AMR1 Case Study

Other case studies

What is threat modeling?

Threat modeling is a structured exercise that leverages abstractions and real-world data to detect potential risks. This process identifies potential attackers, their capabilities, resources, and intended objectives. In this study, threat modeling is applied to analyze each platform's implementation, detect security vulnerabilities, and offer practical solutions or workarounds based on real-world usage scenarios.

Threat modeling is crucial for developing robust security defenses and generally answers the following key questions:

  • What is your curent cybersecurity status?
  • What can go wrong? Could it lead to a major loss or impact?
  • What steps can be taken to improve the system’s security?

Objective

This case study aims to conduct a preliminary analysis and provide practical recommendations to strengthen the cybersecurity of connected autonomous mobile robots (AMRs). The goal is to protect AMR systems, ensure user safety, and encourage a proactive approach toward cybersecurity. This approach is critical to addressing emerging threats and ensuring the reliable performance of AMRs in an evolving environment. The study also aligns with forthcoming regulations such as the Cyber Resilience Act for manufacturers and NIS2 for end users.

About premium AMR1

PREMIUM AMR1 is a state-of-the-art autonomous mobile robot designed to optimize logistics and material handling in industrial environments. Its compact, agile design allows it to navigate complex warehouse layouts and confined spaces effectively. PREMIUM AMR1 stands out for its advanced capabilities compared to lower-performing alternatives.

Key features

  • Advanced navigation and obstacle-avoidance technology capable of autonomously transporting payloads up to XXX kg.
  • Adaptive motion planning that dynamically adjusts routes in environments shared with human operators.
  • Multiple safety features, including collision avoidance and dynamic obstacle detection.
  • Integration with existing warehouse management systems (WMS) and compatibility with third-party software for centralized monitoring and control.
  • Real-time status updates and diagnostics via an intuitive web-based user interface.

Despite these impressive features, cybersecurity remains an under-prioritized aspect of AMR design. Manufacturers often do not focus on security as a selling point, leaving these robots vulnerable to cyberattacks. To understand the attack surface of a robotic system, it is essential to conduct a threat modeling exercise to identify and mitigate cybersecurity risks.

ARM

Methodology

Cybersecurity has become essential for maintaining the safety and integrity of industrial applications, especially in complex, interconnected environments like the logistics industry. The growing connectivity and complexity of these systems significantly expand the attack surface, exposing Autonomous Mobile Robots (AMRs) to various cyber threats. These threats can compromise operational availability, lead to safety issues, and cause economic and reputational damage.

To perform this threat model, a premium AMR, widely used in the automotive, food manufacturing, and warehousing industries, was selected for analysis. For this study, it will be referred to as AMR1.

Read more about threat modeling

Disclaimer

The names and details in this case study have been anonymized for confidentiality. This content is solely intended to highlight the general cybersecurity status of AMRs. Alias Robotics does not endorse, encourage, or promote unauthorized tampering with robotic systems, which may result in severe injury, significant property damage, and legal consequences.

Industries Served

OTTO industries served

System architecture of premium AMR1

Overview of the onboard architecture

OTTO diagrama 1
  • Onboard computer system: The onboard computer serves as the central hub for managing operations. It features an industrial-grade PC running a Debian-based Linux distribution with ROS (Robot Operating System).
  • Wireless communication system: Includes Wi-Fi and LTE capabilities (LTE not enabled). These interfaces facilitate communication with the WMS, updates, and synchronization with other robots.
  • Safety systems:
  • Equipped with two LIDAR sensors (front and rear) for collision avoidance.
  • Two emergency stop buttons (E-Stop) for immediate shutdown.
  • A front-facing 3D depth camera for enhanced obstacle and human detection.
  • Complies with ISO 13849 safety standards, although real safety cannot exist without robust cybersecurity.
  • User interface and control panel: Features a web-based interface for real-time monitoring, setting operational parameters, and running diagnostics.
  • Navigation and path-planning algorithms: Utilizes a ROS-based navigation stack that allows it to adjust its route autonomously based on real-time environmental data.

Actors

End user
NIS2 sectors

Robot operator
Production manager

Defender
Alias Robotics

Architecture data flow

The architecture data flow diagram outlines how different components interact and exchange information within the system. It highlights critical assets and their connections, providing insight into potential vulnerabilities.

Diagrama 2

Trust boundaries

A trust boundary marks areas where multiple entities with different privileges interact. Systems with numerous external interfaces have more complex trust boundaries and larger attack surfaces. The following are the trust boundaries identified in this study:

  • TB1 – AMR
  • TB2 - Wireless 1
  • TB3 - Wireless 2
  • TB4 - RJ45/Ethernet
  • TB5 - Outside world
OTTO Diagrama 3

Entry points

Identified entry points where a malicious actor could initiate an attack:

  • EP1 (USB): Physical USB port, crossing from the Outside World to the AMR.
  • EP2 (Wi-Fi): Wireless communication, crossing from Outside World to Wireless 1
  • EP3 (Wi-Fi): Wireless communication, crossing from Outside World to Wireless 2.
  • EP4 (Ethernet): Wired communication, crossing from Outside World to RJ45/Ethernet.
OTTO Diagrama 4

Risk analysis and feasible attacks

Alias Robotics identified several possible attach pathways affecting PREMIUM AMR1:

  • Malware Injection via USB
  • Man-in-the-Middle (MITM) Attack on the wireless network
  • Unauthorized Access through the web-based management interface
  • ROS Node Compromise
Diagrama 5

Conclusions

PREMIUM AMR1 is a highly capable industrial-grade robot with an expanded attack surface, making it a potential target for cybercriminals. Conducting a threat modeling exercise is essential to comply with industrial cybersecurity standards (IEC 62443 Part 4) and mitigate risks effectively.

The next step involves cybersecurity testing of the identified threat landscape to ensure comprehensive protection. Cybersecurity is an iterative process that must be revisited periodically as threats evolve.

Alias Robotics is a leading provider of robot security solutions. Contact us to learn how we can help secure your robotic systems.

Co-Funded by the EIC Accelerator Project – GA 101161136

EIC Co-Funded by Quadri