New research that looks at security threats facing robots in industrial settings finds that software running on these machines often is outdated; may be based on vulnerable operating systems and libraries; and often has weak authentication systems with default, unchangeable credentials.

In addition, "tens of thousands of industrial devices" reside on public IP addresses, further increasing the risk that an attacker may access and hack them.

A robot-welded seam on a production line could be compromised by a hacker.

Vulnerabilities appear widespread and extend to robotic systems used in aerospace, automotive, electronics, food and beverage, and plastics industries, among others.

And, although robust standards have been developed in North America and the European Union to deal with human/robot safety, the research team found few equivalent standards related to cyber security.

The International Federation of Robotics forecasts that by 2018, some 1.3 million industrial robot units will be used in factories globally. The total market value for these systems could top $30 billion.

The research into robot cyber security was done by Politecnico di Milano (POLIMI) and the Trend Micro Forward-Looking Threat Research (FTR) team. It analyzes the impact of system-specific attacks and demonstrates attack scenarios on industrial robots in a laboratory environment.

Most robot systems were designed and built to address safety around humans, says Mark Nunnikhoven, vice president of Cloud Research at Trend Micro. Relatively little attention has been paid to cyber security. In essence, most robots are fully connected computers with few safeguards against attack.

Attack Scenarios

Nunnikhoven says that an attacker could gain control of a robot welder and introduce a defect so small that it goes unnoticed, but compromises the weld's integrity. Not only would the defect be all but impossible to see, but data from the rogue robot would signal no trouble. In this way an attacker could introduce a defect that could lead to widespread product failure.

In another scenario, the researchers say that an attacker who introduces microdefects into a production chain may be able to keep track of which products are affected and then demand a ransom to reveal which product batches were affected.

Vulnerabilities in protocols and software that run industrial robots are widely known, the report says. And almost all industry sectors are potentially at risk.

Robot Laws

As the Industry 4.0 revolution improves the way industrial robots work and communicate, their growing complexity and interconnectedness give the industrial robot sector a broader "attack surface."

The analysis suggests that industrial robots should follow three fundamental laws:

  • Accurately “read” from the physical world through sensors and “write” (that is, perform actions) through motors and tools,
  • Refuse to execute self-damaging control logic, and
  • Echo one of the “Laws of Robotics” devised by Isaac Asimov: never harm humans.

By combining the set of vulnerabilities on a real, standard robot installed in a laboratory, the research team demonstrated how remote attackers can violate these laws up to the point where they can alter or introduce minor defects in the manufactured product, physically damage the robot, steal industrial secrets, or injure humans. We then considered some threat scenarios on how attackers

The authors say that while industrial devices are designed according to physical security and safety standards in order to work in rough conditions with extreme temperature ranges, vibrations, and electromagnetic noise, the ubiquity and flexibility demanded by Industry 4.0 means that industrial devices are designed to be flexible, easy to deploy, and to not necessarily require any special security or IT skills.

"These opposing design requirements," the authors say, "make producers very prone to introducing software bugs."