The emergence of Digital Twins (DT) in industry has been a major breakthrough in the improvement of industrial processes. It has also allowed the inclusion of simulations in an environment where the trial-and-error method was used up to now, thus minimising the industrial waste generated by these tests and optimising the industrial process by means of different data processing techniques.
The use of meta-operating system frameworks such as Robot Operating System (ROS) provides multiple possibilities to interact with the robot and optimise its operation in real time. Nevertheless, the libraries and the protocols they use (ROSTCP and ROSUDP) have security vulnerabilities (e.g. ROS v1 was not designed with security considerations) that can allow an external attacker to gain control of the robot. This may lead to consequences at shopfloor level, such as damaging the system, stopping production, or even affecting the safety of an operator.
To avoid such problems, well-planned Incident Response (IR) and Threat Intelligence (TI) services enable an organisation to identify potential security issues and react to them before they cause further damage.
In the context of the ODIN project, a cyber kill chain for robotic production systems has been modelled, based on the MaGMa Use Case Framework and the MITRE ATT&CK Framework. A cybersecurity detection and response system (see Figure 1) has also been developed to mitigate the detected attacks and minimise the damage to the robotics environment.
A Cyber Kill Chain is the sequence of actions an attacker carries out to gain access to a target, using different attack tactics and techniques from the MITRE ATT&CK model. In ODIN, a cyber kill chain has been defined in which the attacker detects ROS communications on the network and replicates the actions of the ROS master from the attacking host towards the robot environment. The steps are as follows:
The responsibility of the cybersecurity providers is to be aware of the possible cyber kill chains affecting the system, and to be prepared to detect and mitigate the attacks as soon as they occur. For this, there are tools such as SIEM (Security Information and Event Management), which collects logs and data from the network and systems and generates the corresponding security events, and SOAR (Security Orchestration, Automation and Response), which allows automation workflows to be defined that guide the incident response actions.
By combining threat intelligence with SIEM and SOAR platforms, incident responders can, on the one hand, enrich the indicators found in their log files and prioritise alerts, and, on the other hand, use indicators of risk to execute automated attack mitigations and improve the effectiveness of incident response.
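As an added example (not code from the ODIN project), the following Python sketch shows the kind of SIEM detection rule that covers the kill chain described above: it runs over constructed, SIEM-normalised connection events to the ROS 1 master API (default TCP port 11311) and flags hosts outside an assumed inventory that query the master or register publishers/subscribers, as well as nodes that talk to a master address that is not the legitimate one. The host lists, event format and topic names are assumptions for the example.

```python
import json
from collections import defaultdict

ROS_MASTER_PORT = 11311  # default port of the ROS 1 master XML-RPC API

# Assumed inventory: the legitimate master and the hosts allowed to run ROS nodes.
KNOWN_MASTERS = {"10.0.0.10"}
KNOWN_NODE_HOSTS = {"10.0.0.10", "10.0.0.21", "10.0.0.22"}

# Master API calls that change the computation graph; an unknown host issuing
# them is a sign of rogue-node or master-impersonation activity.
REGISTRATION_CALLS = {"registerPublisher", "registerSubscriber", "registerService"}

# Constructed sample events, in the shape a SIEM might normalise from a network sensor.
SAMPLE_EVENTS = [
    '{"ts": 1, "src": "10.0.0.21", "dst": "10.0.0.10", "dport": 11311, "method": "registerPublisher", "topic": "/joint_states"}',
    '{"ts": 2, "src": "10.0.0.22", "dst": "10.0.0.10", "dport": 11311, "method": "lookupNode"}',
    '{"ts": 3, "src": "10.0.0.99", "dst": "10.0.0.10", "dport": 11311, "method": "getSystemState"}',
    '{"ts": 4, "src": "10.0.0.99", "dst": "10.0.0.10", "dport": 11311, "method": "registerPublisher", "topic": "/cmd_vel"}',
    '{"ts": 5, "src": "10.0.0.21", "dst": "10.0.0.99", "dport": 11311, "method": "registerSubscriber", "topic": "/cmd_vel"}',
    '{"ts": 6, "src": "10.0.0.21", "dst": "10.0.0.10", "dport": 22, "method": null}',
]

def classify(event):
    """Return a list of (severity, description) findings for one event, or [] if benign."""
    findings = []
    if event.get("dport") != ROS_MASTER_PORT:
        return findings  # not master API traffic; other rules would cover it
    src, dst, method = event["src"], event["dst"], event.get("method")
    if dst not in KNOWN_MASTERS:
        findings.append(("high", f"node {src} talking to unexpected ROS master {dst}"))
    if method in REGISTRATION_CALLS and src not in KNOWN_NODE_HOSTS:
        findings.append(("high", f"unknown host {src} issued {method} for {event.get('topic')}"))
    elif src not in KNOWN_NODE_HOSTS:
        findings.append(("medium", f"unknown host {src} queried master API ({method})"))
    return findings

def detect(lines):
    """Run the rules over raw JSON log lines; return findings keyed by source host."""
    alerts = defaultdict(list)
    for line in lines:
        event = json.loads(line)
        for severity, desc in classify(event):
            alerts[event["src"]].append((event["ts"], severity, desc))
    return dict(alerts)

if __name__ == "__main__":
    for host, items in detect(SAMPLE_EVENTS).items():
        for ts, sev, desc in items:
            print(f"[{sev}] t={ts} {desc}")
```

In a real deployment the resulting findings would be forwarded as security events to the SOAR platform, where a playbook can isolate the offending host or block its traffic to the master port.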
For more information about cybersecurity and Threat Intelligence in Industrial and Robotics environments, see the following references: