Industrial plant robots frequently connected to the 'net without authentication Industrial robots are frequently exposed to the internet, creating a security risk in the process, according to new research from Trend Micro. Of the 83,000 robots researchers found exposed to the public internet, 5,000 had no authentication in place to guard against possible hack attacks. A report by security researchers at …
We had a robotic picker that ran on some version of Windows that looked like Windows of old (Vista? 7?). It was often blighted by demands to upgrade to W10, random advertising, etc.
The only saving grace is that it utterly sucked and would drop more than it correctly placed, so most of the time it was just sitting unused wasting electricity. Gone now.
Anon because my employer's tech guys might be reading...
That's okay, at least the robot picker is paid for. A hu-man worker would be getting a salary to sit around using electricity. We can't have that. He might buy some medicine, or use his knowledge of Fortran to receive a secret payment from NASA while no one is looking. :P
Seriously, this problem with the insecure Internet connected robots is quite easily cured by applying a small amount of blockchain, just a taste, not too much now. Then we add a bit of quantum AI stick it on a secure public virtual cloud, observe all with our VR glasses, then we render it in Rose Gold®, a registered trademark of the Apple okay, then let IBM's Watson stir the pot, he takes a taste, gives it a thumb's up, and all is forgiven. Amen. And Luke, and Leia, and the little gay robots lived happily ever after. The end.
"Five years ago all this would have come as a nasty shock ..."
Ten years ago, I was asking why a very large site HVAC system was connected to the internet and I was told that it made it easier for the supplier to monitor it and issue corrective commands if anything went wrong. One of the supplier enginners told me that, "just for curiosity", he'd checked if he could still access a pumping station in Spain that he'd worked on a few years previously. He said that he could, from his own home, but that he'd logged out before testing if he could change its operating parameters.
The situation seemed to be normal then and is probably still regarded as normal among many 'cultures' now.
Seriously WTF?
Who in their right minds would think this is a good idea?
The answer is probably they thought it was a convenient idea, which is of course much better.
Backed up with a big dose of "Well no on knows it's there and if they find it they won't realize it's a big old robot that lift half a tonne and swing it through several metres so where's the harm?"
"Robbie removed the thin cover..."
...let's do it properly, shall we... ;)
"I've kept all my protective films intact" Roberta purred, "I've been waiting for someone like you to peel them off my faceplate...". There was an almost imperceptible quiver in the cool evening air all over her condensation-covered chassis as her servos warmed to nominal operating temperature, their high-frequency chopped currents coupling as a subtle hum into Robbie's sensor loops. With his induction-hardened main shaft at end of stroke the tremendous pressure of the hot hydraulic fluid was quickly growing out of spec, his bypass valves straining to redirect the flow...
So that is what are we doing wrong, not connecting the tooling to the internet </sarc>
All the computer controlled tooling in the factories we oversee are on an internal net with the servers, switches etc., in a locked section of the computer room. It requires two people with keys to unlock that section, one of my people and one of their security people. Even the office network only gets switched to the internet at set times and that is generally to allow the remote backups to run.
"So why has it taken so long for anyone to draw attention it?"
"People" have been drawing attention to it, as you rightly suggest, over a number of years and even (more recently) a number of reasonably well publicised incidents.
E.g. Wasn't there a recent US court case involving a robot and a fatality, reported here (with an extended discussion) and presumably elsewhere?
https://www.theregister.co.uk/2017/03/11/autobot_makers_sued_over_technicians_death/
Any more news on this case since then?
It won't be the only such incident, there'll be more until something changes in the way these things are done.
Robots and related semi-realtime systems (SCADA etc) aren't shiny sexy IT toys, especially when they have safety-related roles, and they shouldn't have revenue to be made from anti-virus and devops training and such.
Robot hardware might need to be agile, safety related software development probably shouldn't be Agile, and desktop-centric OSes and toolsets may or may not be appropriate as the runtime environment for the control systems in question. But try telling that to management, and it's probably a career-limiting move.
"Management" generally aren't listening. Yet.
"E.g. Wasn't there a recent US court case involving a robot and a fatality, reported here (with an extended discussion) and presumably elsewhere?"
I don't recall that hacking was involved in that particular incident.
But - it was exactly the type of action that could be caused by someone hacking in to the control.
To be fair, any such incident is supposed to be impossible as robots having people in dangerously close proximity are supposed to be locked out and de-powered at hardware level and by no means controllable online. Which is not to say "normal" production couldn't be screwed with, but this should not be relevant to accidents...
"robots having people in dangerously close proximity are supposed to be locked out and de-powered at hardware level"
That's fine by me, but I suspect it's considered a rather dated approach in some places e.g. in the rarefied atmosphere of the management offices and boardrooms, where consequences are things that other people pay for.
This from page 6 of the Trend Micro report quoted in the article:
"Industrial robots are traditionally designed to operate in a cage, physically separated from where humans work. However, vendors are introducing various models of collaborative robots (co-bots) that are able to work in physical proximity to humans (e.g., ABB’s YuMi, FANUC’s CR-35iA, 13 and various models by Universal Robots; see Figure 3)."
[Fwiw: ABB's YuMi isn't a classical ABB production-line robot; it's a little bit bigger than some of the tabletop robots I've seen used as toys or for training. Can't comment on the others mentioned.]
So you buy a robot so you dont have to pay for someone's wages only to discover to run it securely you have to employ someone who will be as expensive as the staff you have replaced!
We live in a post capitalist world because the capitalists have got all the money but refuse to invest in the post that holds their world up.
Air gap
Air gap
And glue in the USB ports
My boss thinks I'm crazy , but one servo lag parameter changed... and you get the example in the video.
Actually a fun example would be changing the speed parameters for when the machine puts a thread in a hole, so instead of the efficent cutting it normally does, it "pulls" on the thread thus weakening the thread structure.... sounds tiny does'nt it....... but that thread is designed to take 50 lbs of force but now it couldn't manage 10 lbs.... and your brakes fall apart at 80mph when you press the pedal....
"Nice factory you got here. Be a shame if one of those 'bots was to go crazy and start wacking people with some of the metal it's supposed to be working on. What you need is some sort of protection against that happening..."
Not just violent pranksters looking to cause trouble.
Legal note.
This is extortion, not blackmail. Extortion is where you threaten to do (or not do) something to someone directly. Blackmail is where you threaten to reveal (or not) something to a third party.
When robotics and other embedded systems were first implemented, the Internet didn't exist beyond Usenet and mostly computer geeks and engineers were the only ones on the net.
I wrote some embedded systems over 25 years ago and networking wasn't even an issue. Today those same systems are connected to a pc/server that connects to the web.
So a lot of the infrastructure is ripe for security threats.
Sadly I can actually believe that.
Eliminate the "annual service visit" and allow continuous monitoring. Even better (for PHB) you can eliminate the light on the front panel that says "request service call. Machine needs attention" as well.
In fact while we're at it we can do remote updates in case we need to upgrade (or rather the customer pays for an upgrade) to the software. No authentication needed as no one else knows what it's for or even if it's on the net.
All at the minor cost of creating yet another gaping wide door into the machines core software.
The road to Hell is not paved with good intentions. It's paved with "convenience."
"Industrial robots are frequently exposed to the internet, creating a security risk .. a hacker might be able to alter the control system .. Five years ago all this would have come as a nasty shock"
Only if you've been in a coma since 2003 or 1997.
"There is simply no way, as this report shows, to stop cybercriminals from finding ways into manufacturing plants and other industrial facilities via the Internet.
There is you fucking retard, don't connect your industrial facilities to the Internet.
"don't connect your industrial facilities to the Internet."
Respect stupid! Stupid exists, Stupid is always there,... waiting. The person you least expect is capable of becoming Stupid.
Encrypt everything, use strong keys, limit the access. Set up your robots so they can't interact with people, then airgap everything. Physically control access to everything, and you still have to check everything for stupid. Cause stupid has a laptop/mobile phone, and then all your hard work is on the Internet. Hell, stupid may even be paid to do it (probably not though)
Saw a few months ago stupid with RDP server, user name and password the same on the Internet. cause it would save their accountant a bit of time.
It was only their orders,client history, and council approvals that got encrypted.
Good Luck! Against Stupid..... we all need it!
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
