Industrial Robots Gone Rogue: Staying Ahead of ICS Security Vulnerabilities
If you’re following industrial cyber security trends, you know that industrial networks, endpoints and control systems typically have inherent weaknesses that leave them insecure and open to compromise through digital means. With 5.6 million newly connected devices added per day in 2016 and an estimated 21 billion online by 2020, these growth trends only enlarge the potential attack surface within industrial automation and process control environments.
So, it shouldn’t come as a big surprise that the May 2017 report, Rogue Robots: Testing the Limits of an Industrial Robot’s Security, tells us that industrial robots are insecure too, and for many of the same reasons. What might surprise industrial firms with robotic applications, however, is how much cyber risk exists within their robotic ecosystem. The report was produced from research by students at Politecnico di Milano in Italy and researchers from the Japanese multinational antivirus and security vendor Trend Micro.
The students and researchers executed a proof-of-concept hack, remotely controlling an ABB IRB140 robotic arm. In their illustration, the industrial robot was hypothetically producing a 3D-printed rotor for a drone; the researchers were able to remotely change the robot’s configuration file without the operator noticing and thereby introduce a defect of a few millimeters into the manufactured part, enough to cause catastrophic flight failure for the drone.
3D-printed drone rotor (top: non-sabotaged, bottom: sabotaged). During the attack, the robot’s arm overshot a couple of millimeters (black line) and the operator did not notice any unusual movement of the arm until close inspection of the workpiece.
The hack itself wasn’t overly surprising. Remote access through the internet to Human Machine Interface (HMI) systems and industrial controllers is a huge and very disturbing concern, but not a new one. What was new was proving that these known attack scenarios apply to industrial robotic components, Human-Robot Interfaces (HRI) and robotic control systems, and validating that, sure enough, robots are insecure too.
ICS researchers at iSIGHT (acquired by FireEye) specialize in analyzing breach data, industrial control systems and ICS vulnerabilities, and had conducted a study of 15 years’ worth of disclosed vulnerabilities. Their 2016 FireEye/iSIGHT ICS Vulnerability Trend Report offered the summary chart below. A few key data points were:
- 123 vendors had vulnerabilities (many of the same seen in this robotics report)
- Approximately one-third had no fix available at the time of public disclosure (leaving customers with those products susceptible)
NOTE: In addition, many production environments simply cannot maintain a security-centric patch schedule, because uptime and production take higher priority.
This chart from the 2016 FireEye/iSIGHT ICS Vulnerability Trends Report shows disclosure trends and a significant jump beginning with the disclosure of Stuxnet in 2010.
Taken to an extreme, secretly injected and unauthorized “micro-changes” to robotic systems could cost companies millions in defective parts, and worse, if they are not caught by appropriate manufacturing quality assurance, test and inspection processes. By further extension, these findings show that robotic equipment, control operators and even public safety could also be at risk.
Some test scenarios involved humans and machines working closely together; modifying the calibrations or safety settings that govern that interaction could also cause human injury. Robotics is a growing field, and manufacturing sectors such as automobiles, pharmaceuticals, aerospace/airplanes, chemicals, food products and many others should consider this a wake-up call for the security of their operations.
Examples: Security Vulnerability Scenarios
Key weaknesses were seen in how industrial robots connect to the outside world. Many of these weaknesses and vulnerabilities have also been seen within non-robotic environments across an array of industries and critical infrastructure.
The findings were that once the robot’s main controller is compromised, essential services become exposed to the network, leaving the robot open to attack. The researchers determined the controller computer to be the most sensitive entry point to the robot. Below is an illustration from the report of the test scenario and the types of modifications that can potentially be made without detection.
This illustration from the report shows an attacker modifying the original program or commands in transit; the lack of an integrity check on the robot’s side means any modification is accepted and executed blindly. Belden’s Industrial Cyber Security portfolio of products can detect, alarm, and in some cases block access to protect industrial systems.
Per the drawing above, the following is a sample of network services and the security vulnerability risks they can pose without stronger ICS security. In this scenario the controller treats an FTP server as a fully trusted repository for firmware updates and configuration changes, so whatever is stored there is accepted without question when the robot reboots.
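The integrity gap described above (a program or configuration accepted blindly from a trusted repository) is easiest to see side by side with a loader that verifies before it executes. The following is an added example written for this article; it is not code from the report, from ABB or from Belden. It assumes a hypothetical controller that loads a motion program as JSON, and that the controller and the engineering workstation share a secret key provisioned out of band (never stored on the repository itself). The program, the key and the simulated in-transit change are all constructed for the example.

```python
import hashlib
import hmac
import json

# Assumption: a secret shared between workstation and controller, provisioned
# out of band. Constructed value for this example only.
SHARED_KEY = b"example-key-provisioned-out-of-band"

# Constructed motion program: three way-points in millimetres.
PROGRAM = {
    "tool": "extruder",
    "points": [[0.0, 0.0, 5.0], [40.0, 0.0, 5.0], [40.0, 40.0, 5.0]],
}


def serialize(program):
    """Canonical JSON so the tag is computed over a stable byte string."""
    return json.dumps(program, sort_keys=True, separators=(",", ":")).encode()


def sign_program(program, key=SHARED_KEY):
    """Workstation side: attach an HMAC-SHA256 tag before uploading."""
    tag = hmac.new(key, serialize(program), hashlib.sha256).hexdigest()
    return {"program": program, "tag": tag}


def is_authentic(package, key=SHARED_KEY):
    """Controller side: recompute the tag and compare in constant time."""
    expected = hmac.new(key, serialize(package["program"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, package.get("tag", ""))


def load_unverified(package):
    """Loader as in the report's scenario: no integrity check at all."""
    return package["program"]


def load_verified(package, key=SHARED_KEY):
    """Hardened loader: refuse to run anything whose tag does not match."""
    if not is_authentic(package, key):
        raise ValueError("integrity check failed: program rejected")
    return package["program"]


def shifted_copy(package, dx=2.0):
    """Test fixture: a copy of the package with one way-point moved by dx mm,
    standing in for the few-millimetre change the report describes."""
    modified = json.loads(json.dumps(package))
    modified["program"]["points"][1][0] += dx
    return modified


if __name__ == "__main__":
    pkg = sign_program(PROGRAM)
    changed = shifted_copy(pkg)
    print("unverified loader ran with x =", load_unverified(changed)["points"][1][0])
    try:
        load_verified(changed)
    except ValueError as err:
        print("verified loader:", err)
```

The HMAC here stands in for whatever integrity mechanism the vendor supports (a signed firmware image, a signed program file); the design point is the same: the repository is a transport, not a trust anchor, and the controller must check before it executes.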
The researchers outline many other vulnerabilities in their report, and some may sound familiar because they often apply to both corporate and ICS operations/plant environments, including environments that do not use robotic systems at all.
Staying Ahead of Security Vulnerabilities: Resources and Tips
Often when a report such as this comes out, it’s difficult to choose how or where to start lowering risk and increasing security. At the end of the report, the authors provide a helpful summary of suggestions, along with prioritizations for readers to consider.
Below are a few resources for those learning about ICS security, whether your environment has robotic systems or not. These are short, easy tips on how to begin finding out which vulnerabilities and ICS security weaknesses you may have and need to resolve.
- Subscribe to Your Vendor Security Alert Notifications
Most, if not all, equipment manufacturers are the logical first contact for researchers when a vulnerability has been discovered. As illustrated with ABB in the report, fixes can usually be produced quickly once the details are provided by researchers, users or even, collaboratively, by other vendors. Ideally following or in parallel with a fix, most vendors issue advisories to their customers or subscribers, often before the vulnerability is disclosed to the public. Here’s where to subscribe to Belden notifications.
Your Next Step: Consider assigning one person in the team to be responsible for monitoring the security alerts of every vendor in your ICS operations environment. Start with one of your most critical asset vendors and add the others in priority order.
- Subscribe to the U.S. DHS ICS-CERT Advisories Notification
It’s easy to subscribe and receive timely vulnerability advisories from the Department of Homeland Security’s (DHS) Industrial Control Systems Cyber Emergency Response Team. NCCIC/ICS-CERT investigates reported findings and disclosures before public notification and assists in resolving and documenting them for the ICS security community.
There is a full list of searchable ICS-CERT alerts and advisories organized by year and available for viewing or download at https://ics-cert.us-cert.gov/advisories. The ICS-CERT website itself is an excellent source of information that helps ICS security teams (whether in Operations or in IT) who want to learn to reduce their industrial cyber security risk and gain important knowledge to secure their environment.
Many previously reported vulnerabilities persist for years within industrial environments because ICS operations and process control environments change so little. As an example, ICS-CERT Advisory ICSA-12-059-01 is a 2012 ABB Robot Communications Runtime Buffer Overflow vulnerability that was updated in 2013 and for which ABB has a fix available. You may say, so old, why bother? Well, again, plant environments don’t change much, and vulnerability trends show that many, if not most, ICS vulnerabilities still exist even though the vendors have fixes available.
This particular one is very serious, having been assigned the highest (most severe) CVSS rating of 10.00, and it will give you an idea of the information available, where to look and what to investigate within your environment. These advisories can also be printed in PDF form and freely shared as needed.
Another point for consideration is that both “black hats” (bad guys) and “white hats” (good guys) have access to a wealth of online information about vendor products: manuals, product knowledgebase articles, patches and firmware upgrades, default passwords, etc. At a minimum, recognize that the ICS and SCADA world is no longer as isolated and specialized as it once was, and that outsiders can gain insider knowledge through online research alone. Dedicate resources to your own ICS security.
Your Next Step: Have the same or another person subscribe to ICS-CERT Alerts and Advisories at the bottom of the Advisories page. ICS-CERT personnel are also available by phone and email to discuss your questions and any specific circumstances you may have.
This is at the bottom of the ICS-CERT Advisories main page and is where to enter your email address to subscribe to ICS-CERT Alerts and Advisories.
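Subscribing is only useful if each advisory is checked against what is actually installed on the plant floor, which is the investigation step the ICSA-12-059-01 discussion above points at. The following is an added example written for this article, not a tool from ICS-CERT, ABB or Belden. It assumes a hypothetical asset inventory (name, vendor, product, version) and an advisory record with a single "affected below version" threshold; real advisories express affected versions in many ways, so the threshold shown for ICSA-12-059-01 is a constructed value and not taken from the advisory, and the second advisory is a placeholder. It then ranks matches by CVSS score so the monitoring person knows what to raise first.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    vendor: str
    product: str
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    vendor: str
    product: str
    affected_below: str   # assumed format: versions strictly below this are affected
    cvss: float
    fix_available: bool


# Constructed inventory for this example.
ASSETS = [
    Asset("cell-3-arm", "ABB", "Robot Communications Runtime", "5.12"),
    Asset("cell-7-arm", "ABB", "Robot Communications Runtime", "5.14"),
    Asset("line-2-hmi", "ExampleVendor", "ExamplePanel", "2.0"),
]

# ICSA-12-059-01, its CVSS 10.0 score and the availability of an ABB fix come
# from the article; the affected_below threshold is constructed, not from the
# advisory. The second record is a placeholder advisory.
ADVISORIES = [
    Advisory("ICSA-12-059-01", "ABB", "Robot Communications Runtime", "5.14", 10.0, True),
    Advisory("ICSA-EXAMPLE-0001", "ExampleVendor", "ExamplePanel", "2.1", 7.5, False),
]


def parse_version(text):
    """'5.12' -> (5, 12). Dotted numeric versions only (assumption)."""
    return tuple(int(part) for part in text.split("."))


def version_less(a, b):
    """Compare dotted versions, padding so that 5.14 == 5.14.0."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


def is_affected(asset, advisory):
    return (
        asset.vendor.lower() == advisory.vendor.lower()
        and asset.product.lower() == advisory.product.lower()
        and version_less(asset.version, advisory.affected_below)
    )


def triage(assets, advisories):
    """Return (advisory, asset) pairs, most severe first; among equal scores,
    those with a vendor fix first so patching work can start immediately."""
    hits = [(adv, a) for adv in advisories for a in assets if is_affected(a, adv)]
    hits.sort(key=lambda h: (-h[0].cvss, not h[0].fix_available, h[1].name))
    return hits


def summarize(hits):
    """One line per match, suitable for the weekly review with Operations."""
    return [
        f"{adv.advisory_id} CVSS {adv.cvss:.1f} "
        f"{'fix available' if adv.fix_available else 'NO FIX'}: "
        f"{asset.name} ({asset.vendor} {asset.product} {asset.version})"
        for adv, asset in hits
    ]


if __name__ == "__main__":
    for line in summarize(triage(ASSETS, ADVISORIES)):
        print(line)
```

In practice the inventory is the hard part: the matching logic is trivial once vendor, product and version are recorded consistently for every controller, HMI and robot on the network, which is why the earlier suggestion to assign one person to own this is the real work.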
- Online, Self-Paced Training Modules
One last suggestion: there are helpful ICS-CERT security training options on their website. On completing the self-paced study modules at the ICS-CERT Virtual Training Portal, students receive certificates that can be provided to their management to validate completion, if needed.
This could be good grounding for those just beginning in the complex arena of ICS/SCADA security, vulnerabilities, mitigations and reducing cyber threat risk on the plant floor, whether your plant uses robotics or not.
Your Next Step: Assign a motivated individual to complete a course of study online and provide completion certificates to get started with bringing stronger industrial cyber security skills into your organization.
The report’s researchers did a thorough job of outlining many of the exploitable vulnerabilities seen during their robotic systems testing. The report raises awareness that industrial robotic systems are yet another category threatened by common and specialized industrial cyber risks, and that no industry or technology sector can ignore ICS and SCADA security any longer.
The article was written by Katherine Brocklehurst, Director of Industrial Cyber Security Marketing at Belden. Her area of responsibility covers industrial networking equipment and cyber security products across four product lines and multiple market segments. Katherine has 20 years of experience in product management and marketing in network security.
The article originally was published on Belden Blog.