Industrial plant robots frequently connected to the 'net without authentication
Putting the ID in IoT
Industrial robots are frequently exposed to the internet, creating a security risk in the process, according to new research from Trend Micro.
Of the 83,000 robots researchers found exposed to the public internet, 5,000 had no authentication in place to guard against possible hack attacks.
A report by security researchers at Trend Micro and computer scientists at the Politecnico di Milano (POLIMI) in Italy highlights five attack types (such as altering the robot's state) which violate the three standard requirements of industrial robots: safety, integrity and accuracy.
For example, a hacker might be able to alter the control system so that the robot moves unexpectedly or inaccurately, at the attacker’s will.
The report (PDF) also uncovered 63 vulnerabilities in these systems.
"The software running on industrial robots is outdated; based on vulnerable OSs and libraries, sometimes relying on obsolete or cryptographic libraries; and have weak authentication systems with default, unchangeable credentials," the researchers report.
These flaws, if left unaddressed, create a mechanism for hackers to infiltrate, steal or disrupt industrial control plants. The scope of possible attacks include disrupting the operation of plants through to planting ransomware. Robots sometimes store sensitive data (eg, source code or information about production schedules and volumes) and this information might be snatched from vulnerable, internet-exposed systems.
Industrial robots are used in many aspects of manufacturing and beyond, from making cars to food production and packaging.
More details of the research are due to be published at the upcoming Institute of Electrical and Electronics Engineers (IEEE) Symposium on Security and Privacy in San Jose, USA, later this month.
Five years ago all this would have come as a nasty shock but these days the security shortcomings of industrial plants are likely to be viewed as a sub-set of the wider IoT problem.
Mocana CTO Dean Weber commented: "The ease by which attackers can make their way into industrial systems underscores the need to secure devices at their core, by embedding defence in the hardware and firmware used to operate things like robotic arms.
"There is simply no way, as this report shows, to stop cybercriminals from finding ways into manufacturing plants and other industrial facilities via the Internet. There, are, however, ways to stop intruders from taking control of devices they find," he added. ®
Sponsored: Becoming a Pragmatic Security Leader