The Business Cost of Insecure Robotics: Threat Modeling a Premium AMR

Alias Robotics -

WHAT IS THREAT MODELING?

Threat modeling is a structured exercise that leverages abstractions and real-world data to detect potential risks. This process identifies potential attackers, their capabilities, resources, and intended objectives. In this study, threat modeling is applied to analyze each platform's implementation, detect security vulnerabilities, and offer practical solutions or workarounds based on real-world usage scenarios.

Threat modeling is crucial for developing robust security defenses and generally answers the following key questions:

  • What is your current cybersecurity status?
  • What can go wrong? Could it lead to a major loss or impact?
  • What steps can be taken to improve the system's security?

OBJECTIVE

This case study aims to conduct a preliminary analysis and provide practical recommendations to strengthen the cybersecurity of connected autonomous mobile robots (AMRs). The goal is to protect AMR systems, ensure user safety, and encourage a proactive approach toward cybersecurity. This approach is critical to addressing emerging threats and ensuring the reliable performance of AMRs in an evolving environment. The study also aligns with forthcoming regulations such as the Cyber Resilience Act for manufacturers and NIS2 for end users.

ACTORS

  • End user: NIS2 sectors
  • Robot operator: Production manager
  • Defender: Alias Robotics

CLIENT PROFILE

About Premium AMR1

Premium AMR1 is a state-of-the-art autonomous mobile robot designed to optimize logistics and material handling in industrial environments. Its compact, agile design allows it to navigate complex warehouse layouts and confined spaces effectively. Premium AMR1 stands out for its advanced capabilities compared to lower-performing alternatives.

Key features:

  • Advanced navigation and obstacle-avoidance technology capable of autonomously transporting payloads
  • Adaptive motion planning that dynamically adjusts routes in environments shared with human operators
  • Multiple safety features, including collision avoidance and dynamic obstacle detection
  • Integration with existing warehouse management systems (WMS) and compatibility with third-party software for centralized monitoring and control
  • Real-time status updates and diagnostics via an intuitive web-based user interface

Despite these impressive features, cybersecurity remains an under-prioritized aspect of AMR design. Manufacturers often do not focus on security as a selling point, leaving these robots vulnerable to cyberattacks. To understand the attack surface of a robotic system, it is essential to conduct a threat modeling exercise to identify and mitigate cybersecurity risks.

INDUSTRIES SERVED

METHODOLOGY

Cybersecurity has become essential for maintaining the safety and integrity of industrial applications, especially in complex, interconnected environments like the logistics industry. The growing connectivity and complexity of these systems significantly expand the attack surface, exposing Autonomous Mobile Robots (AMRs) to various cyber threats. These threats can compromise operational availability, lead to safety issues, and cause economic and reputational damage.

To perform this threat model, a premium AMR, widely used in the automotive, food manufacturing, and warehousing industries, was selected for analysis. For this study, it will be referred to as AMR1.

Disclaimer: The names and details in this case study have been anonymized for confidentiality. This content is solely intended to highlight the general cybersecurity status of AMRs. Alias Robotics does not endorse, encourage, or promote unauthorized tampering with robotic systems, which may result in severe injury, significant property damage, and legal consequences.

SYSTEM ARCHITECTURE OF PREMIUM AMR1

  • Onboard computer system: The onboard computer serves as the central hub for managing operations. It features an industrial-grade PC running a Debian-based Linux distribution with ROS (Robot Operating System).
  • Wireless communication system: Includes Wi-Fi and LTE capabilities (LTE not enabled). These interfaces facilitate communication with the WMS, updates, and synchronization with other robots.
  • Safety systems:
  • Equipped with two LIDAR sensors (front and rear) for collision avoidance
  • Two emergency stop buttons (E-Stop) for immediate shutdown
  • A front-facing 3D depth camera for enhanced obstacle and human detection
  • Complies with ISO 13849 safety standards, although real safety cannot exist without robust cybersecurity
  • User interface and control panel: Features a web-based interface for real-time monitoring, setting operational parameters, and running diagnostics.
  • Navigation and path-planning algorithms: Utilizes a ROS-based navigation stack that allows it to adjust its route autonomously based on real-time environmental data.

ARCHITECTURE DATA FLOW

The architecture data flow diagram outlines how different components interact and exchange information within the system. It highlights critical assets and their connections, providing insight into potential vulnerabilities.

TRUST BOUNDARIES

A trust boundary marks areas where multiple entities with different privileges interact. Systems with numerous external interfaces have more complex trust boundaries and larger attack surfaces. The following are the trust boundaries identified in this study:

  • TB1 -- AMR
  • TB2 -- Wireless 1
  • TB3 -- Wireless 2
  • TB4 -- RJ45/Ethernet
  • TB5 -- Outside world

ENTRY POINTS

Identified entry points where a malicious actor could initiate an attack:

  • EP1 (USB): Physical USB port, crossing from the Outside World to the AMR
  • EP2 (Wi-Fi): Wireless communication, crossing from Outside World to Wireless 1
  • EP3 (Wi-Fi): Wireless communication, crossing from Outside World to Wireless 2
  • EP4 (Ethernet): Wired communication, crossing from Outside World to RJ45/Ethernet

RISK ANALYSIS AND FEASIBLE ATTACKS

Alias Robotics identified several possible attack pathways affecting premium AMR1:

  • Malware Injection via USB
  • Man-in-the-Middle (MITM) Attack on the wireless network
  • Unauthorized Access through the web-based management interface
  • ROS Node Compromise

CONCLUSIONS

  • Premium AMR1 is a robust industrial robot with an expanded attack surface, making it a potential target for cybercriminals
  • Threat modeling is essential to comply with IEC 62443 Part 4 and to mitigate cybersecurity risks effectively
  • The next step is to conduct cybersecurity testing of the identified threat landscape
  • Cybersecurity is an iterative process that must be revisited regularly as new threats emerge
  • Alias Robotics is a leading provider of robotic cybersecurity solutions

Read more about threat modeling | View other case studies