Over the past few years, researchers with the Polytechnic University of Milan and IT security company Trend Micro’s forward-looking threat research team have been looking at the challenges of securing industrial robots and what makes industrial robots vulnerable to cyber attack. As part of our focus on robotics this month, Industrial Cyber talked with researchers Marcello Pogliani and Federico Maggi about their predictions around industrial robot security in the new year.
Q. How will industrial robots change OT environments in 2021?
A. Industrial robots have been playing a key role in manufacturing for decades, because of their flexibility. Now that programming robots has become easier and easier, industrial robots confirm their role as the heart of smart manufacturing and the so-called Industry 4.0 paradigm shift.
The simple fact that a simple robotic arm can mount a wide array of manipulators (e.g., pliers, laser engraver or cutter, welding arc) makes them a powerful assistant for any human task (e.g., pick and place) and a replacement for the most safety-hazardous ones (e.g., welding, lifting heavy loads, handling chemicals or biohazard items). There’s no doubt about whether a robot or a human should be used in certain tasks. The key questions revolve around the where, when and how to invest resources (e.g., training humans to program robots vs. deploying robots).
Looking back at the past decade, 2021 and the coming years will see an increased adoption and prolific development of software to program such robots.
Q. What are the biggest challenges facing industrial robot security in 2021?
A. It took decades for the non-IT software development industry to reach the point we’re enjoying now. Large, modern software development pipelines have tools to automate everything from testing—including security testing—to deployment, in a completely streamlined process in which the most common security bugs are caught immediately. IT software developers have grown a lot w.r.t. security awareness, which is something we cannot say about OT software developers: many of them are still “hiding” behind the “everything is airgapped so there’s nothing to worry about” mindset, which is not where the market and technology trends are heading. So, education is a big challenge on our list.
This is exacerbated by the fact that software for OT devices cannot count on solid foundations like we have, for instance, on modern mobile devices (i.e., managed and memory-safe programming languages). Industrial robots have legacy roots and many avenues for memory corruption vulnerabilities.
It will take at least another decade for the OT software development industry to reach a similar maturity level. To be honest, the pace at which industrial robotics software—the code that embodies the automation routines (i.e., what the robot does)—is designed and released would not justify a similar effort. But that’s where the OT market is driving to: easing OT software development means shorter development-deployment cycles, which will mean that software will go into production faster (because the market will demand so). That in turn means that security bugs will slip through the cracks if proper automated and manual security checks are not in place like we have for IT software development.
Q. How can operations better safeguard industrial robots in the new year?
A. Knowing what software is running on each machine, including robots, is a good start. Refrain from jumping to the hottest security solution, because security does not start from installing a shiny box: security is a process, and a good process needs good data. The lifeblood of industrial automation is not the machines, but the software that drives them. That’s the data needed to design and bootstrap a good security process around OT environments. Of course, designing networks so that they’re well segmented is important, but that’s now considered a fundamental. The next big challenge is to keep track of the OT software landscape, because we already know how to secure networks.