The rogue robot is a familiar sci-fi trope: images of a compromised machine waving its arms and shouting ‘Warning! Does not compute!’ as explosions shake the polystyrene set. But what if that rogue robot were an industrial machine in an automotive, electronics, avionics, or pharmaceuticals factory? What if it were an entire smart facility?
The question chimes with the ongoing tabloid obsession with Terminators, malignant AIs, and job-stealing robots; it seems designed to stoke public fears about the rise of machine automation, a process that has been ongoing since the Eighteenth Century. And it comes – inevitably – from an enterprise cybersecurity provider with something to sell, Trend Micro.
The company has produced a detailed, 45-page report, Rogue Automation: Vulnerable and Malicious Code in Industrial Programming which at least grounds the issue in something prosaic and machine readable.
Ironically, the media’s concerns are often rooted in a binary view of society: that anything that is ‘on’ for machines must be ‘off’ for humans – as though there is a finite list of tasks in the world, more and more of which are being taken away from people. The real-world economy doesn’t work like that; it creates new jobs, new services, new companies. But are Trend Micro’s fears more justified? The short answer is: yes.
The crux of the matter isn’t so much the future as the past, explains the report: legacy code in proprietary industrial automation routines, allowing attackers to exfiltrate files from a robot and/or introduce malware:
We examined 100 open-source automation programs for robots and discovered that most of them were affected by vulnerabilities that could allow an attacker to control or disrupt a robot’s movements. Fortunately, the most critical ones — remote function execution vulnerabilities — were in demonstrator code. We hope that no one has ever used that code to teach class or, worse, derive production code.
Indeed, but the report goes onto explain that programmers in this field tend to copy and paste code, causing vulnerabilities to propagate across open-source projects, sometimes even into commercial, mission-critical products. An interesting use of “hope”, then.
The report explains:
Our findings are relevant to the modern and future factory because the flaws we found are descended from design choices made decades ago. These decisions determined the technology, techniques, and tools that are still used today to program industrial machines.
What does this mean? To create an assembly line in a factory, designers have little choice but to rely on custom, proprietary, or legacy programming languages, few of which have been designed with an active-attacker model in mind, says Trend Micro:
Some lack features, such as cryptographic functions, that are essential to implementing modern security measures. The platforms offered by some vendors do implement a few security mechanisms, most of which are ‘bolt on’ and do not integrate well with the programming environment.
As a result, while the operating system may have security features such as authentication and access control, the programming layer is a ‘black box’ with no fine-grained security control. This leaves it open to attackers.
In short, vendors have locked customers in to antiquated code, but not out of malice. The problem then becomes that it is impractical to fix these design flaws, because legacy programming environments can’t be easily ripped out and replaced in manufacturing – any more than they can in healthcare, another sector where highly regulated systems are being networked that were never designed to be.
Nick Tudor is Director of D-RisQ, a company specialising in assurance and trust systems for robotics. He tells me that it is this exposing of systems to the networked world that creates unnecessary problems:
If they are air-gapped, none at all [threats], but a big problem is if they start hooking them up to the net. Some are now considering adding 5G to these machines in various ways. The attack surface is about to get significantly larger.
Dr Adam A Stokes is Senior Lecturer (Associate Professor) at the Institute for Integrated Micro and Nano Systems at The University of Edinburgh, one of the UK’s leading robotics research centres. He tells me:
The report seems to be more about using legacy languages to hack a computer network, as opposed to hacking the robot itself. Ultimately, the robot will do whatever instruction it finds in memory, so any security risk in the computer it is connected to could result in inappropriate movement. This is particularly a problem if the robot relies on a centralised program for all sensor feedback and risk mitigation. Decentralised approaches with local control in embedded firmware is likely to be much safer.
At this point we should look at the big picture: the threat outside the factory walls, rather than lurking in the code or the bare metal. Are malicious actors actually targeting factories and other industrial systems? The answer again is: yes.
Reports published earlier this year by SonicWall, Dragos, and others, revealed that hackers are increasingly targeting the Internet of Things (IoT) and industrial control systems (ICS), including with new ransomware variants that lock up ICS functions and demand cryptocurrency payments. These came to light between December 2019 and February. Since then, the world has had other problems to contend with.
Meanwhile, Capgemini’s 2020 report Smart Factories at Scale found that one-quarter of all manufacturers have experienced a cyber-attack on their connected systems over the last year, with the impetus behind it invariably being financial.
That report got straight to the heart of the matter. While logic dictates that it is better to design something from the ground up than to retrofit ageing systems, it is a hell of a lot more expensive:
In our previous research, we estimated the cost of setting up a new greenfield factory for a top-ten auto OEM to be between $1 billion to $1.3 billion. In comparison, the cost for a brownfield setup was estimated to be between $4 million to $7.4 million per factory.
Capgemini published other findings that contrasted starkly with the economic prize on offer: only 14 percent of the 1,000 organisations surveyed by the company described their smart factory projects as successful. Scaling programmes beyond the pilot phase can be overwhelmingly complex in IT and operational technology convergence, it found, compounded by legacy systems and a lack of skills.
So what does Trend Micro believe are the solutions to the reams of ancient code that allow modern hackers to slip into industrial systems unnoticed? Rather than simply flog its wares, the company has collaborated with Robot Operating System – Industrial (ROS-Industrial), a consortium of original equipment manufacturers (OEMs) and research organisations.
Their joint recommendations are “echoed” by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) of the US Cybersecurity and Infrastructure Security Agency (CISA), says Trend Micro. They include:
Network segmentation: Use proper network protection devices to isolate industrial robots that need to process data coming from other networks. This should be done with a physical cable to make spoofing possible only to an attacker who is physically on site.
Secure programming: Promote secure programming guidelines among control process engineers and programmers. This minimises the attack surface exposed by legacy automation code.
Automation code management: Know and keep track of the automation code that is produced by a system integrator and runs in the factory. This type of oversight is “a fundamental prerequisite to finding, managing, and resolving vulnerabilities and other security issues”, says the company.
The other issue is this: know your attacker, who is likely to be a highly skilled individual or organisation with specific knowledge of the target facility, including the industrial platform being targeted. They are likely to have the budget to set up a lab for experimentation:
The programming environments for industrial machinery make it easy for attackers to abuse any low-level system resources, because there is no differentiation between privileged and non-privileged instructions. This is in contrast to the state of almost all modern computing systems.