an experimental security analysis of an industrial robot
play

An experimental security analysis of an Industrial Robot Controller - PowerPoint PPT Presentation

May 21, 2023 •180 likes •539 views

An experimental security analysis of an Industrial Robot Controller Davide Quarta , Marcello Pogliani, Mario Polino, Federico Maggi, Andrea Maria Zanchettin, Stefano Zanero San Jos (CA), May 22 nd , 2017 38th IEEE Symposium on Security and

  1. An experimental security analysis of an Industrial Robot Controller Davide Quarta , Marcello Pogliani, Mario Polino, Federico Maggi, Andrea Maria Zanchettin, Stefano Zanero San José (CA), May 22 nd , 2017 38th IEEE Symposium on Security and Privacy

  3. Motivation: Industry 4.0 Trends Interconnected Flexibly programmable Remotely exposed

  4. Motivation: Lack of Awareness Survey : Robot users vs. system security 50 domain experts—users interviewed: 20 answers ➢ 28%* access control policies not enforced ➢ 30% robots accessible over Internet ➢ 76% never performed a pentest ➢ > 50% not a realistic threat * some users did not answer all the questions

  5. How do we define a robot-specific attack?

  6. Requirements: Laws of Robotics ➢ I/O Accuracy ■ Read precise values ■ Issue correct/accurate commands ➢ Safety ■ Never harm humans ■ Correctly inform operator ➢ Integrity ■ No damage to the robot

  7. Requirements: Laws of Robotics ➢ I/O Accuracy ■ Read precise values ■ Issue correct/accurate commands ➢ Safety ■ Never harm humans ■ Correctly inform operator ➢ Integrity ■ No damage to the robot

  8. Requirements: Laws of Robotics ➢ I/O Accuracy ■ Read precise values ■ Issue correct/accurate commands ➢ Safety ■ Never harm humans ■ Correctly inform operator ➢ Integrity ■ No damage to the robot

  9. Requirements: Laws of Robotics ➢ I/O Accuracy ■ Read precise values ■ Issue correct/accurate commands Robot-specific Attack: ➢ Safety Digital-borne violation of any ■ Never harm humans of these requirements ■ Correctly inform operator ➢ Integrity ■ No damage to the robot

  10. 5 Robot-specific Attacks

  11. Attack 1: Control Loop Alteration !

  12. Attack 2: Tampering with Calibration Parameters

  13. Attack 3: Tampering with the Production Logic

  14. Attack 4 & 5: (Perceived) Robot State Alteration

  15. Custom Physical Protections, if any (despite regulations)

  16. From Attacks to Threat Scenarios 1) Production Plant Halting 2) Production Outcome Alteration 3) Physical Damage 4) Unauthorized Access 5) Ransom requests to disclose micro defects

  17. Case Study

  19. ARM, Windows CE .NET 3.5 VxWorks 5.x RTOS (PPC, x86) FPGAs and discrete logic

  23. USB port LAN WAN Attack surface Radio

  24. Industrial Routers

  25. Vulnerabilities a. BOF leading to RCE (ABBVU-DMRO-124641) b. BOF in FlexPendant (ABBVU-DMRO-124645) c. BOF in /command endpoint (ABBVU-DMRO-128238) d. Command Injection (ABBVU-DMRO-124642) e. Authentication bypass (ABBVU-DMRO-124644)

  26. Full Controller Exploitation

  27. Attack POCs 1) Accuracy Violation: PID parameters detuning (Attack 1) DEMO 2) Safety Violation: User-Perceived Robot State Alteration (Attack 4) 3) Integrity Violation: Control-loop alteration (Attack 1)

  28. POC 1: accuracy violation (video)

  29. Attack POCs 1) Accuracy Violation: PID parameters detuning (Attack 1) 2) Safety Violation: User-Perceived Robot State Alteration (Attack 4) 3) Integrity Violation: Control-loop alteration (Attack 1)

  30. POC 2: Safety Violation Malicious DLL Teach Pendant

  31. POC 2: Safety Violation Malicious DLL Teach Pendant

  32. Attack POCs 1) Accuracy Violation: PID parameters detuning (Attack 1) 2) Safety Violation: User-Perceived Robot State Alteration (Attack 4) 3) Integrity Violation: Control-loop alteration (Attack 1)

  33. POC 3: Integrity Violation ➢ Robot’s arm collapse on itself ➢ Motors substantially damaged Quite a risky POC! Verified with a robotics’ expert

  34. Conclusions : Future Challenges ➢ New standards, beyond safety issues ➢ Attack detection and hardening ➢ Secure collaborative robots ➢ (Detailed countermeasures in the paper)

  35. http://robosec.org Questions? Davide Quarta , Marcello Pogliani, Mario Polino, Federico Maggi, Andrea Maria Zanchettin, Stefano Zanero San José (CA), May 22 nd , 2017 38th IEEE Symposium on Security and Privacy

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Industrial Robot Outlook 1,000,000 900,000 800,000 700,000 600,000 500,000 400,000 300,000

Industrial Robot Outlook 1,000,000 900,000 800,000 700,000 600,000 500,000 400,000 300,000

Industrial Robot Outlook 1,000,000 900,000 800,000 700,000 600,000 500,000 400,000 300,000 200,000 100,000 0 2015 2016 2017 2018 2019 2020 2021 2022 2023 2024 2025 Traditional Robots Collaborative Robots Source: Loup

342 views • 13 slides
A Security Evaluation of Industrial Radio Remote Controllers Federico Maggi, Marco Balduzzi

A Security Evaluation of Industrial Radio Remote Controllers Federico Maggi, Marco Balduzzi

A Security Evaluation of Industrial Radio Remote Controllers Federico Maggi, Marco Balduzzi Jonathan Andersson, Philippe Lin, Stephen Hilt, Akira Urano, and Rainer Vosseler TL;DR SECURITY ANALYSIS FINDINGS TL;DR SECURITY ANALYSIS FIN

908 views • 68 slides
Unity: A Unified Software/Hardware Framework for Rapid Prototyping of Experimental Robot

Unity: A Unified Software/Hardware Framework for Rapid Prototyping of Experimental Robot

Unity: A Unified Software/Hardware Framework for Rapid Prototyping of Experimental Robot Controllers using FPGAs Anders Blaabjerg Lange, Ulrik Pagh Schultz and Anders Stengaard Soerensen MMMI, SDU, Denmark OR why everyone in experimental

314 views • 16 slides
Acoustics 08 Experimental analysis of the acoustical behaviour of Musikverein in concert and

Acoustics 08 Experimental analysis of the acoustical behaviour of Musikverein in concert and

Acoustics 08 Experimental analysis of the acoustical behaviour of Musikverein in concert and ballet configurations A. Farina, D. E. Commins and N. Prodi (a) University of Parma, Via delle Scienze 181/A, Industrial Engineering Dept., 43100

603 views • 35 slides
Experimental Analysis Guidelines for Presenting Data 3. Examples Marco Chiarandini Results Task

Experimental Analysis Guidelines for Presenting Data 3. Examples Marco Chiarandini Results Task

Outline DM811 HEURISTICS AND LOCAL SEARCH ALGORITHMS 1. Experimental Algorithmics FOR COMBINATORIAL OPTIMZATION Definitions Performance Measures 2. Exploratory Data Analysis Lecture 13 Sample Statistics Scenarios of Analysis Experimental

737 views • 18 slides
Analysis and Control of Multi-Robot Systems Multi-Robot Localization Dr. Paolo Stegagno

Analysis and Control of Multi-Robot Systems Multi-Robot Localization Dr. Paolo Stegagno

Elective in Robotics 2011/2012 Analysis and Control of Multi-Robot Systems Multi-Robot Localization Dr. Paolo Stegagno Dipartimento di Ingegneria Informatica, Automatica e Gestionale 1 / 73 Introduction multi-robot localization :

759 views • 73 slides
Experimental Analysis Marco Chiarandini Department of Mathematics & Computer Science

Experimental Analysis Marco Chiarandini Department of Mathematics & Computer Science

DM841 D ISCRETE O PTIMIZATION Part 2 Heuristics Experimental Analysis Marco Chiarandini Department of Mathematics & Computer Science University of Southern Denmark Outline Outline Experimental Analysis 1. Experimental Analysis

1.38k views • 90 slides
Predictive Security Analysis Concepts, Implementation, first Results in Industrial Scenario Roland

Predictive Security Analysis Concepts, Implementation, first Results in Industrial Scenario Roland

Predictive Security Analysis Concepts, Implementation, first Results in Industrial Scenario Roland Rieke 1 Romain Giot 2 Chrystel Gaber 2 1 Fraunhofer SIT, Darmstadt, Germany Email: roland.rieke@sit.fraunhofer.de 2 France Tlcom-Orange Labs,

276 views • 25 slides
DEVELOPING INDUSTRIAL ROBOT USING POLYMERIC MATERIALS & ADAPTIVE SYSTEM CONTROL GENERAL

DEVELOPING INDUSTRIAL ROBOT USING POLYMERIC MATERIALS & ADAPTIVE SYSTEM CONTROL GENERAL

DEVELOPING INDUSTRIAL ROBOT USING POLYMERIC MATERIALS & ADAPTIVE SYSTEM CONTROL GENERAL INFORMATION: Studying and developing of an industrial robot-manipulator using polymeric materials and adaptive system control. Cybernation and

194 views • 15 slides
LIGHTER SIMPLER CHEAPER INDUSTRIAL ROBOT-MANIPULATOR polymeric materials

LIGHTER SIMPLER CHEAPER INDUSTRIAL ROBOT-MANIPULATOR polymeric materials

LIGHTER SIMPLER CHEAPER INDUSTRIAL ROBOT-MANIPULATOR polymeric materials adaptive system control WELDING / CUTTING / MACHINE TENDING BUILDING ROBOTS MAKING ROBOTS FOR TWICE LESS MONEY MAINTENANCE EASY ACCESSIBLE THAN

76 views • 7 slides
Robothlon Team competition, each team programs a robot for each event Events Robot

Robothlon Team competition, each team programs a robot for each event Events Robot

Robothlon Team competition, each team programs a robot for each event Events Robot rally - Race your robot round Robot retrieve - Fetch balls with the robot Robot rumble - Last robot moving in a ring Points

269 views • 5 slides
Analysis of Japanese Loyalty Programs Considering Liquidity, Security Efforts, and Actual

Analysis of Japanese Loyalty Programs Considering Liquidity, Security Efforts, and Actual

Analysis of Japanese Loyalty Programs Considering Liquidity, Security Efforts, and Actual Security Levels June 24, 2014 @WEIS 2014 Bongkot Jenjarrussakul, and Kanta Matsuura Institute of Industrial Science The University of Tokyo Outline

479 views • 28 slides
An Experimental Evaluation of Selective Cooperative Relaying for Industrial Wireless Sensor

An Experimental Evaluation of Selective Cooperative Relaying for Industrial Wireless Sensor

An Experimental Evaluation of Selective Cooperative Relaying for Industrial Wireless Sensor Networks Nikolaj Marchenko, Torsten Andre, G unter Brandner, Wasif Masood, and Christian Bettstetter Institute of Networked and Embedded Systems

401 views • 22 slides
WHAT WOULD TREX DO? From Experimental Design to Analysis, the TREX Approach EXPERIMENTAL DESIGN

WHAT WOULD TREX DO? From Experimental Design to Analysis, the TREX Approach EXPERIMENTAL DESIGN

Your Research Question WHAT WOULD TREX DO? From Experimental Design to Analysis, the TREX Approach EXPERIMENTAL DESIGN What are my research goals? FFPE Clinical Where are my samples coming from? Fresh Tissue/Cells How much RNA

863 views • 39 slides
Remote Teleoperation Tejas Sathe The Matrix The Papers Usability Guidelines for the Design

Remote Teleoperation Tejas Sathe The Matrix The Papers Usability Guidelines for the Design

Remote Teleoperation Tejas Sathe The Matrix The Papers Usability Guidelines for the Design of Robot Teleoperation: A Taxonomy An Experimental Analysis of Cyber Security Threats Against Teleoperated Surgical Robotics Usability

967 views • 62 slides
Retail security gate solutions Industrial security gate solutions Institutional

Retail security gate solutions Industrial security gate solutions Institutional

PHYSICAL SECURITY SOLUTIONS Quantum security gates can help you improve security quickly. Before or after a break-in. Retail security gate solutions Industrial security gate solutions Institutional security gate solutions Office

215 views • 18 slides
Sources of Field Perturbations LLRF Lecture Part2 S. Simrock, M. Grecki ITER / DESY RF System

Sources of Field Perturbations LLRF Lecture Part2 S. Simrock, M. Grecki ITER / DESY RF System

Sources of Field Perturbations LLRF Lecture Part2 S. Simrock, M. Grecki ITER / DESY RF System Architecture S. Simrock & M. Grecki, 5 th LC School, Switzerland, 2010, LLRF & HPRF 2 Sources of Field Perturbations o Beam loading o

697 views • 21 slides
CLIC Crab Cavity and Wakefields Praveen Ambattu CLIC crab group Cockcroft Institute / Lancaster

CLIC Crab Cavity and Wakefields Praveen Ambattu CLIC crab group Cockcroft Institute / Lancaster

ICFA Beam Dynamics Workshop 2010, Daresbury CLIC Crab Cavity and Wakefields Praveen Ambattu CLIC crab group Cockcroft Institute / Lancaster University / University of Manchester / ASTeC Crab Cavity Operation BDS chapter of the CLIC CDR,

586 views • 17 slides
Provenance-based Intrusion Detection Thomas Pasquier University of Bristol https://tfjmp.org

Provenance-based Intrusion Detection Thomas Pasquier University of Bristol https://tfjmp.org

Provenance-based Intrusion Detection Thomas Pasquier University of Bristol https://tfjmp.org 12/11/2020 1 Talk loosely based on following publications Han et al. SIGL: Securing Software Installations Through Deep Graph Learning ,

635 views • 41 slides
Chapter 13 13.1 Detecting Extrasolar Planets Other Planetary Systems The New Science of Distant

Chapter 13 13.1 Detecting Extrasolar Planets Other Planetary Systems The New Science of Distant

Chapter 13 13.1 Detecting Extrasolar Planets Other Planetary Systems The New Science of Distant Worlds Our goals for learning Why is it so difficult to detect planets around other stars? How do we detect planets around other

571 views • 8 slides
Outline Introduction Paper: Paper: Antenna Designs Antenna Performance Analysis:

Outline Introduction Paper: Paper: Antenna Designs Antenna Performance Analysis:

Paper presentation Ultra-Portable Devices Outline Introduction Paper: Paper: Antenna Designs Antenna Performance Analysis: Free Space vs Wearable Akram Alomainy,Yang Hao and David M Davenport Parametric St d Study of

97 views • 5 slides
LLRF Operator Training for XFEL Introduction and Guide Lines Mathieu Omet DESY, 27.11.2018

LLRF Operator Training for XFEL Introduction and Guide Lines Mathieu Omet DESY, 27.11.2018

LLRF Operator Training for XFEL Introduction and Guide Lines Mathieu Omet DESY, 27.11.2018 Contents > Introduction > What an operator should know > Expert only features > Exceptional cases and how to react > Summary Mathieu Omet |

726 views • 33 slides
Resolving Profile Distortion Resolving Profile Distortion for Electron-based IPMs for

Resolving Profile Distortion Resolving Profile Distortion for Electron-based IPMs for

Resolving Profile Distortion Resolving Profile Distortion for Electron-based IPMs for Electron-based IPMs using Machine Learning using Machine Learning 3rd IPM Workshop D. Vilsmeier (GSI) J-PARC (Tokai, Japan) M. Sapinski (GSI) R. Singh

346 views • 24 slides
Measurement of the lifetime of tau-lepton Mikhail Shapkin Institute for High Energy Physics,

Measurement of the lifetime of tau-lepton Mikhail Shapkin Institute for High Energy Physics,

Measurement of the lifetime of tau-lepton Mikhail Shapkin Institute for High Energy Physics, Protvino Russia For the Belle Collaboration The 13th International Workshop on Tau Lepton Physics Aachen, Germany, 15-19 September, 2014 Measurement

340 views • 31 slides

More recommend