Cybersecurity threats to manufacturing systems and industrial robots are growing as these systems become increasingly automated, networked, and internet-connected. The Stuxnet attack on Iranian nuclear facilities in 2007 showed how industrial control systems could be targeted, while a 2014 attack on a German steel mill caused physical damage by manipulating a blast furnace. As robots take over more manufacturing tasks, their broad attack surfaces and connections to enterprise networks introduce new risks. Standards and regulations have not kept up, but basic security practices around segmentation, access control, monitoring, and secure development can help prevent threats.

1. Cybersecurity Threats in Manufacturing
Systems and Robotics
October 14, 2017
Dr. Shawn P. Murray, C|CISO, CISSP, CRISC, C|ND, FITSP-A
ISSA Colorado Springs – Mini-Seminar Series

2. Cybersecurity Threats in Manufacturing Systems and Robotics

3. The Boston Consulting Group (BCG), who conducts ongoing research on
the impact of advanced-manufacturing technologies, estimates that
the portion of tasks performed by robots in manufacturing will
increase from 10% to 25% worldwide by 2025.

4. Robots Taking Over
• Robots used in manufacturing:
– Phones
– Cars
– Computers
– Air plane parts
– Pharmaceuticals
– Electronics
– And so much more……

5. Robots Taking Over - Advantages
• Robots used in manufacturing:
– Increase in productivity
– Robots = CAPEX
– Humans = OPEX
• Decrease in human labor costs
– Payroll
– Taxes
– Benefits
– Vacation time
– Periodic breaks

6. Robots Taking Over - Advantages
• Robots used in manufacturing:
– Increase in efficiency
– Precision manufacturing
– Increase in productivity
– Can work in extreme environments
• Hot and cold
• Class 100 ppsi rooms
• Repetitive tasks
– Reduction in insurance costs
– Minimizes safety issues

7. Iranian Nuclear Program -
2007
• Stuxnet – Advanced Persistence Threat
(APT) sophisticated digital weapon the U.S. and
Israel launched against control systems in Iran in
late 2007 or early 2008
– Purpose was to sabotage centrifuges at a uranium
enrichment plant
– Created to only damage the intended industrial control
system that was targeted
– Set back the Iranian nuclear program which was the
end goal

8. German Steel Mill - 2014
• Attackers hacked a German steel mill and
modified industrial control systems to manipulate
a blast furnace so that it could not be properly
shut down. This resulted in “massive” damage.
– Gained access through the business network after
launching a spear-phishing attack
– Attackers had extensive knowledge regarding
industry control systems

9. A TrendLabs Research Paper
• Rogue Robots: Testing
the Limits of an Industrial
Robot’s Security
– By Federico Maggi Trend
Micro Forward-Looking
Threat Research
– Davide Quarta, Marcello
Pogliani,
– Mario Polino,
– Andrea M. Zanchettin,
– and
– Stefano Zanero Politecnico
di Milano

10. Rogue Robots: Testing the Limits of
an Industrial Robot’s Security
• Broad Attack Surface In all of their forms, robots are ultimately complex cyberphysical
systems (CPSs) that include multiple mechanical actuators, controllers, sensors, and
human interaction devices.
• In this context, the growing integration of computerized monitoring of physical
production processes leads to robots that are interconnected with other robots and
external services.
• In the Industry 4.0 vision, an enterprise management system can track and
automatically place an order to suppliers any part needed to complete a scheduled
production as well as reconfigure robotized production lines and receive updates on
their operational status.
• Nowadays, industrial robots are connected to computer networks primarily for
programming and maintenance purposes, but we can already see some emphasis on
richer and complex programming to integrate robots with the factory IT ecosystem.
– For example, ABB exposes a so-called Robot Web Service, which allows
external software or devices to “speak” with the robot controller by means of
HTTP requests.
– Easy-to-use application programming interfaces (APIs) allow robots to be
controlled via smartphones.
– In fact, robot app stores are becoming increasingly available for both consumer
and industrial robots.

11. German Steel Mill - 2014

12. Industry Groups Working
Issues
• Some industry groups are attempting to
generate guidelines for certifying the security
of IoT products but are not necessarily
focused on robots or manufacturing systems.
– IoT Security Foundation and the
– Open Connectivity Foundation.
• The problem is twofold.
1. There are no security standards for developing
anything that connects to the Internet
2. There is no regulatory authority that governs the
Internet

13. Prevention
• Many manufacturing systems can avoid or minimize
the risks altogether by implementing some basic (and
common) best practices:
– Unless you need to, do not connect anything to the
internet
– Separate or segment the production network from the
business network.
– Ensure the code written for the manufacturing systems is
developed securely and scanned for vulnerabilities.
– Set up a security architecture like you would on the
business network.
• IDS/IPS
• Firewall
• Antivirus

14. Prevention
– Have a sound process for change and configuration
management
– Develop the systems with security “baked in”
– Conduct assessments to test the networks and systems
resiliency
• Vulnerability assessments
• Penetration assessments
• CM audits
– Have logins for all industrial control systems and use strong
identification and authentication procedures

15. Prevention
– Users should be identified and assigned roles based on
what their job function
• Machine Operator
• Systems Engineer
• Software Developer
• Systems/Network Administrator
• Production Manager
– Physical security considerations
• Lock areas where production computer are stored.
• Restrict the introduction of removable media under CM
– Backup all production system configurations and
software
– Plan, develop and implement an incident response
program specifically for the production systems

16. Resources/References
• Industrial robots that build cars can be easily hacked (https://www.recode.net/2017/5/3/15521520/industrial-robots-
build-cars-hacked-security)
• IoT Security Foundation (https://www.iotsecurityfoundation.org/join/)
• Die Lage der IT-Sicherheit in Deutschland 2014 (https://www.wired.com/wp-
content/uploads/2015/01/Lagebericht2014.pdf)
• A Cyberattack Has Caused Confirmed Physical Damage for the Second Time Ever
https://www.wired.com/2015/01/german-steel-mill-hack-destruction/
• Manufacturers prepare to battle rogue robots http://www.csbj.com/2017/09/15/manufacturers-prepare-to-battle-
rogue-robots/
• Can Robots + Humans = The Ideal Workforce in Manufacturing? http://cerasis.com/2015/07/27/robots-and-
humans/
Robotics: Taking Over or Complimenting Manufacturing? - Posted on May 4, 2015 at 9:50
AMhttp://www.nola.com/careeradvice/2015/05/robotics_taking_over_or_compli.html
• A Chip Is Born: Inside a State-of-the-Art Clean Room - AUTHOR: JON SNYDER.JON SNYDER GEAR October
19, 2010 https://www.wired.com/2010/10/inside-a-state-of-the-art-cleanroom/
• Rogue Robots: Testing the Limits of an Industrial Robot’s Security
https://documents.trendmicro.com/assets/wp/wp-industrial-robot-security.pdf