“Alexa, start the TV.”
“Obtain it yourself.”
This nightmare scenario could play out an incredible number of times unless people do something to safeguard their IoT devices. The problem is even worse in industrial settings. Smart manufacturing, that is, Industry 4.0, depends on tight integration between IT systems and OT systems. Enterprise resource planning (ERP) software has evolved into supply chain management (SCM) systems, reaching across national and organizational boundaries to assemble all types of inputs, parceling out subcomponent production and development, and delivering finished products, payments, and capabilities across a worldwide canvas.
Each one of these synergies fulfills a rational business goal: optimize scarce resources across diverse sources; minimize manufacturing, shipping, and warehousing expense across regions; preserve continuity of operations by diversifying suppliers; maximize sales among multiple delivery channels. The supply chain includes not merely recyclables for manufacturing, but also third-party suppliers of components, outsourced staff for non-core business functions, open source software to optimize development costs, and subcontractors to satisfy specialized design, assembly, testing, and distribution tasks. Each component of the supply chain can be an attack surface.
Software development is a team effort. Not since the 1970s have businesses sought out the excellent, talented solo programmer whose code was beautiful, flawless, ineffable, undocumented, and impossible to maintain. Designs should now be clear across the team, and testing requires close collaboration between architects, creative designers, developers, and production. Groups identify business requirements, then compose a solution from elements sourced from publicly shared libraries. These libraries might contain yet more dependencies on other third-party code of unknown provenance. Simplified testing depends on the quality of the shared libraries, but shared library routines could have latent (or intentionally concealed) defects that do not become active until they are in a vulnerable production environment. Who tests GitHub? The scope of the vulnerabilities is daunting. Trend Micro just published a report, “Attacks on Smart Manufacturing Systems: A Forward-looking Security Analysis,” that surveys the Industry 4.0 attack surface.
Within the production operation, the blending of IT and OT exposes additional attack surfaces. Industrial robots give a clear illustration. Industrial robots are usually tireless, precision devices programmed to execute exacting jobs rapidly and flawlessly. What did industry do before robots? Factories relied either on hand-built items or on non-programmable devices that needed to be retooled for just about any change in item specifications. Hand-built technologies required extremely skilled machinists, who are costly and require time and energy to deliver. See Figure 1 for a good example.
Non-programmable robots require factory downtime for retooling, an activity that can take days. Before programmable commercial robots, vehicle factories would deliver a single body style across a number of years of production. Programmable robots can make different configurations of components without downtime. They are found everywhere: in manufacturing, warehousing, distribution facilities, farming, mining, and soon guiding delivery vehicles. The supply chain will be automated.
However, the supply chain isn’t secure. The protocols industrial robots depend on assumed the environment was isolated. One controller would govern the machines in a single location. Because the connection between the controller and the managed robots was hard-wired, there was no need for operator identification or message verification. My controller would never see your robot. My controller would connect only to my robot, so the messages they exchanged needed no authentication. Each device assumed all its connections were verified externally. Even the safety systems assumed the network was untainted and trustworthy. No protocols included any privacy or security controls. Then Industry 4.0 adopted wireless communications.
The move, which saved the expense of laying cable in the factory, opened those networks to eavesdropping and attacks. Every possible attack against industrial robots could now be happening. Criminals are forging commands, altering specifications, suppressing or changing error alerts, modifying output statistics, and rewriting logs. The results could be vast yet nearly undetectable. In today’s report on Rogue Robots, our Forward-looking Threat Research team, collaborating with the Politecnico di Milano (POLIMI), analyzes the range of specific attacks today’s robots face, and the potential consequences those attacks may have.
Owners and operators of programmable robots should heed the warnings of this extensive research and consider the various suggested remedies. Forewarned is forearmed.
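The control the hard-wired protocols left out, verification of each message between a controller and its robot, can be sketched as follows. This is an added example, not code from this post or from the Trend Micro research; the frame layout, demo key and command strings are assumptions made for illustration, and the tag gives integrity and replay protection only, not protection against eavesdropping.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # size of an HMAC-SHA256 tag in bytes

class AuthError(Exception):
    """Raised when a frame fails verification."""

def seal(key: bytes, seq: int, command: bytes) -> bytes:
    """Controller side. Assumed frame layout: 8-byte counter || command || tag."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + command, hashlib.sha256).digest()
    return header + command + tag

class RobotReceiver:
    """Robot side: accept only authentic frames whose counter strictly increases."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0

    def accept(self, frame: bytes) -> bytes:
        if len(frame) < 8 + TAG_LEN:
            raise AuthError("frame too short")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            raise AuthError("bad tag: forged or altered frame")
        (seq,) = struct.unpack(">Q", body[:8])
        if seq <= self.last_seq:  # checked only after the tag is known to be valid
            raise AuthError("stale counter: replayed frame")
        self.last_seq = seq
        return body[8:]

def demo() -> dict:
    key = bytes(range(32))  # constructed demo key; real keys are provisioned per cell
    robot = RobotReceiver(key)
    genuine = seal(key, 1, b"MOVE J1 12.5")  # constructed command string
    results = {"genuine": robot.accept(genuine)}
    rejected = {
        "replayed": genuine,
        "altered": genuine[:8] + b"MOVE J1 99.9" + genuine[-TAG_LEN:],
        "wrong_key": seal(b"\x00" * 32, 2, b"MOVE J1 12.5"),
    }
    for name, frame in rejected.items():
        try:
            robot.accept(frame)
            results[name] = "accepted"
        except AuthError as exc:
            results[name] = str(exc)
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```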
The Rogue Robots research is here: https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/rogue-robots-testing-industrial-robot-security.
The new report, Attacks on Smart Manufacturing Systems: A Forward-looking Security Analysis, is here: https://www.trendmicro.com/vinfo/us/security/threat-intelligence-center/internet-of-things/threats-and-consequences-a-security-analysis-of-smart-manufacturing-systems.
What do you think? I want to know in the comments below, or @WilliamMalikTM.