Rogue robots aren’t the stuff of science fiction anymore — they’re a real risk, and one that Colorado Springs manufacturers must face as the industry becomes more connected.
Many manufacturers are underestimating the damage hackers can do to — and through — connected robotic systems, according to Shawn Murray, cybersecurity engineer and chief academic officer with Springs-based Murray Security Services & Consulting.
Cybersecurity needs to be front-and-center as manufacturers upgrade to more automation and robotics, he said.
“Depending on how old the organization is, traditional manufacturing is not considering the aspects related to cyber attacks,” he said. “What if I was to break into your system and steal a portion of your code or … encrypt your entire system? Now you can’t even do production, because I’ve locked you out of your own environment.
“It’s not until something like that happens, that you’re going to start getting people worried about this kind of thing. Some are doing it correctly, but I would say there are many that are not.”
Murray said leadership at many manufacturing companies is several generations deep, and a productivity- and business-oriented focus tends to win out over any focus on critical security systems associated with robotics or the manufacturing process.
“The attitude [is] ‘Well that’s ridiculous, that couldn’t happen to me. Nobody can hack this system because it’s a different code that’s used,’” he said.
“Well, if it’s attached to your business network, a skilled actor or a state actor — say the Chinese, the Iranians, Russians — they’re going to be able to figure it out,” he said. “There’s a lot of risk out there.”
By 2019, about 2.6 million industrial robots will be operating in factories worldwide, according to the International Federation of Robotics, with robots playing a key role in “industry 4.0,” characterized by automation trends and smart factories.
The IFR expects the annual supply of industrial robots to North America to increase an average of 5-10 percent each year between 2016 and 2019.
A recent report from enterprise data security company Trend Micro and Polytechnic University of Milan looked at how malevolent hackers can compromise industrial robots — either as an act of sabotage, or in ransomware schemes.
“Rogue Robots: Testing the Limits of an Industrial Robot’s Security” found that the increased complexity and interconnectedness of industrial robots have opened a “broader attack surface” for hackers.
“Industrial robots — originally conceived to be isolated — have evolved and are now exposed to corporate networks and the internet,” the report says. “In industrial devices, the impact of a single, simple software vulnerability can already have serious consequences. Depending on the actual setup and security posture of the targeted smart factory, attackers could trigger attacks that could amount to massive financial damage to the company in question or at worst, even affect critical goods.”
According to the report, cybersecurity is becoming especially urgent as more industrial robots are connected to computer networks and designed to work alongside humans.
Industrial robots must follow three fundamental laws: accurately “read” from the physical world through sensors and perform actions through motors and tools; refuse to execute self-damaging control logic; and most importantly, never harm humans.
Safety is a real concern, according to Murray.
“Some robots humans aren’t allowed to be around — you have safety areas around them, and you’re not allowed to break those barriers,” he said. “What if the specification on that [robotic] arm is changed, and it comes outside that barrier?”
While many Springs manufacturers don’t currently rely on connected robots, that’s changing.
Tony Feltman, president and owner of Spire Manufacturing Solutions, said more and more local manufacturers will move to greater automation and more robotics to stay competitive during the next three to four years.
Colorado Springs — along with the rest of the United States — “skipped a few generations of new introduction of manufacturing technology” due to a period of offshoring, he said.
“We as the United States and/or Colorado Springs didn’t keep up with technology, and now it’s a big leap,” he said. “Now you really don’t have a choice if you want to stay competitive: you either retire, sell your business or integrate the technology.”
Once manufacturers connect those industrial robots to the internet to enable real-time monitoring, diagnostics and other efficiencies, cybersecurity becomes critical, Feltman said.
Cybersecurity as strategy
Cybersecurity must be part of every manufacturer’s strategy for updating production with industrial robots, Murray said.
“Part of the strategy should be to have a senior cyber engineer baking it in. That’s one of the things we preach: Design the security into the solution that you’re developing, so that you’re not having to do it after a breach when you’ve spent a whole bunch of money trying to recover from a hack or malware,” he said. “Invest it now instead of later, because the cost of doing it later is going to also include the loss of business, the loss of reputation, the loss of production. All of those will add up, and you have to do it anyway.”
Murray shared the basics for protecting manufacturing and robotics systems and networks, including:
• Don’t connect a robotic network to the internet unless it’s really necessary.
• Segment the production network from the business network, and use defense-in-depth strategies to protect them.
• Make sure rogue systems or robots can be isolated from others on the production line remotely.
• Create identification and dual-factor authentication procedures for production systems, robots and the networks they operate on.
• Make sure the operating system includes malware protection unique to the computing environment.
• Ensure only authorized and documented changes can be made to the production environment, including software changes, hardware changes and configuration changes.