Threats and Consequences: A Security Analysis of Smart Manufacturing Systems
Through a thorough analysis of an actual smart manufacturing environment, our in-depth security research explores several attack vectors that could be used by threat actors to launch unconventional attacks on smart manufacturing systems.
In the era of Industry 4.0, there has been increasing adoption of smart manufacturing technologies by organizations looking to improve their manufacturing efficiency. While this has provided plenty of benefits, such as enhanced productivity at lower costs, it has also introduced new attack vectors that can be exploited by threat actors looking to gain a foothold in or move laterally across smart manufacturing facilities.
Smart manufacturing systems are designed to be isolated from the corporate network and the outside world. Nevertheless, there is the possibility that attackers will use other, more unconventional methods to compromise systems. The feasibility of attacks that use these methods and their repercussions for targeted organizations were what we sought to determine in our research.
Given that a smart manufacturing setup can be incredibly complex and involve a large array of technologies and disciplines, we decided to focus on a specific aspect of security: attack models wherein threat actors who have gained access to different parts of the system use these entry points and targets to expand their reach.
To do this, we needed to get up close to an actual smart manufacturing environment. This allowed us not only to study the inner workings of the production process, but also to simulate the production of goods so as to see where the weak points lay. For our analysis, we partnered with Politecnico di Milano, the largest technical university in Italy, to gain access to the Industry 4.0 Lab, a research laboratory that manufactures toy cell phones using the same fundamental principles as full-fledged production floors.
A photo of Industry 4.0 Lab, the system that we analyzed during this research
What we found confirmed many of our theories on how attackers might remotely or indirectly compromise smart manufacturing systems.
The smart manufacturing system
The overall architecture of the smart manufacturing plant that we used in this research
The modular smart manufacturing system that we analyzed is made up of stations, each comprising at least three key components:
A physical machine that does the actual work, such as a loader, drill, or industrial robot.
A human-machine interface (HMI), which is used by the operator to monitor and control the progress. Aside from traditional HMIs, there are mobile HMIs, which are essentially apps that perform HMI roles.
A programmable logic controller (PLC), which serves as the interface for the interaction between the physical machine, the HMI, and the rest of the network.
At the heart of the smart manufacturing system lies the manufacturing execution system (MES), a complex logic layer on top of a database that acts as the interface between the enterprise resource planning (ERP) system and the physical plant.
Threat actors can target a combination of these parts (or their own components) by taking advantage of the trust relations that they have within the smart manufacturing system.
Attacker entry points
There are several key entry points that an advanced attacker may consider in carrying out an attack on a smart manufacturing system.
Engineering workstation
An engineering workstation is a shared system with domain users that is connected to the production floor most of the time. It is mainly used for developing and deploying program logic, or for managing field devices such as PLCs and HMIs. It can also be used to deploy programs that were developed externally. There is normally a dangerous trust relation between any engineering workstation and the rest of the system, which an attacker can exploit by, for example, compromising the software supply chain, which includes externally developed software, libraries, extensions, and the like.
Custom IIoT device development environment
Smart manufacturing systems sometimes use custom industrial internet-of-things (IIoT) devices, which offer better automation flexibility than classic automation hardware such as PLCs. These devices are programmed by either internal employees or system integrators. The potential entry point in this case comes in the form of the custom IIoT device development environment: An attacker can take advantage of the many trust relations between the smart manufacturing system and the multiple software libraries used to program the devices.
MES database
The MES database stores sensitive data from the MES such as work orders and work templates. An MES database is implicitly trusted by the rest of the system, meaning that an attacker with access to either the network or an unauthenticated MES database can alter production by forging or changing the records within the database.
Data and software dependencies in the context of a smart manufacturing system
We tested the feasibility of several attacks under different attacker model assumptions, focusing on the three aforementioned entry points. We analyzed five attacks, which are presented here according to the depth of their penetration into the system, from entry point to the final target.
Compromise through a malicious industrial add-in
We demonstrate that an attacker can gain access to an engineering workstation by using a malicious add-in and vulnerable development environment that are specific to industrial automation. They can then use the engineering workstation to steal secrets and remotely trojanize task programs in order to move laterally to other parts of the system with the goal of either altering the factory's production, or at the very least, remaining persistent for future activities. An attacker can also take advantage of the fact that an add-in has access to system resources that are necessary for implementing different functions. This means that an uploaded add-in can be used for malicious purposes, e.g., for appending malicious code or collecting sensitive data.
Trojanization of a custom IIoT device
Developing for custom IIoT devices often involves using resources, tutorials, and libraries that are uploaded to publicly accessible repositories that lack a mechanism or vetting process aimed at checking for their integrity. We show that some of these development tools can have malicious functions integrated into their code, or can even have vulnerabilities unwittingly introduced either by their creators or by developers who take preexisting libraries, modify them, and then re-upload them.
High-level overview of the possible attacks included in our case study
Exploitation of a vulnerable mobile HMI
The primary security risk of mobile HMIs is the same as that of traditional ones: They exist in a closed, wired network where trust between an HMI and the rest of the system is a given. An attacker can take advantage of this trust relation by finding a weakness in a mobile HMI and exploiting it to affect the physical machines that it interacts with. For example, as we show in our demonstration, a mobile HMI can leak sensitive information that an attacker can discover and use to interact with the system’s endpoints.
Data mangling on the MES
We show that an attacker can go straight for the MES to cause malfunctions in the manufacturing of goods, either by introducing an error in production, e.g., by changing the values of the parameters used in an operation to create defects in the final product, or by setting an operation parameter to an out-of-bound value, which will cause a denial of service that will essentially block production.
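As an added illustration (not code from the research or from any MES product), the check below shows why a range check alone only catches the denial-of-service case: a defect-inducing value that stays within limits is found only by comparing the record against an approved template held outside the MES database. The record layout, parameter names, limits and template ID are hypothetical and constructed for this example.

```python
# Added example: hypothetical record layout, parameter names and limits (constructed).
LIMITS = {"drill": {"depth_mm": (0.5, 6.0), "spindle_rpm": (500, 6000)}}

# Approved work templates, held outside the MES database so that a forged
# database record cannot also rewrite the reference it is compared against.
APPROVED = {"TPL-DRILL-01": {"operation": "drill", "depth_mm": 3.0, "spindle_rpm": 3000}}


def check_work_order(order, limits=LIMITS, approved=APPROVED):
    """Return findings for one work-order record read from the MES database."""
    template = approved.get(order.get("template_id"))
    if template is None:
        return ["template:unknown"]
    findings = []
    op = template["operation"]
    if order.get("operation") != op:
        findings.append("operation:differs_from_template")
    params = order.get("params", {})
    for name, (lo, hi) in limits[op].items():
        value = params.get(name)
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            findings.append(f"{name}:missing_or_non_numeric")
        elif not lo <= value <= hi:          # also rejects NaN
            findings.append(f"{name}:out_of_bounds")
        elif value != template[name]:        # in range, but not what was approved
            findings.append(f"{name}:differs_from_template")
    findings += [f"{n}:unexpected_parameter" for n in params if n not in limits[op]]
    return findings


# Constructed sample records.
ORDERS = [
    {"id": 1, "template_id": "TPL-DRILL-01", "operation": "drill",
     "params": {"depth_mm": 3.0, "spindle_rpm": 3000}},
    {"id": 2, "template_id": "TPL-DRILL-01", "operation": "drill",
     "params": {"depth_mm": 4.5, "spindle_rpm": 3000}},      # defect-inducing
    {"id": 3, "template_id": "TPL-DRILL-01", "operation": "drill",
     "params": {"depth_mm": 3.0, "spindle_rpm": 90000}},     # out of bounds
]

if __name__ == "__main__":
    for order in ORDERS:
        print(order["id"], check_work_order(order) or "ok")
```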
Use of the vulnerable or malicious automation logic in a complex manufacturing machine
The complex machines used in smart manufacturing rely on automation logic to perform their manufacturing tasks. We show that an attacker who has managed to gain access to either the network or the targeted machine itself can purposely write malicious programs that abuse specific functionalities, or can exploit vulnerabilities that have been unwittingly introduced by programmers into the programs — on par with programs written with general-purpose programming languages. There is an interplay between these two cases, and vulnerable and malicious automation logic can have various consequences, including information theft and unintended machine movement.
A summary of the broad cases of unsafe automation logic
A forward-looking approach to securing smart manufacturing systems
There has been an increasing shift among organizations in the manufacturing industry from static deployments toward connected and dynamic setups using reconfigurable modular plants. In line with this, there is a need for them to adjust their security policies away from the assumption that endpoints or machines within a manufacturing plant should automatically be trusted, and to opt for a more granular approach instead.
With this in mind, we enjoin organizations to take concrete steps toward protecting their systems:
At the network level, there should be deep packet inspection that supports the relevant operational technology (OT) protocols for spotting anomalous payloads.
For endpoints, there should be periodic integrity checks in order to receive alerts for any altered software components.
For IIoT devices, code signing should be required. However, it should not be limited to the final firmware alone but should also include any other dependencies to protect them from third-party libraries that could be hiding malicious functions.
Risk analysis for automation software should be tailored as needed. In systems where collaborative robots work side by side with humans, for example, safety should be implemented at the firmware level.
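The endpoint integrity check and the dependency-inclusive code signing recommended above can share one mechanism, sketched here as an added example that is not taken from the research: an authenticated manifest records a digest for the firmware and for every library built into it, and the same verification runs before deployment and periodically afterwards. File names, contents and the key are constructed, and HMAC-SHA256 stands in for an asymmetric signature so that the example needs only the standard library.

```python
import hashlib
import hmac
import json

# HMAC-SHA256 stands in for an asymmetric signature so the example needs only
# the standard library; a real deployment would verify with a public key.


def _mac(entries, key):
    body = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def sign_manifest(artifacts, key):
    """Record a SHA-256 digest for the firmware AND every dependency."""
    entries = {n: hashlib.sha256(b).hexdigest() for n, b in sorted(artifacts.items())}
    return {"entries": entries, "mac": _mac(entries, key)}


def verify(artifacts, manifest, key):
    """Return findings; an empty list means every component matches."""
    if not hmac.compare_digest(_mac(manifest["entries"], key), manifest.get("mac", "")):
        return ["manifest:bad_signature"]
    findings = []
    for name, want in manifest["entries"].items():
        blob = artifacts.get(name)
        if blob is None:
            findings.append(f"{name}:missing")
        elif hashlib.sha256(blob).hexdigest() != want:
            findings.append(f"{name}:modified")
    findings += [f"{n}:unlisted" for n in sorted(artifacts) if n not in manifest["entries"]]
    return findings


# Constructed build inputs and key (all names and contents are hypothetical).
KEY = b"constructed-demo-key"
BUILD = {
    "firmware.bin": b"\x7fFW release 1.0",
    "lib/net_stack.c": b"int net_send(void) { return 0; }",
    "lib/sensor_driver.c": b"int read_temp(void) { return 21; }",
}
MANIFEST = sign_manifest(BUILD, KEY)

if __name__ == "__main__":
    changed = {**BUILD, "lib/sensor_driver.c": b"int read_temp(void) { return 99; }"}
    print(verify(BUILD, MANIFEST, KEY), verify(changed, MANIFEST, KEY))
```

A library that was modified and re-uploaded under the same name shows up as `modified`, and one pulled in without being listed shows up as `unlisted`; editing the manifest to match fails the signature check.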
In addition, we believe that organizations should protect themselves not only from current threats but also from possible future threats by following the same levels of security implementation found in the secure coding practices and defenses of non-OT software such as mobile apps, web apps, and cloud environments. Organizations should focus their attention on improving their products and embedding them with secure functionalities. These include a full chain of trust for data and software within the smart manufacturing environment, detection mechanisms for recognizing vulnerable or malicious logic in complex manufacturing machines, and sandboxing and privilege separation mechanisms for software running on industrial machines and development environments.
In our research paper, “Attacks on Smart Manufacturing Systems: A Forward-looking Security Analysis,” we provide an in-depth discussion of the different entry points, targets, and attacks that threat actors could use against smart manufacturing systems, and of the consequences should these attacks be successful. Ultimately, we aim to provide insights to organizations that use — or plan to use — smart manufacturing technologies about how they can protect their current smart manufacturing systems and prime themselves for future threats.
Smart manufacturing systems are typically isolated from both the outside world and the corporate network. This means that attackers have to take unconventional approaches to be able to compromise these systems. In collaboration with Politecnico di Milano, Trend Micro Research explores the feasibility of a number of attacks and the impact they could have on affected systems.