Cybersecurity Threat Assessment

General Cybersecurity

Description

Connecting a Universal Robots robot to a network can introduce cybersecurity risks.

These risks can be mitigated by using qualified personnel and implementing specific

measures for protecting the robot's cybersecurity.

Implementing cybersecurity measures requires conducting a cybersecurity threat assessment.

The purpose is to:

  • Identify threats

  • Define trust zones and conduits

  • Specify the requirements of each component in the application

Failure to conduct a cybersecurity risk assessment can place the robot at risk.
  • The integrator or competent, qualified personnel shall conduct a cybersecurity risk assessment.
Only competent, qualified personnel shall be responsible for determining the need for specific cybersecurity measures and for providing the required cybersecurity measures.

 

Security Architecture

PolyScope X implements multiple independent layers of security (Defense in Depth) so that compromise of any single layer does not grant unrestricted access to the system.

 

  • Secure defaults. Network services are disabled at delivery. Only services explicitly enabled by an administrator are reachable from the network. From PolyScope X 10.14, inbound HTTP/HTTPS on ports 80 and 443 is closed by default and remains closed across reboots until an administrator enables it.

  • Network perimeter. A configurable firewall restricts traffic to specified ports and IP addresses.

  • Authentication. Three independent passwords (Admin, Operational Mode, Safety) protect separate functional domains. SSH supports key-based authentication as an alternative to passwords.

  • Authorization. Admin-locked permission screens restrict access to network settings, software updates, URCap management, and service configuration. Operational Mode separation prevents program modification during automatic execution.

  • Cryptographic identity. The robot maintains a digital certificate for secure identification. Self-signed and CA-signed certificates are supported through built-in certificate handling.

  • Audit trail. Security-relevant configuration changes and events are logged, retained, and can be inspected using standard audit tools.

The integrator shall conduct a cybersecurity threat assessment to determine potential need of additional hardening for the specific application.

 

 

Cybersecurity Requirements

Description

Configuring your network and securing your robot requires you to implement the threat measures for cybersecurity.

Follow all the requirements before you start configure your network, then verify the robot setup is secure.

 

Cybersecurity

  • Operating personnel must have a thorough understanding of general cybersecurity principles and advanced technologies as used in the UR robot.

  • Physical security measures must be implemented to allow only authorized personnel physical access to the robot.

  • There must be adequate control of all access points. For example: locks on doors, badge systems, physical access control in general.

Connecting the robot to a network that is not properly secured, can introduce security and safety risks.

  • Only connect your robot to a trusted and properly secured network.

Network configuration requirements

  • Only trusted devices are to be connected to the local network.

  • There must be no inbound connections from adjacent networks to the robot.

  • Outgoing connections from the robot are to be restricted to allow the smallest relevant set of specific ports, protocols and addresses.

  • Only URCaps and magic scripts from trusted partners can be used, and only after verifying their authenticity and integrity

Robot setup security requirements

  • Change the default password to a new, strong password.

  • Disable the "Magic Files" when not actively used (PolyScope 5).

  • Disable SSH access when not needed. Prefer key-based authentication over password-based authentication

  • Set the robot firewall to the most restrictive usable settings and disable all unused interfaces and services, close ports and restrict IP addresses.

  • Close unused HTTP/HTTPS access using the HTTP toggle in Settings > Security > Services (PolyScope X 10.14 and later). Keep ports 80 and 443 closed unless required for PolyScope web access, REST/Robot API, or externally available URCaps.

 

Cybersecurity Hardening Guidelines

Description

Although PolyScope includes many features for keeping the network connection secure, you can harden security by observing to following guidelines:

  • Before connecting your robot to any network, always change the default password to a strong password.

  • You cannot retrieve or reset a forgotten or lost password.

    • Store all passwords securely.

  • Use the built-in settings to restrict the network access to the robot as much as possible.

  • Disable the HTTP toggle in Settings > Security > Services when the robot does not need inbound web traffic (PolyScope X 10.14 and later). After upgrading to 10.14 or later, confirm the toggle state; port 80 no longer re-opens automatically on boot.

  • Some communication interfaces have no method of authenticating and encrypting communication. This is a security risk. Consider appropriate mitigating measures, based on your cybersecurity threat assessment.

  • SSH tunneling (Local port forwarding) must be used to access robot interfaces from other devices if the connection crosses the trust zone boundary.

  • Remove sensitive data from the robot before it is decommissioned. Pay particular attention to the URCaps and data in the program folder.

    • To ensure secure removal of highly sensitive data, securely wipe or destroy the SD card.