Rogue Automation: Vulnerable and Malicious Code in Industrial Programming


This white paper reveals previously unknown design flaws that malicious actors could exploit to hide malicious functionality in the programs that drive industrial robots and other automated manufacturing machines. Because these flaws are rooted in the design of the programming languages and platforms rather than in a single product, they are difficult to fix, and enterprises that deploy affected machines could face serious consequences. An attacker could exploit them to establish persistence inside a smart factory, silently alter the quality of products, halt a manufacturing line, or carry out other malicious activity.

Industrial Programming Vulnerability

The research was set in motion a few years ago, when we stumbled upon something we had never seen before: a store that distributed software for heavy industrial machines in the form of apps. We downloaded some of these apps and reverse-engineered them to understand how they worked. What we were looking at was something quite different from any software or programming language we were familiar with. The code was written in one of the many proprietary programming languages used to automate industrial machines, the types of robots typically used to assemble cars, process food, and produce pharmaceutical items, among other industrial purposes. The most notable part of our investigation is that we found a vulnerability in one of these apps.

The vulnerable app was a full-fledged web server, running on the bare-metal computer of the controller of the industrial robot on which it was installed. It was written in a custom, proprietary programming language. Although designed many decades ago, languages such as this are still in use today to run critical automation tasks. And although these custom languages are expected to have some form of networking functionalities, we were surprised to see that they had enough features to create a working web server.

While the IT software development industry has been dealing with the consequences of insecure programming for decades, the industrial automation world may be unprepared to detect and prevent exploitation of the issues found in this research. Given the pace of IT/OT convergence, the automation engineering industry should start establishing and embracing secure coding practices now: within ten years it is highly likely to face the same challenges that the IT software development industry faces today.
