Watch Those Robots
Are you worried about security for robots? I am.
I worked with welding robots many, many years ago. They were not networked, and they ran on proprietary embedded systems and code. Twenty-five years later, I remember being briefed by a Japanese startup that was introducing a special USB stick for robots in manufacturing. It turns out that their prospects had noticed that the robots on the shop floor in manufacturing plants were slowing down and experiencing glitches because the Windows XP they were running was getting bogged down with spyware and viruses. Their device would plug into the USB port on these headless systems and scan them for viruses. You would then plug the device into a workstation to see what it had found.
I remember thinking, “wait, these special machines are running Windows? Who let that happen?” Sadly it is all too often the case.
You have seen the YouTube videos of modern robots. They are learning to walk, run, and even jump from box to box in one video that made the rounds of social media. Of course, manufacturing robots are widely used everywhere today. On top of that, the warehouse operations at many distribution centers are being robotized, with little carts zooming around and automated machines depositing their orders on their little tables. But robots are invading much more of our world.
Farm equipment is being robotized: tractors can plow fields using GPS to guide them. Mining equipment runs autonomously. Thousands of drones have been developed for specialized tasks like surveying, inspecting power lines, and of course home delivery. The Navy developed an autonomous drone that successfully completed a mission after launching and returning to an aircraft carrier. Speaking of homes, today we have floor cleaners; in the not too distant future, we will have window washers and flying dusters.
And don’t forget driverless vehicles. Within a decade we will see them on all the roads in the world.
The SpaceX Falcon 9 is a robot. It lands itself on a big X after delivering the second stage to space.
Why am I worried about security in robots? Because all of these systems have yet to enter the gauntlet of attacks that every other computer system has already experienced.
By now, we all know how it plays out. A new system needs real world experience to become resilient. It took decades for the IT world to build in that resiliency. You could argue that it will be decades more before we stop experiencing breaches, failures, and loss of critical systems due to targeted attacks. When and how are robotic systems going to gain this trial by fire?
Robots have a physical aspect that your web server does not. A compromised web server means having a repair job and maybe defaced web pages or exfiltrated data. A compromised rocket means an explosion. A compromised long haul autonomous semi means people may die. A compromised AI-powered dam floodgate may mean a flooded village.
Manufacturers of robots should be investing heavily in securing their products, but beyond them, all organizations that purchase robots should be thinking about how to integrate them into their security management programs. When sourcing them, ask these key questions:
- How are the devices networked? What protocols/ports do they use?
- Is there an effective mechanism for patching them?
- Does the supplier research and track vulnerabilities in all of the subsystems they incorporate in the manufacture of the robots?
- Do they have a bug bounty program in place?
- Do they have a dedicated security team? Do they design security in from the beginning?
- Do they make patches available on a timely basis?
- Do they publish vulnerabilities?
- What measures have they taken to make the systems less likely to be hacked?
- Have they implemented strong authentication solutions for accessing and managing the devices?
- Have they undergone third-party testing and certification? Do those third parties use fuzzing attacks against open ports/protocols?
After purchasing robots, care should be taken to segment the networks they are on. Make sure the plant floor is not connected to the Internet. If data needs to be sent out of the facility, use a one-way data gate. Incorporate all the robots into your existing vulnerability and patch management systems. Add them to your asset inventory system and record all the software versions. Develop a plan for taking them offline for maintenance including system updates provided by the manufacturer.
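The post-purchase controls above can be checked mechanically against an asset inventory export. The following is an added example, not part of the original article; the CSV column names, the sample rows, and the plant-floor subnet are all constructed assumptions.

```python
import csv
import io
import ipaddress

# Constructed sample inventory export; column names are assumptions.
INVENTORY_CSV = """\
asset_id,ip,software_version,has_default_route,in_patch_mgmt,maintenance_window
weld-cell-01,10.20.1.11,4.2.1,no,yes,Sun 02:00
agv-cart-07,10.20.1.57,,no,yes,Sat 23:00
palletizer-03,192.168.5.40,7.0.3,yes,no,
"""

# Assumption: the plant floor has been segmented into this single subnet.
PLANT_FLOOR_NETS = [ipaddress.ip_network("10.20.1.0/24")]


def field(row, name):
    """Return a trimmed field value, treating missing columns as empty."""
    return (row.get(name) or "").strip()


def audit_robot(row, plant_nets=PLANT_FLOOR_NETS):
    """Return the findings for one inventory row, one per failed control."""
    findings = []
    try:
        ip = ipaddress.ip_address(field(row, "ip"))
        if not any(ip in net for net in plant_nets):
            findings.append("outside segmented plant-floor network")
    except ValueError:
        findings.append("IP address missing or malformed in inventory")
    if field(row, "has_default_route").lower() == "yes":
        findings.append("has a route toward the Internet")
    if not field(row, "software_version"):
        findings.append("software version not recorded")
    if field(row, "in_patch_mgmt").lower() != "yes":
        findings.append("not enrolled in vulnerability/patch management")
    if not field(row, "maintenance_window"):
        findings.append("no planned offline maintenance window")
    return findings


def audit_inventory(csv_text):
    """Map asset_id -> findings for every robot failing at least one check."""
    rows = csv.DictReader(io.StringIO(csv_text))
    report = {row["asset_id"]: audit_robot(row) for row in rows}
    return {asset: f for asset, f in report.items() if f}


if __name__ == "__main__":
    for asset, findings in audit_inventory(INVENTORY_CSV).items():
        print(asset, "->", "; ".join(findings))
```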
Robots are changing the world. Just be aware that all the benefits come with increased exposure to multiple threats. Build in accommodating controls to ensure that those increased exposures are managed.