Can ROS be used securely in industry? Red teaming ROS-Industrial

With its growing use in industry, ROS is rapidly becoming a standard in robotics. While developments in ROS 2 show promise, slow adoption cycles in industry mean that widespread industrial adoption of ROS 2 is still years away. ROS will prevail in the meantime, which raises the question: can ROS be used securely for industrial use cases even though its origins did not consider it? The present study analyzes this question experimentally by performing a targeted offensive security exercise in a synthetic industrial use case involving ROS-Industrial and ROS packages. Our exercise results in four groups of attacks that manage to compromise the ROS computational graph, and all except one take control of most robotic endpoints at will. To the best of our knowledge and given our setup, the results do not favour the secure use of ROS in industry today. However, we managed to confirm that the security of certain robotic endpoints holds, and we remain optimistic about securing ROS industrial deployments.
