Robots present a cyber risk Source: Bob Violino
The prospect of an army of robots marching in unison to launch an attack on an unsuspecting city belongs in the realm of science fiction—as do most images of menacing autonomous machines wreaking all kinds of havoc on civilization.
That’s not to say robotics is free from security and safety threats, however. In fact, experts say the growing use of robots by companies such as manufacturers, retailers, healthcare institutions and other businesses can present a number of cyber risks.
There are two primary issues related to security and robotics, says Michael Overly, a partner and information security attorney at law firm Foley & Lardner.
First, these machines are generally integral to assembly line operations and other similar activities, Overly says. “An attack could literally bring a manufacturing or assembly plant to its knees,” he says. “We have seen this very outcome in a ransomware attack targeted at robotic assemblers in a plant in Mexico.” In that case, the ransomware locked up the specifications files from which the robots drew their operating parameters, he says.
Second, robots are generally large and capable of causing significant bodily and property damage if operated other than in accordance with their specifications. “If the subject of an attack, the machines could cause dramatic harm, both to individuals and to property,” Overly says.
The difference between actual and potential risks with robot security incidents “is a function of the complexity of the algorithms used by robots, and the physical and social context of their operation, and their numbers,” says Tom Atwood, executive director of the National Robotics Education Foundation, which provides educational information about robotics to students, educators and professionals.
For example, the circumstances and predictions of potential harm will vary widely depending on whether the robots are used in an industrial, military, urban, mobile, educational context or other context, Atwood says. “These contexts are growing in number as physical and virtual robots proliferate in all spheres of human endeavor,” Atwood says.
Many organizations that operate autonomous machines such as industrial robots mistakenly think they will not be targets because the machines don’t process personal information or financial information. The same goes for companies that produce the machines.
“They tend to not have the level of security protection found in other industries,” Overly says. “These organizations should start with a thorough information security audit conducted by a third-party auditor who has specific experience in the manufacturing and automation space. They should prioritize remediation measures based on the outcome of that audit.”
The motivation to build rigorous and secure robots should be there “because it is quite possible that all involved in its design could be held liable if a horrendous weakness was found that led to personal distress or financial losses,” says Kevin Curran, senior lecturer in computer science at the University of Ulster and a senior member of the Institute of Electrical and Electronics Engineers (IEEE).
"No distinction should be made between a Web-enabled robot and a router in a back office."
Kevin Curran, senior lecturer in computer science at the University of Ulster
“Security should also not be an afterthought,” Curran says. “Ultimately every device connected to the Web should be password protected. It should not be connected with the default out of the box password. A long complex password needs to be set. All devices should be updated as soon as updates are released, just like best practice on PCs and tablets.”
Robot manufacturers should also release security updates once vulnerabilities are found, Curran says, “but the incentive is simply not there for them to do it much of the time.”
Examine how robots use data
Data security risks related to robotics can be addressed by examining how robots use and harbor data, and by evaluating how they can be hacked. But again, the outcomes from such analyses depend in large part on the type of robot in use and how it is being used, Atwood notes.
Much like the risk of other industrial controls systems, the risk of autonomous machines is the unpatched vulnerabilities and access to critical and confidential information within the environment, says
Jerry Irvine, member of the U.S. Chamber of Commerce’s Cybersecurity Leadership Council and CIO of IT outsourcing provider Prescient Solutions.
“These vulnerabilities can allow access to [business] critical systems and intellectual property,” Irvine says. He recommends that organizations implement secure access and authorization controls, limiting access to people who need it to perform their jobs. Another good practice is to segment autonomous machines from other networks to limit their digital footprint and accessibility to other systems and applications, he says.
One of the most important steps to ensuring strong security for robotics is to keep a close watch on them.
“Human stewardship of robot protocols and operating procedures, and human oversight of robots at work, must be maintained at a high level at all times for the foreseeable future,” Atwood says.
“These detailed oversight practices are important to prevent endangerment of people in work environments where robots operate,” Atwood says. “Hotel lobbies, factory floors, parking lots, warehouses, hospitals and our streets where robotic autos are emerging are all immediate front lines.”
Deciding who within an organization is responsible for robotics security is up to the individual enterprise. But in general because robots can transcend multiple areas of operations it should involve representatives from several groups, including IT and security management, operations, and even top senior managers.
“The board of directors and the most senior officers bear ultimate responsibility,” Overly says. “IT management and security management are on the front line, but senior management is, by law, the ultimate responsible party. They need to exercise reasonable business judgment in addressing these issues.”
The role of CISOs and CSOs in robotics security should be to oversee overall security policy and approach, but also to ensure that the board and senior management is adequately informed of any security-related issues and the efforts being made to address them, Overly says.
At many organizations, top security and IT executives will have a key role in robotics security, especially if robotics efforts are tied to IT-related areas such as cloud services, mobile applications and big data/analytics initiatives.
“The CISO and/or CSO is the titular head of cyber security, and is the leading executive whose job it is to inform and coordinate with the CEO and other designated people to protect the company’s robotic infrastructure as well as the people working in the organization,” Atwood says.
Curran agrees. “The CISO and his IT team should assume responsibility for all connected devices including robots,” he says. “No distinction should be made between a Web-enabled robot and a router in a back office.”
Appropriate preventive and corrective controls in the form of policies, standards, procedures or technology functions and monitoring mechanisms are needed to minimize the risks associated with deploying any connected devices within an organization, Curran adds.
Robots themselves might in some cases play a role on the security team.
“Already, security intrusion detection robots have been developed by many companies,” Curran says. “These for the most part consist of smaller mobile robots with cameras and movement detection, which move around a building looking for intrusion.”
These machines use technology such as high-definition cameras, sensors, and microphones to measure a variety of conditions and actions.
“There is [always] the risk of such robots being hacked, therefore additional measures need to be taken such as implementing extra security authentication—perhaps facial recognition of the owner when opening panels,” Curran says. “There is a real risk of privacy invasion,” especially in the case of a robot that has complete freedom to roam inside a building, he says, “so we have to ensure that the surveillance footage is securely stored.”
| }
|