FANUC Karel TCP Socket security

    Hi all,


    I would like to first mention that I am new to the FANUC world.


    My question would be related to the security side of socket communication.


    I've managed to setup a TCP server socket on the robot in ROBOGUIDE and a TCP client socket on my desktop (in node.js and .NET).

    The communication is successful between the 2 sockets.

    However, the messages are sent in plain text through the network.


    Are there any built-in funtionalities of securing this pipeline (SSL maybe)? If not, do you have any suggestions on how to obtain this?


    Thank you.

    To my knowledge, not right out of the gate no. You would have to implement your own implementation of it. In karel to boot. Yuck.


    But I am not sure if this is needed. Industrial networks should be airgapped from the internet.

    Check out the Fanuc position converter I wrote here! Now open source!

    Check out my example Fanuc Ethernet/IP Explicit Messaging program here!

    Quote from Nation

    To my knowledge, not right out of the gate no. You would have to implement your own implementation of it. In karel to boot. Yuck.


    But I am not sure if this is needed. Industrial networks should be airgapped from the internet.


    I'm working on an Educational kit from FANUC, so the robot is not used in an industrial environment.


    The computer that has the client socket is connected to Internet.


    Anyhow, I thought that it's better to be safe than sorry. That's why I was interested in finding ways of securing the channel and if there is anything built-in. But it seems that there aren't any.


    Thank you for your answer.:smiling_face:

    Quote from hermann

    Do you fear agents in your factory?

    You can't trust anybody these days...


    Kidding, thank you for your answer.

    The Robot I'm working on is not in an Industrial environment; it's used in academia.


    That's why I was trying to dig a bit deeper into the security side.

    But it seem that there not much to dig deeper into.

    This is actually a very relevant question, but unfortunately the answer has already been posted by Nation.


    There is no support for secure sockets in Karel. And it would require quite some dedication to implement something like SSL or TLS in that language.


    Quote from Nation

    But I am not sure if this is needed. Industrial networks should be airgapped from the internet.

    This doesn't seem reasonable to require any more these days. What about predictive maintenance? Remote monitoring? ERP integration?


    Even without direct internet connections, attackers could have ample opportunity to hop from host to host, until they arrive at the host they're interested in.


    Securing all incoming and outgoing connections would be a simple, but effective measure against some of the more simple types of attacks.


    Unfortunately it's not possible right now.

    Quote from rf103

    This doesn't seem reasonable to require any more these days.

    I'd argue that it is even more reasonable these days, especially since industrial device manufactures seem to place security at the bottom of the list of things to implement.


    After the success of the shutdown of the Colonial Pipeline via ransomware, in which Colonial paid the ransom, its only a matter of time before some dedicated hacker creates ransomware for robots.

    Check out the Fanuc position converter I wrote here! Now open source!

    Check out my example Fanuc Ethernet/IP Explicit Messaging program here!

    No SSL on Fanuc, At the moment everything is done through VPNs, Firewalls, etc. Most of industrial machines equipped with Firewall and VPN devices in case of using factory network or internet connection to remote servers/ remote control. It's impropriate price increase and decrease communication time for equipment (robots, plc), easily saying if you need secure connection with industrial equipment you should be ready to buy firewall/vpn devices if you really need it.

    In my past experience with high-security environments, the automation (robots and PLCs) were all deliberately air-gapped from the plant "IT" network. The only interconnection allowed was through a single dedicated computer that provided port filtering, firewalls, and various other protections.


    For things like IIoT, ERP integration, etc, generally the solution has been to use extremely limited HTTP ports or opening only ports for OPC-UA, with anything not strictly necessary turned off. And still using heavy firewalling between the automation and the "IT" infrastructure.


    Part of the problem is that automation gear simply can't be updated as quickly and easily as regular computers can. And even in the IT world, most sysadmins hate doing updates, even security updates, on their production systems, b/c of the potential to break something. This leads to all sorts of testing servers, incremental rollouts, and lots of "save points."


    Now, try to imagine setting up that kind of thing with robots. Which robots are you going to risk suffering a serious breakdown b/c a new security patch borked something? After all, "when a web weenie makes a programming mistake, someone's website goes down for a while. When we make a mistake, we smash $50k hardware into another $50k hardware at 50mph!" Then add in that a lot of automation runs on firmware, not software, that is made for reliability, not easy upgrades, a lot of automation runs for decades before being replaced....


    Cybersecurity is a hard enough with just computers. With massive automation systems, with almost every robot in every cell being at least slightly customized....

    "The computer that has the client socket is connected to Internet."


    What do you do if somebody is hurt by robot movements, caused by hackers?
    Will be a nice talk with the insurance company :winking_face:

    All our machines are protected by industrial security security routers, usinf VPN, port filtering and so on.
    Just as written above...

Advertising from our partners