Staying ahead of ICS security vulnerabilities

12-07-2017 | By Nigel Seymour

We all know that industrial networks, endpoints and control systems have inherent insecurities that make them vulnerable to compromise through digital methods. With over 5.6 million devices being newly connected each day in 2016 and an estimated 21 billion going online by 2020, these growth trends will only increase the potential attack surface in industrial automation and process control environments.

Katherine Brocklehurst, Director, Industrial Cybersecurity Segment Marketing, Belden, says that it won’t come as a big surprise to learn that the May 2017 report, Rogue Robots: Testing the Limits of an Industrial Robot’s Security, informs us that industrial robots aren’t secure either, for many of the exact same reasons. However, what might surprise industrial firms that have robotic applications is how much cyber risk exists in their robotic ecosystem.

The report was produced from research by students at Politecnico di Milano in Italy and researchers from Trend Micro, the Japanese multi-national antivirus and security company. The researchers and students executed a proof-of-concept hack by remotely controlling an ABB IRB140 robotic arm. In their test, the robot was hypothetically designing a 3D-printed rotor for a drone. They were able to remotely change the robot’s configuration file without being detected by the operator and were therefore able to introduce a few millimeters of defective manufacture, causing catastrophic flight failure for the drone.

Remote access via the internet to HMI systems and industrial controllers is a big concern and extremely disturbing, but it is not a new problem. What was new was proving that these known attack scenarios apply to industrial robotic components, HRI and robotic control systems, and validating that robots are also insecure.

A few key data points from ICS researchers at iSIGHT show that, taken to an extreme, secretly injected and unauthorized ‘micro-changes’ to any robotic system could cost companies millions in defective parts, and worse if they are not caught by quality assurance, test and inspection processes. Extending these further, the findings also show that robotic equipment, control operators and even public safety could be at risk. Test scenarios included ones where humans and machines work closely together, in which modified safety standards or calibrations could also cause injury to humans. Robotics is a growing field, and many sectors, such as aerospace/airplanes, automobiles, pharmaceuticals, food products, chemicals and many others, should consider this a security operations wake-up call.

Nigel worked in the advertising and magazine publishing industry for many years before helping publish articles in the early years of Electropages. He has worked with technical agencies producing documents and artwork for the web over the last few years. He has been products editor for Electropages for over five years.