Industrial Cyber-Physical Systems (CPSs), like any computer system, are vulnerable to cyberattacks that may endanger the safety of personnel on automated production lines. This paper studies IDSs for industrial robots that model their legitimate behavior through statistical and ML techniques and detect anomalies as deviations from the learned norm. We validate our approach against attacks in a simulated and real environment, demonstrating its efectiveness in detecting anomalous behaviors during the robot operation.
perform anomaly detection. In the second scenario, the robot interacts with a more complex environment and changes its operation based on external conditions: in this case, we use a model based on Long Short-Term Memory Network (LSTM) Recurrent Neural Network (RNN) that predicts the legitimate behavior during production and detect anomalies as deviations from the learned norm. We evaluate our approach against novel and known attacks that introduce both spatial and temporal anomalies in simulated and real scenarios: we study the detection performance in terms of the speed and spatial thresholds under which attacks are identified. Results indicate that our approach is efective in learning the correct robot behavior and timely detecting the attacks within seconds of their introduction and low error rates. This research provides the following contributions: • We design three novel attacks, not detected by state-of-the-art solutions, that modify the manufacturing process leading to the introduction of defective products. • We propose an IDS comprising two diferent learning models capable of detecting the attacks developed in this research and current state-of-the-art attacks, demonstrating its efectiveness.
Classical IDS for Industrial Control System (ICS) perform anomaly detection at process [
Cheng et al. [
Munawar et al. [
One of the most concerning types of attack on a production line is the introduction of microdefects (product faults of small enough scale not to be noticed by supervising human operators but suficient to cause critical failures when the product is used). Early, automated defect detection is the aim of several works that apply machine learning techniques to images of the manufactured product but the efectiveness against micro-defects inserted on purpose has not been proven yet.
Narayanan, et al. [
Threat modeling is a necessary step of any security evaluation, especially when focusing on cyber-physical systems [29]. In this work, we focus on identifying and preventing attacks that alter the movement of industrial robots, potentially causing physical damage or defective products in an Industry 4.0 automated production line. Two main types of attackers [30, 31] are considered: internal attackers who have direct access to the robot controller and HMI and external attackers who exploit vulnerabilities in the ICS network to gain access. The worst-case scenario is assumed, where the controller is fully compromised, making it impossible for IDS to rely on data from the controller. In particular, we mainly consider production sabotage attacks, which result in defective products, causing economic loss and potential harm to users.
One specific concern is micro-defects, small faults that can lead to critical failures but are unnoticeable by human operators.
Belikovetsky et al. [32] provide an example of how micro-defects can cause major failures in the specific case of drone propeller blades.
Conventionally, defects are found after production by carefully examining samples. This is both time-consuming and costly for both the company and its customers. Early detection of defects during the production process would benefit the company.
We introduce three attacks:
Attack 1: Alteration of the robot movement. It involves altering the robot’s firmware or
parameters to afect its accuracy or movement. This can cause the robot to follow a diferent path
or perform tasks at a diferent velocity, leading to defects. For example, a welding robot could
introduce a product defect by performing the welding operation at a higher velocity than the one
designed to set up the task while still following the programmed path. The Narayanan et al. [
Attack 3: Alteration of the robot logic. It involves altering the robot’s logic that uses external signals for decision-making. For example, a drilling robot could perform a diferent path based Prediction Module
LSTM (Cooperative task)
SARIMA (Repetitive task) Live Signal
Prediction
Detection Module Error Function
Outcome Sampled Signal for Training
Untampered Signal for Live Training on the type of product coming from the conveyor belt, and the type of product is determined by an external sensor, sending the signal to the robot through the network or a physical interface. An attacker can change the controller logic to cause the robot to perform the wrong task, leading to defects.
Our approach consists of a prediction module and a detection module, as shown in Figure 1. The prediction module builds a prediction from the nominal data in the form of time series of the position of the end efector of the robot during the robot’s task execution, alongside the angular position of each of the joints of the robot calculated through an inverse kinematic function. The detection module produces a prediction error and identifies anomalous behavior.
Our approach is mostly unsupervised and uses nominal movement data to create a behavioral model for the untampered system. Anomalous behavior is identified by comparing the prediction with live operation data and flagging a movement that difers from the expected value by means of an error function.
The prediction module has two task-dependent sub-modules: SARIMA for repetitive tasks and LSTM for cooperative networked environment tasks.
Scenario 1: Repetitive Task. The robot performs a single repetitive task [
Scenario 2: Cooperative Networked Environment. It involves a networked environment with multiple robots and industrial devices performing coordinated tasks by exchanging information and signals. The robot’s behavior can change based on external signals, and the task performed alternates between pre-defined tasks. An attacker – performing the third attack described in the previous section – could introduce defects in production by altering the network’s coordinating logic.
The main concept behind our unsupervised approach is to use data obtained by logging the correct movement of the robot to learn a correct behavioral model. This model is then used to perform predictions during the live operation of the robot. For each of the two operational scenarios identified, we propose a specific model that learns the robot’s behavior and performs predictions of its movement. For the first scenario (repetitive task), we leverage the repetitive nature of the robot task to learn its movement over time: in this case, we use a Seasonal AutoRegressive statistical model [33], which can be seen as a sub-model of the Seasonal AutoRegressive Integrated Moving Average (SARIMA) model. In the second scenario (cooperative networked environment), the overall task is not identically repeated over time, hence the robot behavior is not seasonal anymore: the SAR model cannot correctly learn the robot expected behavior in this context. For this scenario, we use a Long Short-Term Memory Network (LSTM) RNN, well known for its capability to learn long-term dependencies and behaviors in time series datasets [34]. Prediction Module for Repetitive Task: SAR(IMA). The core concept behind a SARIMA model is to predict future values of a time series as a function of its past values (lags) and prediction errors, while also including a seasonal component capable of addressing the seasonality of a time series. The model is composed of a non-seasonal component (a standard ARIMA model) and a seasonal part that consists of the same component delayed in time by the seasonal parameter. A SARIMA model is defined as follows: (,,) × (,,), where the parameter is the order of the n⏟on-seasonal ⏟ seaso⏞nal
⏞ AR component, is the parameter of the Integrator component, and is the order of the MA component. , , and are the orders of the relative component lagged by the seasonality parameter .
However, in order to accurately predict the signal of each robot axis, we do not require the full SARIMA model: given the stationary [35] and constant seasonal nature of the analyzed signal, we only require the Seasonal AutoRegressive (SAR) component of the SARIMA model. The complete model is then simplified to a (,0,0)× (,0,0)
The main benefit of a Seasonal AR model increases when the analyzed signal has a long seasonality and its seasonal component is predominant with respect to the other components. This is the case of the signals we collect from the industrial robot: the signal is periodic with close to zero variations from one cycle to the next.
By including the lags at the period of the signal, the model is able to learn its seasonality and perform a long prediction of a whole cycle. Signals with long periods would require very large AR models, which are not eficient to train. With a SAR model, we are able to include only the useful parameters at time lag − and train the model with few parameters.
Therefore, for our first operational scenario, we choose to use a (1,0,0)× (1,0,0) model to learn the robot’s movement and perform predictions: ˆ = + 1− 1 +Θ 1− +
The most straightforward approach to build our model would be to perform a single initial prediction of a complete signal cycle. The prediction obtained through this cycle would then be repeated in a continuous cycle to build the full prediction signal. However, this approach is not feasible in our scenario since the exact period of the signal is not necessarily an exact multiple of the sampling time. For this reason, an error - smaller than the sampling time - is introduced each cycle, leading to a drift between the real signal and the repeated predicted cycle, invalidating the comparison. To solve this issue, we perform a new prediction for each cycle of the robot, re-training the SARIMA model on a sliding window on the observed dataset, ending at the end of the last observed cycle. A sliding window approach is to be preferred to an expanding window because in that case, the training dataset could become very large after long productions. A very long dataset of a repeated signal would make the training less eficient while not providing much more information to the trained model. After training the model on the current sliding window, we perform the prediction for the next cycle and then move the window ahead of one cycle, for the prediction of the next.
The introduction of a sliding window as a source of the training set for the SARIMA model opens the possibility of the model learning anomalies as they happen and thus forgetting the correct behavior of the robot. While we assume that anomaly detection in the robot operation would bring human intervention to restore the correct status of the system, a model learning the anomaly could also be exploited by an aggressor to perform an attack where a tiny drift is slowly introduced over time. To evaluate this, we test the model in Experiment 2 against an attack of that type. Prediction Module for Cooperative Networked Environment: LSTM. Recurrent Neural Networks are a type of neural network introduced to overcome the lack of information persistence through the time of traditional neural networks. While Recurrent Neural Networks (RNNs) are efective in considering recent information for each prediction, their performances worsen when the relevant information to be considered is further away in the past with respect to the current prediction time. To solve this issue, Hochreiter and Schmidhuber[24] introduced LSTM networks, a kind of RNN network specifically designed to learn long-term information dependencies. In our specific instance, to predict the correct behavior of the robot in the second scenario of the threat model 3, our model requires learning complex dependencies between the diferent variables we collected. To achieve this, we use LSTM in a multivariate and stacked configuration. A multivariate model takes in multiple input variables to perform predictions of one variable. This multivariate model learns the behavior of each robot axis, taking into account not only its past values but also the values of the other positions of the axes and the value of the input signal: this allows the model to detect when the robot movement does not reflect the provided input based on the initially learned behavior. The network topology of our model consists of a single main layer of LSTM neurons with a one-neuron output linear activation layer. The network weights are trained once for each robot axis, and each model is used to predict the relative axis behavior on the test set. To train the model, the complete dataset is split into training and test sets, where the training set does not contain anomalies. To perform a multivariate batch training of the model, we follow common data preparation techniques [36] that normalize and reshape the training time series set into a three-dimensional array that is needed for the LSTM model input [37]. Detection Module. For each axis of the robot, the values from the predictions dataset are compared to the observed ones using the sample-wise Root Mean Squared Error (RMSE). RMSE reduces noise influence while emphasizing larger variations. During training, the anomaly threshold is determined by comparing the non-anomalous live data to the predictions. The anomaly threshold is used to classify samples as anomalous or not based on whether they exceed it. The overall anomaly score of a sample is determined by summing the anomalous axes. Finally, the sample is classified as benign or anomalous by comparing its anomaly score to a user-defined threshold. In the first scenario, the process is repeated by considering whole cycles and averaging the prediction error function along the cycle for easier inspection and intervention on anomalous flagged cycles.
Our validation aims to prove the eficacy of our proposed attack detection models and compare them to the state of the art. We also aim to determine, where possible, the threshold levels under which our models do not reliably detect possible micro-scale attacks. We conduct 5 experiments, including spatial attack detection (experiment 1), progressive velocity alteration attack detection (experiment 2), anomaly detector against altered sub-task cycles (experiment 3), detection system against logic tampering attacks (experiment 4), and a comparison with a state-of-the art approach (experiment 5). Tests are performed in a simulated environment and on a real industrial robot, with a comparison of results and a discussion of diferences.
Experimental Setup.
We conducted experiments on an ABB IRB 140 industrial robot 1 connected to an IRC5
controller. This robot is widely used in industrial operations due to its millimetric precision. The
same robot has been the subject of a seminal experimental security analysis [
Dataset. The data fed to the detection system is logged directly into the robot controller memory.
Each dataset consists of six columns, one for each axis value, a column for the anomaly status,
and one for the simulated input signal (only for the 4th experiment). The sampling frequency,
limited by the robot controller’s computational constraints, is of 10Hz. The dataset consists
largely of a normal, non-anomalous robot operation. After a predefined period of time we
introduce an anomaly, depending on the experiment, and then terminate the robot operation,
as would happen in real-life production environment operating under our assumptions. In a
real world scenario, data collection would happen via a dedicated device directly wired to the
robot axis sensors, as the robot controller is to be considered compromised and not reliable. [
The task executed by the robot in this experiment is a pick and place operation repeated over
time. We introduce an anomaly in the task by altering the location where the place event takes
place. This attack is one of the most common experiments in current research [
0.6 tasks we apply the SARIMA detection module. The rolling window training set size of the SARIMA model has been set to 5 cycles through empirical performance analysis. Results. In table 1 we report the results of Experiment 1. For each task we present the values of the confusion matrix and the evaluation metrics mentioned before, on top of the Time To Detection (TTD) expressed in seconds or number of cycles for the sample-by-sample and cycle-by-cycle detection methods respectively.
The confusion matrices reported in Table 1 suggest that the model is capable of detecting anomalous samples with increasing accuracy on more significant anomalies. It is important to notice that the majority of false classifications happen as anomalous events that are not recognized (false negatives), which are mostly found in blocks of malicious data, as proven by the fact that the cycle-by-cycle detection process outperforms the sample-by-sample one, since small amounts of false negatives in a cycle mostly composed of true positives is still classified as anomalous. Overall, as also evident from the precision-recall curves for all the anomalies presented in Figures 2a,2b, performances for 5mm tests are optimal, for 2mm may still be useful depending on the implementation simulated environment physical robot simulated environment physical robot Experiments 2 and 3 - Confusion matrix values and metrics, divided in Sample-by-Sample and Cycle-byCycle tests. Time To Detection (TTD) is represented in seconds for the Sample-by-Sample IDS while in number of cycles for the Cycle-by-Cycle IDS. The Speed Change Before Detection, relevant for Experiment 2, is represented in mm/s. case, while 1mm ones do not perform well, especially when testing the real world robot scenario.
The task performed in experiment 2 is the same pick and place in experiment 1. The stealthy anomaly is represented by a slow increase in the robot operating speed, while mantaining the correct path.
A detection system that only considers the physical location of the end efector of the robot would therefore not be capable of detecting such anomaly.
For this experiment, the attack dataset is composed of 100 cycles of correct behavior followed by 100 cycles where the base speed of the robot (200mm/s) is increased by 0.1mm every 5 cycles. Again, for repetitive tasks we use the SARIMA detection module and the window training set is 5 cycles long.
Results. In Table 2 we report the results of Experiment 2. For each task we present the values of the confusion matrix and the evaluation metrics mentioned before, on top of the Time to Detection (TTD) and Speed Change Before Detection (SCBD).
We implemented this attack specifically to challenge our sliding window-trained SARIMA model, as evident from the results. We observe a large number of False Negatives, that correspond to the initial period in which the attack is introduced but the increase in movement is minor. However, once the anomaly increases over a threshold it is correctly and consistently detected. For this reason in Table 2 amongst the metrics for this experiment we show also the speed change before detection.
Despite being designed to be undetected and slip through the rolling window training, we argue that this anomaly is still detected by the model because its constant change in speed introduces a long-term variation in the overall duration of a single cycle. Being the cycle period estimated only once from a set of non-anomalous cycles, its value is fixed in time and used during the prediction of each future cycle. Training the same model with a signal with a diferent seasonal component would then increase the prediction error, thus triggering the anomaly detection. In Figure 3a we report the precision-recall curves of the two analyzed sample-by-sample classifications. Lower performance metrics are explained by the long time it takes to detect the anomaly during which the predictions result in a lot of False Negatives. Similarly to the previous experiment, averaging the prediction to entire cycles improves overall detection metrics (as visible also by comparing the precision-recall curves in Figures 3a,3b), although the speed change before detection does not significantly change in the real world robot scenario.
Experiment 3 is composed of the repetition of two paths, each one simulating the complete covering of an area. The two paths difer in the way they cover such area, as visible in Figure 4a and Figure 4b. This type of patterns can be used for tasks such as to paint, sand, or polish an area. Similarly to Experiment 2, a detection system that only considers the physical location of the end efector of the robot would therefore not be capable of detecting such anomaly. For the non-malicious part of the dataset, in each cycle both paths are repeated exactly three times. The anomaly we introduced alters the number of times each path is executed, bringing them to two and four times respectively. The attack dataset is composed of 120 untampered cycles and 5 tampered ones. Results. In Table 2 we report the results of Experiment 3. For each task we present the values of the confusion matrix and the evaluation metrics mentioned before, on top of the Time to Detection (TTD). Due to the longer task, the number of samples is significantly higher. In this experiment the anomaly is not a proper micro-defect, but a variation in how well the overall task is performed. This type of change in the path is easily detected by the IDS as shown by the metrics in Table 2. Even in the case of the real robot the anomaly is detected only 0.3 seconds after the first occurrence.
Such as Experiment 3, the task performed in this experiment consists of two sub-paths that are alternatively performed by the robot. In experiment 4, however, to simulate an external input to choose which sub-path the robot should execute, we use a simulated random input signal. Due to this, the LSTM module is used for detection. The two sub-paths compose two circular shapes in diferent spatial positions, similarly to the behavior of drilling or cutting operations. Results. We are not able to rely on a defined repetitive operation in this task that can be broken down in sequential cycles, so we have to rely upon the sample-by-sample anomaly detection only. As the other experiments, we provide confusion matrices and performance metrics for both the simulated environment and the physical robot experiment. Being LSTM based on a stochastic process during training, diferent training runs will result in slightly diferent models: to ensure a relevant result, we reproduce the training 30 times and provide their averaged result in the following section. Observing the confusion matrices in Table 2 and the precision-recall curves in Figure 4f, we observe that this model performs similarly in the classification of both the simulated environment and the physical robot, with a little diference in the number of False Positives. We argue that this similarity in the results, in contrast to what has been observed in the performances of the SARIMA model, is due to a greater generalization capability of the model, which focuses less on small variations. The lower generalization capability of the SARIMA model, instead, makes it more suitable for anomaly detection where robot task is repetitive. The values of the performance metrics in Table 2 and precision-recall curves in Figure 4f present very positive classification results.
We compared our model to the state-of-the-art by testing Narayanan et al’s SVM-based anomaly
detection approach [
As expected, the state-of-the-art IDS is only able to spot variation in the spatial domain of the robot performed task. Because of this, its anomaly detection is missing variations in the velocity of the robot.
In this chapter we will briefly explain the limitations we encountered during our research and the implementation of some parts of our approach. First of all, an industrial robot physically consists of a robotic arm that supports an end efector or actuator. This end efector is the tool that performs the action and defines the robot work (for example a welding attachment, a drill, mechanical pliers to grab and move objects) and can be greatly responsible for the good quality of the pieces it produces.
The enormous variety and heterogeneity of end efectors make comprehensive research unfeasible, so we opted to limit our research to the signals we can extract from the robot. This decision is also been made based on the lack of end efectors available to us to attach to the physical robot and its controller in our laboratory, making it impossible for us to back any simulation test with a real-world experiment. A complete IDS would need to also consider the operational parameters of the end efector, which is part of the overall industrial robot and it certainly is one of the possible targets that an attacker could exploit to introduce defects in the production. For example, an attacker able to access the functioning of a welding attachment could alter its welding temperature in order to make dangerous defective welds on critical equipment. Moreover, end efectors are produced by diferent manufacturers often with their own proprietary interfaces, which makes it more dificult to have a single data collection system 2https://github.com/narayave/mh5_anomaly_detector without some dedicated adjustments or interfaces. Despite these dificulties, data collected from the end efectors with dedicated sensors could be treated as time series and analyzed alongside the ones we gather in our research to expand the industrial robot models.
Secondly, we implemented our own test tasks for the experiments in this research mainly because of a lack of examples from real production lines we could use. This absence of already made functioning industrial robot tasks can be explained by the limited demand for them in the research environment combined with the development eforts punt into their realization. On top of that, real industry programs are covered by intellectual property from the manufacturing companies, greatly limiting the availability of real industrial tasks. We were not able to obtain any complete task script to test, so we developed movement tasks that we deem realistic and based our experimental evaluation on those. These tasks are a small subset of all the tasks that industrial robots can perform and surely do not cover all the possible robot use cases.
Finally, with regards to our fourth experiment, we did not have an adequate network of robots at our disposal. Having to work with a single robot, we had to simulate the presence of an external signal within the robot controller itself, limiting the complexity of the system considered in the experiment. We were therefore not able to test the performance of our LSTM based anomaly detection model with more complex systems consisting of multiple robots and sensors working together. More tests are then needed to fully evaluate the proposed anomaly detection technique in this scenario.
This work is part of a broader line of research on industrial robots security from the NECST Laboratory at Politecnico di Milano. Future works based on this research will start by dealing with the limitations outlined.
First of all, the proposed anomaly detection models need to be expanded to consider end efectors, by providing direct test examples and ofering a more generalized approach, able to cover most types of end efectors. The models proposed in this research can be expanded with the inclusion of other time series datasets with little modifications. If the operating conditions of the two scenarios are maintained even in the end efector operations (e.g., cyclicity of the operation in the first scenario), the IDS should be able to be tested against anomalies of the same type as the ones analyzed in this work. To achieve this goal, more research needs to be carried out into the development of a common interface to gather data from diferent kinds of end efectors and merge them with the ones collected from the robot controller. Following the indications in Section 4, such a system should be implemented externally of the robot controller in order to prevent an attacker to alter them after compromising the controller. With the availability of a more complex production line testing environment, more research can be carried out on anomaly detection on robots interacting with each other or their environment. Furthermore, future works could also expand the experiments of this research with more advanced tasks obtained from real production lines.
Finally, more research can be done in evaluating more advanced and new machine learning or statistical models to improve the learning and prediction capabilities of the system behavior.
This paper presented an IDS for industrial robots that identifies abnormal behavior. The IDS has a prediction and detection module, including two predictors: a SARIMA model for repetitive tasks and an LSTM-based model for tasks in cooperative networked environments. We evaluated the system in two diferent scenarios (a simulated environment and a real robot) and found that it outperforms state-of-the-art detection systems. We demonstrated that, unlike our system, the current state of the art could not handle a set of attacks that modified the speed and not the spatial behavior of the robot. Our results were promising and showed the diferent capabilities of the system’s predictors on their tasks. The tasks performed in our experiments mimic common industrial operations, and the introduced attacks simulate the introduction of potential micro-defects in the production outcomes. The results of our experiments suggest that this approach would be capable of detecting the efects real-world attacks on manufacturing robots.