Securely enable external access to services on UR cobots
This describes how to securely enable external access to selected services on UR cobots without unnecessarily compromising the security of other parts of the system.
From PolyScope 5.17 the default administrator settings are set to a secure state (updating a robot will not change existing settings). This covers points 2-5 listed in the following article:
https://www.universal-robots.com/articles/ur/cybersecurity/secure-setup-of-ur-cobots/
- Change default admin access credentials
- Disable “Magic files” when not used
- Restrict inbound connections
- Disable services that are not used
- Disable SSH access if not used
- Use key-based authentication
- Use local port forwarding to tunnel unencrypted connections
- Keep the robot updated with latest software
In addition, changing the admin access credentials is now enforced.
Stated with the inverse logic, the recommendation for the four topics is:
- Enable "Magic files" no longer than needed
- Allow only needed inbound connections
- Enable access only to the services that are used
- Only enable SSH access if needed
Enable “Magic files” no longer than needed
A “Magic File” is a script on a USB drive that runs automatically when the USB is inserted into the USB port. Magic Files have unrestricted privileges to make system changes. Disable the functionality if it is not actively used. If used sporadically, you can choose to enable it only as required.
To enable and disable Magic Files:
- In the Header, tap the Hamburger menu and select Settings.
- Under Security, select General.
- Enter your Admin password.
- Enable or disable Run Magic Files.
Magic files can be used for:
- Upload All Programs from USB to robot
- Screenshots of the TP
- Backup All Programs
- Backup Configurations files
- Backup Log History file
https://www.universal-robots.com/download/?filters[]=98765&query=
Allow only needed inbound connections
To reduce the robot’s exposure to other devices on the network, inbound access is restricted by default; if access is needed, specific hosts and/or specific ports can be added. This minimizes the risk of unauthorized access by other devices or computers.
Configure Restrict inbound network access to this subnet to make sure network connections originating from an IP address outside the indicated subnet are refused.
For example:
- 192.168.1.0/24 only allows access from hosts in the range 192.168.1.0 – 192.168.1.255. The /24 appended to the IP address specifies the subnet range (0-255) in CIDR notation.
- 192.168.1.96 only allows inbound access from one host: 192.168.1.96
Leave the field blank to disable subnet restriction.
Configure Disable inbound access to additional interfaces (by port) to make sure any inbound connection to the designated ports is refused. The default 0-65535 blocks all ports (except those that belong to an enabled service).
Examples:
You can use two ranges to enable a single port. If SSH is running on port 22, access can be configured by:
- 0-21,23-65535
Leave the field blank to avoid blocking ports.
Any enabled service, in the Services tab, with a corresponding open port, takes precedence over port blocking.
The following section describes how to disable unused services.
URCaps can require particular network interfaces to be open in order to function. Consult your URCaps vendor(s) if any of your URCaps require particular network interfaces (ports/services) to be open.
To configure Inbound Connections:
- In the Header, tap the Hamburger menu and select Settings.
- Under Security, select General.
- Enter your Admin password.
- Enter subnet restrictions under Restrict inbound network access to a specific subnet.
- Enter the interfaces to be closed in Disable inbound access to additional interfaces (by port).
Enable access only to the services that are used
You can enable access to services running in the system. The Services menu under the Security tab lists the standard services running on the robot. You can enable or disable access to each service. Only enable access to the services that need external access (URCaps running on the robot that need access are not blocked by this setting).
To enable and disable a Service:
- In the Header, tap the Hamburger menu and select Settings.
- Under Security, select Services.
- Enter your Admin password.
- In the list, select an option and tap Enable, or tap Disable.
- Go to General and make sure the subnet includes the wanted clients (see Allow only needed inbound connections)
Only enable SSH (access) if needed
Secure Shell (SSH) establishes an encrypted and authenticated connection to the robot and allows remote administration of the system. You can enable or disable SSH, depending on how often it is used.
To enable and disable SSH access:
- In the Header, tap the Hamburger menu and select Settings.
- Under Security, select Secure Shell.
- Enter your Admin password.
- Configure the Secure Shell Settings – select or deselect Enable SSH Access.
- Go to General and make sure the subnet and port settings match the SSH state (see Allow only needed inbound connections)
It can be convenient to set the port field to “0-21,23-65535” (SSH port open) or “0-21,23-65535,22” (SSH port blocked). The state can then be toggled by adding or removing 22.
Example of configuration
The sketch below illustrates a configuration that only allows access from hosts in the range 192.168.1.0 – 192.168.1.255, and allows access to the services Dashboard server, Modbus and SSH. The resulting open ports are 22, 502 and 29999.
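The subnet and port-range rules above (Allow only needed inbound connections) and this example configuration can be checked before they are typed into the pendant. The following model is an added example and not UR's own code or firewall implementation: it reproduces the semantics the page documents (blank subnet field means no restriction, a bare address means one host, `a-b` port ranges, enabled services taking precedence over port blocking) using only the port numbers the page itself lists for SSH, Modbus and the Dashboard server; function and variable names are this example's own.

```python
"""Model of the PolyScope inbound-access rules described on this page.

Added example, not UR code. It mirrors the documented behaviour of the
three settings so a planned configuration can be sanity-checked offline.
"""
import ipaddress

# Ports of the services named on the page (SSH 22, Modbus 502,
# Dashboard server 29999). Assumption: enabling the service opens this port.
SERVICE_PORTS = {"SSH": 22, "Modbus": 502, "Dashboard server": 29999}


def parse_port_ranges(field: str) -> set[int]:
    """Parse 'Disable inbound access to additional interfaces (by port)'.

    Accepts a comma-separated list of single ports or 'a-b' ranges,
    e.g. '0-21,23-65535'. A blank field blocks nothing.
    """
    blocked: set[int] = set()
    for item in field.split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition("-")
        start = int(lo)
        end = int(hi) if hi else start
        if not 0 <= start <= end <= 65535:
            raise ValueError(f"invalid port range: {item!r}")
        blocked.update(range(start, end + 1))
    return blocked


def subnet_allows(field: str, source_ip: str) -> bool:
    """Apply 'Restrict inbound network access to this subnet'.

    Blank disables the restriction; a bare address such as
    '192.168.1.96' is treated as a single host (/32), as on the page.
    """
    if not field.strip():
        return True
    network = ipaddress.ip_network(field.strip(), strict=False)
    return ipaddress.ip_address(source_ip) in network


def open_ports(blocked_field: str, enabled_services) -> set[int]:
    """Ports still reachable after port blocking.

    Enabled services take precedence over the block list, so their
    ports are added back even when the field blocks 0-65535.
    """
    blocked = parse_port_ranges(blocked_field)
    service_ports = {SERVICE_PORTS[name] for name in enabled_services}
    return (set(range(65536)) - blocked) | service_ports


def connection_accepted(subnet_field: str, blocked_field: str,
                        enabled_services, source_ip: str, port: int) -> bool:
    """True if a connection from source_ip to port passes both settings."""
    return (subnet_allows(subnet_field, source_ip)
            and port in open_ports(blocked_field, enabled_services))


if __name__ == "__main__":
    # The page's example configuration: one /24 subnet, default port block,
    # three services enabled. Expected open ports: 22, 502, 29999.
    subnet = "192.168.1.0/24"
    ports_field = "0-65535"
    services = ["Dashboard server", "Modbus", "SSH"]
    print("open ports:", sorted(open_ports(ports_field, services)))
    for ip in ("192.168.1.10", "192.168.2.10"):
        ok = connection_accepted(subnet, ports_field, services, ip, 502)
        print(f"Modbus from {ip}: {'accepted' if ok else 'refused'}")
```

Running the block prints the three open ports and shows that a Modbus client inside 192.168.1.0/24 is accepted while one outside it is refused. The same functions reproduce the SSH toggle trick from the previous section: with the port field set to `0-21,23-65535` port 22 is left open, and appending `,22` closes it again.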
Additional Ethernet interfaces
If an additional Ethernet adapter is attached, the firewall rules will not apply to that adapter.
Note: URSim's default settings are not secure.