such as the ability to trigger the emergency stop (e-stop) button through the WiTP. However, this architecture also presents more opportunities for attackers to target robots. For instance, attackers can use man-in-the-middle attacks to prevent legitimate operators from issuing emergency stop commands during emergencies, posing a serious threat to the safety of factory workers.
4. If the cybersecurity flaws in the OLP are not properly addressed, then attackers will have the potential to penetrate the EWS, thereby exposing the entire plant to potential threats
Shown as number 4 in Figure 2, the OLP is a method for programming robots. This method is separate from the actual robot, and a 3D model in a simulator is utilized for offline editing to help developers create the optimal path for specific tasks within the EWS, which can then be uploaded for the robot to execute. Our research found that the majority of these OLP programs developed by different manufacturers are lacking in cybersecurity. For instance, we discovered that these programs contain vulnerabilities such as directory traversal, which could allow attackers to remotely access sensitive data from the EWS. This threat has been reported to the manufacturer and is currently being addressed by them.
Figure 3. Sample of FANUC OLP
5. Specific vendors provide online software extension platforms, which give program developers the opportunity to mistakenly download malicious extensions in EWS
Shown as number 5 in Figure 2. Some manufacturers offer online software extension platforms to help program developers speed up their program-writing process. These platforms work like an app store, where developers can upload or download extension packages relevant to their needs. While the uploaded programs undergo review, research has shown that there are vulnerabilities in the review process, allowing malicious users to bypass it and go on to download and execute potentially harmful programs. This can result in the infiltration of the factory network by attackers and poses major threats to the operations [8].
6. When factories fail to check the sources of robot programs, attackers are able to insert malicious programs into the controller through supply chain attacks
Shown as number 6 in Figure 2. The programs that robots run are usually written by system integrators. However, in most cases, the factory does not carry out cybersecurity checks on the programs that they deploy. If the system integrator is compromised by an attacker, the attacker has the opportunity to insert malicious programs into the controller. Past research has revealed that attackers can design droppers that can automatically download malicious programs on devices of brands that support dynamic code loading, such as ABB, Comau, Denso, or Fanuc. This way, attackers can secretly deploy malicious programs in the controller, making it difficult for factory personnel to detect that the robot has been taken over by an attacker [9].
Given the above-mentioned potential attacks on robots, it is challenging to rely on a single cybersecurity solution for modern factories. Therefore, it is suggested that the factory builds a visualized central management platform for controlling cybersecurity. This platform can monitor the factory’s state at all times and prevent malicious programs from executing on robots.
Reference
[1] Jean-marc Buchert,“Cobot vs Industrial Robot: Differences and Comparison”, Man plus Machines, Oct 6, 2021, Accessed Jan 19, 2023
[2] Robots Done Right Article, “Cobots for Automotive Manufacturing”, Robots Done Right, Accessed Jan 19, 2023
[3] Trend Micro Security News, “Rogue Robots”, Trend Micro, May 3 2017, Accessed Jan 19, 2023
[4] ICS-CERT Advisories, “HIWIN Robot System Software (HRSS)”, CISA, Oct 6 2022, Accessed Jan 19, 2023
[5] Quanyan Zhu, Stefan Rass, Bernhard Dieber, Victor Mayoral Vilches, “An Introduction to Robot System Cybersecurity”, Alias Robotics, Sep 13 2021, Accessed Jan 19, 2023
[6] Federico Maggi, Erik Boasson, Mars Cheng, Patrick Kuo, Chizuru Toyama, Victor Mayoral Vilches, Rainer Vosseler, Ta-Lun Yen, “Defending the Supply Chain: Why the DDS Protocol is Critical in Industrial and Software Systems”, Trend Micro, Jan 27 2022, Accessed Jan 19, 2023
[7] ICS-CERT Advisories, “Multiple Data Distribution Service (DDS) Implementations”, CISA, Feb 1, 2022, Accessed Jan 19, 2023
[8] Federico Maggi, Marco Balduzzi, Rainer Vosseler, Martin Rösler, Walter Quadrini, Giacomo Tavola, Marcello Pogliani, Davide Quarta, Stefano Zanero, “Smart Factory Security: A Case Study on a Modular Smart Manufacturing System”, ScienceDirect, Feb 20, 2021, Accessed Jan 19, 2023
[9] Federico Maggi, Marcello Pogliani, “Rogue Automation”, Trend Micro, Aug 4 2020, Accessed Jan 19, 2023
