Report Summary: Cyber Attacks on Smart Manufacturing Systems
Smart manufacturing systems are designed and deployed under the assumption that they will be isolated from both the outside world and the rest of the corporate network. On one hand, this does not necessarily mean that remote attackers should not be considered: Remote attackers will try alternative, indirect routes (e.g. infected automation logic or software extensions), which are possible. On the other hand, and perhaps more importantly, the closed-world assumption automatically implies that local attackers have full power: Because of the lack of isolation between the parts of a smart manufacturing system (e.g., all PLCs and machines on the same, flat network), any endpoint will trust any other endpoint and a local attacker will be able to do practically anything they want. We believe this should change.
Vulnerabilities in Smart Manufacturing Systems
Attackers are not sitting back and hoping for a high-profile, vulnerable smart manufacturing system to pop up on search engines like Shodan, ready for them to attack. We believe that unconventional attack vectors such as the ones we explore in the full report are more likely for an advanced attacker profile. This possibility is increased by the fact that smart manufacturing systems, while made of hardware, live in an ecosystem with an intricate net of interdependencies. Hardware is only one, small part of the equation. There are also other components: software, libraries, developers, business relations, and so on, including software used to develop other software, libraries sold by one company that is used by another company, system integrators who work for several factories. The report shows how this has repercussions on the types of attacks that are possible in smart manufacturing systems, such as those that involve malicious industrial add- ins and those that trojanize custom IIoT devices.
Once an attacker has landed on a smart manufacturing system, they have unique opportunities for lateral movement, some of which we believe had been unexplored until now. We found security-critical design issues in the automation logic in robots, which not only create ground for vulnerabilities (for which no automated vulnerability scanners exist yet), but also allow the implementation of malicious logic (which will pass undetected, again in the absence of scanners).
The first, main research question was, “Under which threat and attacker models are certain attacks possible, and what are the consequences?” Setting internal attackers aside, we note that external attackers will try to indirectly infect the endpoints through targeted malware. This alone is not surprising; the novel part is that some OT software may offer opportunities for targeting not only one specific person but broader categories of people who all use the same software (e.g., OT developers). This similarly holds true for software libraries used for IIoT development. This answers the second research question, “Are there any overlooked vectors that could facilitate an attacker’s getting a foothold in these systems?”
Using such attack vectors, the attacker can gain persistence using, for example, compromised automation logic (e.g., running on industrial robots). The next question follows up on this point: “What is the security impact of modern industrial software development practices, including the use of open libraries, with complex interdependencies?” Programs written in industrial development environments, which do not enforce the use of secure components (e.g., code signing, sandboxing), end up running on a manufacturing machine (e.g., robot). Similarly, IoT firmware that includes complex dependencies and a lot of “unofficial” libraries ends up monitoring or affecting the behavior of the machines. Since all of the components of a smart manufacturing plant are usually connected to the same, flat network, anything can happen. And because an attacker could really do anything to the system, the consequences are difficult to estimate.
The final question was, “What is the cybersecurity awareness level of the technical personnel who engineer, program, and operate in smart manufacturing environments?” Our survey and our analysis of online community discussion groups confirm that people working in OT environments consider security as an “add-on” rather than a process.
A smart manufacturing system does not exist in a vacuum: It is a complex ecosystem of machines, components, and people that can be taken advantage of by threat actors to launch both conventional and unconventional attacks. By shedding light on the different attack vectors that need to be focused on, especially the unconventional ones, we hope that this report will increase awareness levels, particularly of individuals who are involved in operating smart manufacturing systems.
With more than a decade of research experience in the cybersecurity field, Federico Maggi is specialized in doing threat and security analysis on virtually any system. Federico has analyzed web applications, network protocols and devices, embedded systems, radio-frequency control systems, industrial robots, cars, and mobile devices. He also has experience on defensive technology and research, through building machine learning-based tools for intrusion and fraud detection.
Marcello Pogliani holds a PhD in Information Technology from Politecnico di Milano with a dissertation on the security of manufacturing systems. He is affiliated with the NECST Laboratory of the same university, where he works with the Computer Security group. Marcello’s current research interests revolve around the security of cyber-physical systems. He is also generally interested in broader system-, web- and network- security issues.