A new report reveals that industrial robots could easily be hacked.
Instead of speculating about what will happen when robots attack humans, perhaps we should be worried about what could happen if humans attack robots.
Fleets of robots that were originally designed to be isolated in a factory are now connected to the internet and prone to hacking. Tens of thousands of industrial robots aren’t properly protected, according to a new research report by cyber security firm Trend Micro and Italian university Politecnico di Milano.
“These robots have been designed with a lot of focus on physical security, but what this research has shown is that there’s a lot to be done on the cyber-security side,” Mark Nunnikhoven, Trend Micro’s vice president of cloud research, told ZDNet.
New cloud capabilities are convenient for robot operators and hackers alike. While many companies have prioritized cyber-security for protecting data on computers or internal networks, the same vulnerability for industrial robots has been overlooked.
“It’s a pattern we’ve seen in different industries and in different verticals,” Nunnikhoven said. “Robots were designed with an original concept for their deployment and that concept and those constraints no longer hold true.”
When the first industrial robot was introduced to a General Motors assembly line in 1961, it followed a series of steps to weld car parts. It was big, strong, and potentially destructive. For this reason, industrial robots were caged so they couldn’t accidentally harm any nearby people or products. Today’s robots are more agile and precise — but what would happen if someone messed with the controls?
Robot hackers could steal trade secrets or cause operator injuries, but a more likely scenario is that state-sponsored or corporate interests would cause a manufacturing disruption. The new report reveals what could happen if a hacker altered a controller’s parameters or tampered with the production logic. Even a slight change could result in defective products.
To see how this scenario might play out, the researchers adjusted an industrial robot’s parameters to convince it that it was drawing a straight line when it was actually drawing a very slight curve. Even by introducing a two-millimeter defect, a hacker could cause an expensive manufacturing disruption. A scarier scenario is that the error would go unnoticed because an automated quality control check would confirm that the robot followed its parameters.
“But if that robot was programmed to weld something like a car chassis or a wing for an airplane, that could be an absolutely catastrophic outcome,” Nunnikhoven points out. Previous research has shown that even a small defect in a rotor can make a drone drop to the ground mid-flight.
While drones are mostly used for recreation, military missions, or infrastructure inspections, industrial robots build a wide variety of products. They are used in aerospace, automotive, pharmaceutical, and electronics manufacturing (and just about everything in between).
The report focuses on industrial robots, but the conclusions also apply to automation and the Internet of Things on a broader level.
“[Industrial robots] were intended to be used in isolation and never to be connected to the outside world and we found that it’s not true anymore,” Nunnikhoven explains. “They’re connected to both inside networks and the internet, so there’s a risk profile that hasn’t really been considered.”
“And while some of the motivations are different than our normal cyber-attacks, the consequences are significantly more real. There are definitely consequences in the physical world, and that’s something very different than what we’re used to seeing, where data is destroyed or held for ransom,” he said.
“This involves risk to real people, and real physical risks, not just financial risk or reputational risk,” he added.