Industrial Automation Robots are facing Many Risks from Legacy Programming Languages
Published on : Thursday 06-08-2020
Secure programming is the practice of writing software that is protected against known vulnerabilities, cyber-attacks, and anything else that can harm the software or the system. If you work in an industrial environment, the latest studies by leading research organizations may surprise you.
See the video published by Trend Micro on 4th August 2020.
A report published by cybersecurity firm Trend Micro in partnership with researchers at the Polytechnic University of Milan covers this subject in detail. Below is an excerpt from the report:
"To create an assembly line in a factory, for example, enterprises have no choice but to rely on custom, proprietary, or even legacy programming languages.
Each vendor has its own ecosystem, but we cannot blame the developers for writing unsecure code. It is understandably very difficult for them to implement strong security measures within automation routines.
Based on the languages that we reviewed, it appears that they have not been designed with an active-attacker model in mind. Some lack features, such as cryptographic functions, that are essential to implementing modern security measures. The platforms offered by some vendors do implement a few security mechanisms, most of which are “bolt on” and do not integrate well with the programming environment. As a result, while the operating system may have security features such as authentication and access control, the programming layer is a “black box” with no fine-grained security control. This leaves it open to attackers.
It is impractical to fix these design flaws because legacy programming environments cannot be easily replaced. Not only have they become critical for current industrial automation, but the strong technology lock-in makes every switch very expensive. Consequently, despite the existence of newer alternatives, the big players behind the leading platforms still dominate the market. Switching away from their platforms is simply uneconomical.
Industrial automation programs, scripts, or task programs rely on a legacy technology that drives current and future smart factories. They are the routines that govern the automatic movements of industrial robots and similar programmable machines. They are written by field experts using vendor-specific programming languages, which we refer to as “industrial robot programming languages” (“IRPLs”), or simply “legacy languages.”
Like any engineering artifact, task programs could contain unsecure code. Vulnerabilities — programming errors introduced by mistake, leaving a system vulnerable to attack — could be present in them. Alternatively, they could contain malicious functionalities, which are essentially code written for malicious purposes (for example, taking over a factory for extortion-based attacks)."
What issues did the researchers identify?
The researchers analyzed programming languages from vendors such as ABB, Comau, Denso, Fanuc, Kawasaki, Kuka, Mitsubishi, and Universal Robots, which can be used to create custom applications that enable industrial robots to carry out complex automation routines.
They looked at 100 open source automation programs developed with these languages and discovered vulnerabilities in many of them, including flaws that could allow a hacker to control or disrupt a robot.
The researchers found that an open source app written for Kuka robots was affected by a vulnerability that could have been exploited to spoof network packets and control the robot’s movements, potentially causing physical damage or disrupting the production process if safety systems were not deployed or configured properly.
The researchers also found a vulnerability affecting a web server written in ABB’s Rapid language. Cybercriminals with access to the network hosting the targeted robot controller could have exploited the security hole to obtain sensitive information, including intellectual property, without authentication. ABB removed the vulnerable app from its RobotStudio store after it received an alert.
In addition to the above vulnerabilities in apps implemented with the analyzed programming languages, the researchers discovered design flaws that can be exploited to hide malicious functionality in industrial robots and even to create self-spreading malware. This is a real risk to industry.
What is the solution to avoid such vulnerabilities?
In short, secure coding practices must be followed when designing or implementing code for industry. That code can be a web service, web application, mobile app, or any automation program, script, or task program. Many organizations conduct periodic security code reviews of their software as a key part of their overall cybersecurity audit or assessment. Many vulnerabilities are hard to identify with techniques other than security code reviews.
If industrial systems or industrial robots are not secured, the result is not only a risk to the organization’s valuable assets but also lower productivity and damage to the organization’s reputation.
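As an added illustration of what a security code review of a task program looks for (this is not code from the Trend Micro report or from any vendor), the Python sketch below flags places where data received from the network reaches a robot motion instruction or a file open without passing through anything else. The task program is a constructed sample in ABB RAPID-style syntax, and the source and sink lists are assumptions chosen to match the two issues described above; the check is a line-based heuristic that does not recognise validation code.

```python
import re

# Constructed sample in ABB RAPID-style syntax; not taken from any real app.
SAMPLE = r"""
PROC main()
  ! network input below reaches a motion target and a file path
  SocketReceive cli \Str:=msg;
  ok := StrToVal(msg, tgt);
  MoveL tgt, v100, fine, tool0;
  path := "HOME:/" + msg;
  Open path, f \Read;
  MoveL pHome, v100, fine, tool0;
ENDPROC
"""

# Assumed source (network receive) and sinks (motion, file open) for this sketch.
SOURCE = re.compile(r"\s*SocketReceive\b.*\\(?:Str|RawData|Data)\s*:=\s*(\w+)", re.I)
STRTOVAL = re.compile(r"StrToVal\s*\(\s*(\w+)\s*,\s*(\w+)\s*\)", re.I)
ASSIGN = re.compile(r"\s*(\w+)\s*:=\s*(.+?);")
SINK = re.compile(r"\s*(MoveL|MoveJ|MoveAbsJ|Open)\b(.*)", re.I)
IDENT = re.compile(r"[A-Za-z_]\w*")

def idents(text):
    """Identifiers in a code fragment, lower-cased (RAPID ignores case)."""
    return {name.lower() for name in IDENT.findall(text)}

def find_flows(program):
    """Return (line, instruction, variable) where network data reaches a sink."""
    tainted, findings = set(), []
    for lineno, raw in enumerate(program.splitlines(), 1):
        # Blank out string literals, then drop the '!' comment text.
        code = re.sub(r'"[^"]*"', '""', raw).split("!", 1)[0]
        m = SOURCE.match(code)
        if m:  # data received from the network is untrusted
            tainted.add(m.group(1).lower())
            continue
        for src, dst in STRTOVAL.findall(code):  # parsing keeps the taint
            if src.lower() in tainted:
                tainted.add(dst.lower())
        m = ASSIGN.match(code)
        if m:  # assignment propagates taint, or clears it on a clean value
            lhs = m.group(1).lower()
            if idents(m.group(2)) & tainted:
                tainted.add(lhs)
            else:
                tainted.discard(lhs)
        m = SINK.match(code)
        if m:
            for var in sorted(idents(m.group(2)) & tainted):
                findings.append((lineno, m.group(1), var))
    return findings
```

Each finding is a prompt for the reviewer to confirm that the value is authenticated and range-checked before the flagged instruction runs.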
Shekhar Ashok Pawar is CEO of GrassDew IT Solutions Pvt Ltd which is primarily focused on Cybersecurity Assessment & Audits, IT Consulting, Customised Software Development and Software Products. With more than 15 years of international experience, he is CISA, CEH, CHFI, MCP, Blockchain Developer, Dip Cyber Laws, CMMi Level 5 ATM & ISO 27001 LA. He is also certified H/W & S/W expert for Mobile Phones, Computers and CCTV cameras. He did Executive Management (SJMSOM, IIT-Bombay), after Engineering in Electronics & Telecommunications, Mumbai. He is also certified for "Digital Signal Processor & Applications" by Analog Devices - DSP Learning Center, IIT Madras.
He is the lead contributor to GrassDewPanther @ LinkedIn, which is focused on sharing global cyber threats and related news. Shekhar's recent book “Air Team Theory: Understanding 10 Types of Team Mates and Best Practices to Succeed” was published in January 2020 and is a hot-seller on Amazon.