Robot Wars: Cyber Risk in Industrial Robots
With more than a million robots in factories worldwide, most operators don’t realise the risk from hackers, warns Amethyst’s Ross Thomson
In July 2015, one hundred luminaries signed a letter demanding that the world’s governments take action to prevent a robot apocalypse. Among the signatories were Elon Musk and Professor Stephen Hawking, who predicts robots will take over the world within a century.
Rapid progress with artificial intelligence (AI) and the Internet of Things (IoT) has raised fears of nightmare scenarios that were until recently consigned to the genre of science fiction. What prompted the protest letter is the spectre of robot soldiers. Rather than obey legendary sci-fi writer Isaac Asimov’s first law of robotics - do no harm to humans - these autonomous killing machines running on AI would be programmed to do precisely the opposite to whoever fits their software’s parameters for an enemy.
The race to develop such killing machines is underway, and a similar open letter again sought to draw attention to the issue in August 2017. Yet while the prospect of robot wars may have fired public imagination, right now there is already a real and present robot danger among us, and it is on an epic scale.
In factories around the world, often enormous robots power away making everything from cars to airline parts. Increasingly, these are connected to the internet and, due to a lack of awareness and preparedness among their operators, are highly vulnerable to hackers.
The number of robots in smart factories worldwide now tops a million, but due to lack of awareness, most operators haven’t tackled the threat. Many firms believe hackers only want personal or financial data, but there is a credible risk to industrial robots. That risk is growing as robots, like other devices, are increasingly connected to wider networks and the internet. This gives hackers more ways in, and the consequences are potentially disastrous.
In one example, attackers locked up a robotic assembly plant in Mexico and demanded a ransom from the operators. There is also a safety risk for human factory operatives if a robot were to be hacked. Lack of awareness and preparedness for a cyber-attack extends to robot makers. In one experiment, researchers hacked a robotic arm and forced it to mis-perform, compelling its manufacturer to plug the security hole, but industrial robot manufacturers have more work to do to beef up protection against hackers.
The threat might come from disgruntled employees, criminals, recreational hackers or nation states.
One kind of attack would inject faults or defects in the production process, or lock it down completely as in the Mexican incident, leading to loss of production and revenue. If defective products make it to market, they can cause reputational damage, a potential advantage that could motivate an attack by unscrupulous competitors.
By manipulating safety protocols, hackers could cause the robot to injure human operators, or to damage itself or the factory environment. Alternatively, attackers might attempt to steal sensitive data from the machines themselves or the wider company network through remote access.
So how easy is it to hack a robot? Ease of access to the software varies, making an inside job more likely in some scenarios. Firmware may be freely available online or retrievable from used robot CPUs, and some manufacturers allow programmers to access code in a simulation environment, creating a potential practice ground for would-be robot hackers.
Hackers have ways to infiltrate other than via the internet. They may attack from within the factory, for example connecting to the robot directly through a USB port, or physically accessing its computer controller directly or via remote service.
Once they have penetrated the system, they can potentially alter the controller’s parameters, tamper with calibration programmes or production logic and alter the robot’s perceived state (for example, to show it is idle when it is not) or its actual state, causing loss of control.
How big a risk?
The scale of the threat could be enormous. It’s estimated there will be 1.3 million robots in factories worldwide by next year (2018) and that 12% of jobs will have been taken over by automated systems within a decade and a half. Robots are operating across almost all industrial sectors, from car manufacturing to aviation and food processing.
The UK’s National Cyber Security Centre has highlighted hacking of robotic, unmanned and autonomous systems as a subject for attention, both by itself and by the intelligence organisation GCHQ.
A survey of robotic engineers by Italian academics found three quarters had never properly checked cyber security in their infrastructure, a third of robots were internet accessible and half of respondents didn’t see a realistic cyber security threat. To make matters worse, industrial robots often have weak authentication protocols and outdated software running on vulnerable operating systems.
Operators need to take the necessary precautions
Operators of industrial robots should conduct a professional review of cyber security risks, have an incident response plan in place in case of a security breach and ensure that software is regularly updated, especially with security patches. The security review should look at what data robots hold and how they are potentially connected to sensitive data elsewhere on the network.
Considering the risk to production, people and facilities, security must be taken seriously from board level to operational level. An internet-connected robot should be treated with the same security precautions as any computer on the network, including setting long, complex passwords rather than relying on manufacturers’ defaults. There is a temptation to neglect updates because they may cause production downtime, but updating needs to be given a higher priority.
Operators must make security a key factor when sourcing new industrial robots, selecting a manufacturer that shows commitment to the issue and provides frequent software updates with security patches.
Limiting who has access to robots and segmenting machines from networks where possible can also reduce risk.
Ultimately, one of the most effective precautions is also one of the most prosaic, and may comfort those who fear their jobs will be stolen by robots. It’s hard to imagine a time when we dare leave robots to get on with it, so until and unless that day comes, we need humans to keep watch on robots at work.