Prioritising security in the robotics industry
By Gabriel Aguiar Noury, robotics product manager at Canonical, publisher of the Ubuntu open-source operating system
The robotics industry is thriving, with more organisations beginning to recognise the commercial and operational impact robots can have on their business.
In the retail sector, for example, Best Buy has introduced Chloe, a robot that operates like a vending machine – only instead of dispensing sweets, she distributes phone chargers and plug adapters.
Customers can place an order via a touchpad in-store and in under half a minute, Chloe scans thousands of products and locates the order for the consumer.
Because Chloe helps to cut administrative time, employees have the time to focus on more complex tasks, expanding the scope of their roles and improving their productivity.
Alongside the increase in demand, investment in the industry is also growing. Worldwide investment is expected to reach $210 billion by 2025 – more than double the figures in 2020. Competition is also increasing among developers and manufacturers as they compete to bring greater functionality to robots.
To aid the development, many businesses are using the Robot Operating System, the standard open-source framework for robotics application development.
While in the development stage, it’s important that manufacturers implement security measures from the very beginning. If security is overlooked, manufacturers put their data at risk.
On top of this, the physical safety of customers could be jeopardised if a hacker were to take control of a robot and harm people or infrastructure. By addressing security risks, companies can make sure they protect both themselves and the customers they serve.
Putting security in place from day one
As the demand for robots grows, it can be tempting to rush through the development phase and ship robots quickly. In doing so, businesses risk not securing robots from the beginning and will face the task of trying to retrofit security measures, which ultimately becomes an expansive task.
It also causes downtime for the user and can have a negative impact on the image and reputation of the company.
A similar approach was taken with IoT security when the tech industry was too late to focus on it and many devices were shipped with weak password protection and an ineffective patch and system update process.
The fates of security in IoT and robotics are intertwined as the Internet of Robotic Things (IoRT) emerges, in which robots can monitor events, fuse sensor data from a variety of sources in their network, use this data to determine the best course of action, and then act to control objects in the physical world.
As an industry, the tech sector overlooked the need for strict security measures for IoT, and we must ensure the same doesn’t happen with robotics.
This starts with a watertight, proactive security strategy that ensures that there are enough levels of protection in place. For instance, just having a password in place won’t be enough to keep hackers out.
Multi-factor authentication methods should be implemented to ensure a business is doing all it can to keep its sensitive data safe. This could also make privilege escalation more challenging for attackers. Even using an OS with a containerised architecture could guarantee that attackers will operate in a sandbox.
But businesses can’t just implement security measures and consider their job to be done. Regular risk assessments must be carried out to identify, analyse and evaluate the risk to ensure that the cyber security controls they have chosen are still appropriate.
Without doing so, a business can waste time, effort and resources. Ultimately, a robot is another networked device within an organisation that needs to be included in risk assessments and patched as needed.
Security maintenance represents the minimum requirement for reducing vulnerabilities. If robot software on a manufacturing line or in a retail setting is not maintained, sooner or later attackers may gain a foothold on it and possibly use it to gain access to the device itself, and potentially to other corporate assets.
How regulation can help
A big step towards making security a high priority in robotics development should also involve the Robot Operating System (ROS). ROS isn’t just software; it’s an international community of developers, academics and engineers who have made it their mission to make robots better.
As a result of this, the field of robotics has a huge pool of talent at its fingertips to tap into to optimise security protocols, but it isn’t currently taking advantage of this.
If it did, the community could support each other in identifying vulnerabilities and reporting them, improve existing code by addressing security issues, improve new code writing, ensure that contributions from less-trusted parties are reviewed, suggest ways to harden measures, follow and propose secure design principles, and apply recommendations from cybersecurity frameworks.
Regulations can also be put in place to add an additional layer of security. While there aren’t robotics cybersecurity regulations, depending on the field, robotics companies need to comply with different security regulations.
For instance, in the finance sector companies need to adhere to PCI standards. For ROS, CIS provides a benchmark for ROS Melodic running on Ubuntu 18.04. It contains over 200 recommended settings for securely operating ROS.
Regulations don’t have to be restrictive either. Innovation-driven regulation, based on the collective views of developers and users within the community, can help to drive the development of open-source robotics security.
As an example, the UK government’s proposed cybersecurity laws are set to cover the connected devices that make up the IoT, but while this regulation is for everyday users, the same needs to be created for robotics.
Even though the regulation is for IoT, it’s worthwhile for robotics companies to abide by the same laws to ensure the security of their connected products.
Security is job one
It’s never been more important for security in robotics to be taken seriously. As the industry continues to thrive and manufacturers compete to get their products to market, developers may be tempted to take shortcuts, resulting in subpar security measures.
It will take a concerted effort from everyone involved to ensure there are strict security protocols in place. Robotics developers need to implement security from day one, consumers need to understand the risk and request a high level of security, the government and industry regulators need to be thinking ahead and passing regulations that prioritise IoT security, and the robotics industry as a whole needs to work together, as a hacked robot in someone’s home could impact millions of other customers.
For all the promise robots can bring to a business, from working more efficiently to greater sustainability efforts, none of this will be possible if they aren’t properly protected and a security breach hits. The ramifications of a breach are huge, and they can have a negative impact on all businesses involved.
From leaked data to physical harm to people and production lines, no business wants to be in that position. To fully reap the rewards of robots, security has to be prioritised, reviewed and maintained from day one.