Author Tiandi Hexing Industrial Cybersecurity Research Institute
However, if we look at the tasks that advanced attackers can accomplish from a different perspective, while considering the system as a whole, this system is not just composed of items in the factory workshop. For example, what would happen if an attacker could blend in as legitimate network traffic or normal host activity? What would such an attacker do to maintain persistence? Are there unique attack opportunities that may be outside the network scope and are currently overlooked?
The following figure illustrates many dependencies within the software and data ecosystem surrounding smart manufacturing systems. During the development phase, there are software add-ons and digital twin models provided by vendors, or software add-ons and digital twin items developed on engineering workstations (which can also be uploaded to online directories usually provided by software extensions). This workstation is also used to create custom automation logic (for machines such as robots) or firmware for custom IIoT devices. All of this, along with other components like human-machine interfaces, manufacturing execution systems, and programmable logic controllers, enables automation logic to function. High-level business decisions are translated into data written in ERP systems (or other databases), which then determines operations scheduled by MES, and subsequently defines automation routines executed by PLCs.The indirect impact of the software supply chain on final automation operations can be seen here.
The following figure visualizes the attack opportunities within data and software dependencies. Attacks involving compromise through malicious industrial plugins and attacks involving the “Trojanization” of custom IIoT devices abuse software components, which is now possible and has been seen in the wild, as the complex supply chain conversely contains a multitude of vulnerabilities. Attacks targeting vulnerable mobile human-machine interfaces demonstrate how information leaked from mobile HMIs can be exploited to access the machines controlled by those HMIs. Attacks on MES’s data management show how any operations on data at the ERP system or database level can later affect automation.Attacks involving vulnerable or malicious automation logic in complex manufacturing machines are inherently more complex as they exploit vulnerabilities within the automation logic.
Experts indicate that isolating smart manufacturing systems in dedicated, isolated networks is a common practice. These systems are viewed as black boxes, in a sense, believed to be invulnerable. On the other hand, connectivity is increasing, and vendors are pushing for wireless networks to be established at the factory level, directly connecting assets like industrial robots to wireless networks.
Attackers may have various motivations to cause failures, damage products, or alter workflows to manufacture defective products: attackers may be hired by competitors, may have financial motives (for example, attackers may demand payment in exchange for not disclosing confidential information they have stolen), or may simply want to impact the overall reputation of the factory. Attackers may also be interested in automation logic, which is often a well-protected intellectual property.
In recent years, researchers have discovered numerous supply chain attacks targeting software development tools or libraries (especially open-source code repositories), which may target the software itself or certain third-party extensions of that software.Interestingly, it has been reported that 42% of attacks in the manufacturing sector are not directly targeting facilities but rather certain systems within the supply chain.
The following figure highlights the security-sensitive areas of smart manufacturing systems, emphasizing the physical network perimeter. The factory layer network is separated from other networks (such as the internet, corporate networks) by firewalls, with red indicators representing endpoints that can serve as attack entry points.
2.1Engineering Workstations
Engineering workstations are systems shared with domain users who are always connected to the production layer. They are used to develop and deploy program logic or connect to field devices (such as programmable logic controllers, HMIs) for maintenance, diagnostics, or reprogramming. Sometimes, they are simply used to deploy programs developed elsewhere, possibly by system integrators’ personnel outside the factory.
Any workstation used for engineering purposes has a trust relationship with the rest of the system.Sometimes this relationship is known and is part of the security plan. At other times, considering the indirect or implicit trust relationships between the party developing the automation logic and the smart manufacturing system deploying the logic, it becomes harder to see. This does not necessarily mean that the developers are malicious: their computers may have simply been compromised, or even a library they used may have been compromised at the source code level. A good example is the xcodeghost malware, which was used in one of the earliest supply chain attack instances: one of its techniques was to modify the Xcode compiler, infecting the compiled iOS applications.
2.2Custom IIoT Device Development Environment
Custom IIoT devices programmed by system integrators or internal staff, such as embedded systems, Arduino-like devices, Raspberry Pi, or other single-board computers, are increasingly popular due to their greater automation flexibility compared to traditional automation hardware like programmable logic controllers.
There are many trust relationships between multiple software libraries in this ecosystem and the smart manufacturing system where the final deployed software resides. Developers are likely to need to use third-party libraries, libraries based on third-party libraries, or third-party libraries based on another party’s libraries. This software dependency chain is very complex.Developers cannot easily verify the end-to-end integrity and authenticity of libraries, which can lead to the inclusion of Trojan components.
2.3Manufacturing Execution System Database
MES databases are typically shared with the upper levels of the automation pyramid. Their function is to contain work orders and work templates, which are clearly sensitive data. When work templates are created on MES, new records will be saved to the database.Similarly, when work orders are initiated, the status of production operations is also updated in the database.
At a conceptual level, MES trusts the data coming from the database. This means that if there is no authentication and integrity of the data stored in the database, an attacker on the network or database could forge or alter records, leading to changes in production. Changes could occur at the product characteristic level and could be non-destructive.
In-depth exploration of specific aspects of smart manufacturing technology reveals components that provide attack opportunities, including: industrial plugins, custom IIoT devices, human-machine interfaces, manual coding stations, complex programmable manufacturing machines.
3.1Industrial Plugins
As the pace of innovation accelerates, the delivery mechanisms for industrial software are also evolving. Specifically, some solutions have been inspired by the app store model. For example, ABB has an app store where anyone can register (registration is automatic, requiring only email verification) and upload ABB’s RobotStudio plugins, which engineers use to write automation logic for ABB industrial robots. There are about 1000 plugins in the store, some of which have been downloaded thousands of times.These numbers must first be considered in the context that industrial robotics is currently a niche field, and developers tend to keep everything “in-house.” This is expected to change, and app stores like ABB’s are the first signs of this shift in direction.
Smart factory solutions are similar to ABB’s app store. However, it is not specifically for robotics but for general industrial applications. Individuals cannot upload applications; only registered businesses can.Applications are purchased through business-to-business (B2B) channels and provided via business-to-consumer (B2C) channels.
OrangeApps was developed by Kuka, although it is not directly developed or managed by Kuka. Unlike ABB’s app store, OrangeApps does not accept user-submitted content; it is a closed ecosystem. Interestingly, it simultaneously provides applications for desktop software and industrial robot controllers. Therefore, applications sourced from OrangeApps contain code that runs directly on industrial robot controllers. However, the network transmission uses plain HTTP, which provides the potential for man-in-the-middle (MitM) attacks.
Siwiat’s solution has a slightly different model: vendors provide hardware (IIoT devices) that have capabilities that can be extended by downloading applications from the app store. This software delivery model is very similar to the mobile device ecosystem, where users simply purchase a piece of hardware and extend its capabilities by downloading (trusted) applications delivered from the store. In fact, anything from the app store is considered trusted.
3.2Custom IIoT Devices
Widely and highly decentralized “industrial-grade” embedded devices (often Arduino-compatible) products are used for rapid prototyping and production use. Such as Arduino Industrial 101, Industrial Shields devices, Industrino, Iono Arduino, and Siemens Simatic IoT2000. These IIoT devices provide end-users with comprehensive software customization capabilities. However, the increasing demand for customization and flexibility has enlarged the attack surface of industrial factories like smart manufacturing systems.
Most industry experts confirm that they have used some custom devices in actual production to run custom firmware. Even in industrial 4.0 laboratory environments, there is a (separate) network of Raspberry Pi nodes monitoring physical conditions in the factory using sensors (such as temperature, pressure, light, noise).
“Extra” devices connecting to the ground network are becoming increasingly common, which in itself poses a risk. In fact, there have been instances of such devices being used to breach critical facilities. In 2018, a hacker targeted an unauthorized Raspberry Pi device to access NASA’s Jet Propulsion Laboratory (JPL) network. Additionally, the miniaturization of electronic components and the accessibility of manufacturing labs have made it possible to create hardware implants as small as the metal part of a USB key.
Custom IIoT devices can run complex firmware and often include several external libraries with further dependencies. The management of the software supply chain for custom IIoT devices is more complex compared to vendor-provided hardware and software solutions. The main risk is that, apart from the official libraries provided by Arduino, there are no integrity mechanisms in place to ensure that the libraries used by these devices are authentic and unaltered. In fact, attackers have realized that if they can find the “source,” i.e., by compromising popular libraries or “tying” their code into the final product (rather than the original product), they can compromise a large number of computers simultaneously.
3.3Human-Machine Interfaces
Research findings regarding human-machine interfaces indicate that HMIs often run outdated and vulnerable software. HMI technologies and custom deployments create opportunities for attack types, rather than traditional HMI-side software exploits.
Web-based and cloud-based solutions, as well as application or plugin-based systems, have made traditional HMIs more interconnected. HMIs have also evolved from a statically defined “interaction” concept to a more flexible concept that provides means for end-users to design or customize interfaces, quickly upload, and integrate into existing systems.These features make human-machine interface components complex, leading to a greater attack surface.
For example, even in test setups in research laboratories, HMIs are mixed and utilize embedded web browsers, allowing factory operators to customize UIs (for example, by providing custom HTML or JavaScript resources) without the intervention of system integrators. Domain experts designing manufacturing plants for large clients confirm that this is often requested by clients. Attackers can manipulate a simple webpage, not only delivering vulnerabilities but also playing some UI tricks to deceive operators and influence their decisions (for example, simulating errors or emergencies). Users may trust HMI screens and act based on their input, especially when the authenticity of the embedded webpages cannot be ensured.
Due to their flexibility and ease of use, mobile devices such as tablets and smartphones make good human-machine interfaces. Although HMIs are a relatively niche market, over 170 HMI applications have been found on the Google Play Store, with more than 40 applications installed over 1000 times, and in some cases, even exceeding 100,000 times. Researchers not only expect the demand for these solutions to grow but also highlight the usability and security advantages of mobile HMIs over classic HMIs.In addition to users being accustomed to using mobile devices, they are also more flexible and easier to manage than industrial computers running HMI software.As applications running on modern mobile operating systems are sandboxed, they are easier to keep updated and inherently more secure, a crucial feature lacking in touch-based industrial computers running outdated versions of Microsoft Windows.
However, due to their flexibility, and since the hardware is a general-purpose computer, mobile HMIs are susceptible to other categories of attacks. At the physical network layer, mobile HMIs connect via wireless protocols (Wi-Fi or Bluetooth), making it easier for attackers to access them compared to wired connections. The main risk is that mobile HMIs are designed with the same assumptions as traditional HMIs, namely that they are located within a closed wired network. For example, in Comau’s PickApp (a human-machine interface for interacting with industrial robots), the network protocols used do not enforce data integrity or confidentiality, nor do they authenticate endpoints or perform any authentication, meaning that as long as the data complies with its application protocol, they will trust any data.
Like other applications, mobile HMI applications may inadvertently carry sensitive information (such as credentials and private keys). The key point here is that this information will be exposed as the preferred delivery mechanism is through app stores.
3.4Manual Coding Stations
In smart manufacturing systems, MES plays a critical role as the gateway between high-level manufacturing scheduling (like ERP) and the actual production of goods in the manufacturing workshop. The MES market is “closed,” targeting specialized solutions. For example, researchers could only find two open-source solutions, with no more commercial and enterprise products, the most popular of which include General Electric’s Predix Manufacturing Execution System, Honeywell Connected Plant, Rockwell Automation’s FactoryTalk Production Center MES, SAP Manufacturing Execution System, and Wonderware MES.
Enterprise-level MES is very expensive and difficult to access. From a security research perspective, this is clearly an issue, as it is crucial to have access to real, mature systems for security testing. Apart from cloud-based solutions and some transient instances of Wonderware that we discovered through remote desktop protocols (possibly honeypots or staging systems), it is unlikely to find internet-facing MES.
From a security perspective regarding MES, it is reasonable to assume that attackers are already on the network. Regarding lateral movement, this does not mean assuming that attackers can access the MES (otherwise, it would already be too late). For example, researchers believe that attackers may only have access to the MES database, rather than the entire MES endpoint.
3.5Complex Programmable Manufacturing Machines
Complex programmable machines (such as industrial robots) execute their manufacturing tasks based on task programs, which are essentially scripts executed on the machine (e.g., “move right,” “open gripper,” “move down,” “pick item”). Each machine vendor has its own domain-specific language for writing task programs, such as ABB’s Rapid, Comau’s PDL2, Fanuc’s Karel, Kawasaki’s AS, Kuka Robot Language (KRL), Mitsubishi’s Melfa Basic, Yaskawa’s Inform. These industrial robot programming languages (IRPLs) are proprietary, and each language has its own set of unique functions.
IRPLs are very powerful because they allow programmers to write automation programs that can also read and write data to the network or files, access process memory, execute code dynamically downloaded from the network, and so on. One of the primary use cases for this powerful functionality is the need to integrate with middleware software, allowing robots to converse with vendor-neutral solutions (such as Robot Operating System Industrial, ROS Industrial), which is the most popular solution, with many top industry brands being part of the ROS Industrial consortium.
If misused without proper security awareness, these powerful features can be very dangerous. First, if used without input validation (which is the most common case we found), these features can introduce vulnerabilities. Secondly, due to the lack of privilege separation during execution, programs that perform simple machine movements can be executed alongside programs that read from the network, write to files, or execute that file (i.e., behavior similar to a dropper) or scan the network to affect the manufacturing machines, or alter the movements of robots and other characteristics affecting the physical environment.
Attack vectors can be malicious task programs that are undetectable by conventional security scanning programs (similar to how PowerShell or JavaScript malware variants are often undetectable), or Trojan task programs with dropper functionality that download malicious payloads and execute them under unforeseen circumstances.
4.1Exploitation of Vulnerabilities
Smart factory systems include countless devices and components connected to a single network. Any vulnerability present in any of these devices could expose the system to any form of attack. In fact, the Stuxnet worm is an example that exploited certain 0-day vulnerabilities for propagation. Stuxnet gained attention because it targeted critical infrastructure.The successful attack activities using vulnerabilities highlight the importance of good security practices, such as regular patching of vulnerabilities.
4.2Malware Installation
Past attacks have shown that malware deployment is the most commonly used method by threat actors. Malware installed on industrial networks can jeopardize Industrial Control Systems (ICS), such as BlackEnergy and Killdisk. The Trojan Triton gained notoriety for specifically manipulating industrial safety systems and shutting down operations at an industrial plant. Recently, it was discovered that threat actors used cryptocurrency mining malware to attack a water facility in Europe.
Threat actors use different types of malware for attacks, such as rootkits, ransomware, and Trojans. They also consider how to effectively deploy malware, which means a method that can cause maximum damage or penetrate the target defense system without being detected. They can leverage techniques such as social engineering, spear-phishing attacks, and watering hole attacks.This is why manufacturers should not only establish cybersecurity awareness for smart factory operators but also for all employees.
4.3DoS and DDoS
DoS is a type of network attack aimed at disabling or shutting down networks, devices, or resources.DDoS is a distributed DoS that uses a large number of compromised devices (bots) to attack the target system’s connections or processors. For example, the IoT botnet Mirai took down several well-known websites and online services. Although its impact on the industrial sector is not well-known, it still demonstrates the potential effectiveness and consequences of DDoS attacks. With the release of its source code and the emergence of DDoS-as-a-service providers, it is not unbelievable that future DDoS attacks targeting smart factories and other IIoT infrastructures will increase. Similarly, compromised ICSs could ultimately be used by botnets to attack other organizations.
4.4Man-in-the-Middle Attacks
Man-in-the-middle (MitM) attacks involve threat actors entering the communication channels that the company is using. Smart manufacturing systems require multiple communication channels to facilitate their processes, such as communication between control systems and devices. In addition to forwarding information to malicious third parties, this attack could also allow attackers to input their own code or data. For example, insecure communication protocols may allow attackers to modify firmware upgrades during transmission. MitM attacks emphasize that ensuring the security of communication channels is crucial to the overall security of the system, in addition to device and network security.
4.5Reconnaissance and Information Theft
Attackers can also take a more subtle approach by stealing information or monitoring exposed systems. For example, exposed human-machine interfaces (HMIs) may reveal customer databases, and attackers may steal personally identifiable information (PII). This threat and its ripple effects could impact exposed integrated circuits in critical sectors and other industries. By gaining unauthorized access to the network, threat actors can also steal information regarding device behavior that is essential for the factory’s automated functions, usually collected by its sensors. Such attacks on the network highlight the importance of APT intrusion detection and prevention systems.
4.6Device Attacks
The number of connected devices inside and outside the factory floor does not diminish the importance of each device to overall security. Attackers can use a single compromised device to spread malware or access the entire industrial network. If attackers gain physical access, they can even tamper with actual devices. They may then cause the tampered devices to send incorrect information to other parts of the network or simply malfunction, impacting other parts of the production line.
References:
1. TrendMicro, Attacks on Smart Manufacturing Systems, A Forward-looking Security Analysis
2. https://iiot-world.com/cybersecurity/security-threats-and-risks-in-smart-factories/
