Answer These Five Cyber-Questions To Make Your Collaborative Robot Even Safer
Like the rest of your company, robots can be vulnerable to cybersecurity threats.
A recent study by Trend Micro and Polytechnic University of Milan showed that many industrial robots, in industries including aerospace and automotive, were connected to the internet without being sufficiently guarded against cyber-threats. This left them open to outside access and hacking.
While collaborative robots may have ‘grown up’ alongside cybersecurity, they still risk suffering from similar cybersecurity woes as their industrial robot ‘cousins’. That is the bad news – the good news is that your company has a vast array of available tools to prevent it from happening.
“Safety and security have long been closely related concepts in collaborative robotics. Just like physical isolation is not the only way to try to provide safety, digital isolation is not the only way to try to provide security. Collaborative robots have shown that built-in safety controls combined with in-context risk analysis can provide safety equivalent to physical barriers. Similarly, built-in security controls combined with threat analysis can provide a solid cybersecurity platform, while also enabling your company to reap the full benefits a connected co-bot has to offer,” Julian Weinstock, VP Product Management and Innovation at Robotiq, explains.
While many cybersecurity threats do not target collaborative robots directly, attacks and hacks aimed at the increasingly connected production environments and companies they work in can also affect them.
Finding answers to the following five questions will serve as a big help in combating those potential issues, not just for collaborative robots but for your company as a whole.
1: What company are you?
Your cyber risk profile is tied directly to the type of company you are. Figuring out the answer to this question includes an in-depth look at your production setup, intellectual property (IP), where you are based (one central location vs. many), how your systems are tied together, how your employees connect to your network (on site, through mobile devices or using their own devices), etc.
It also requires a detailed analysis of your company’s IT profile, IT infrastructure, what your cybersecurity setup looks like, etc. One specific point to mention in this context is looking at what devices are sending and receiving data (half-duplex or duplex transmission). Even if systems connected on a network are always able to receive data (the nature of TCP/IP requires it), measures can be taken to greatly reduce the attack surface of such devices.
All these factors contribute towards creating your company profile, which in turn can help inform your decisions in connection with cybersecurity. An added bonus of the process is that it can help identify access points and endpoints that could be used to gain access to your network / connected devices.
2: Where are the collaborative robots?
The first question also provides a foundation for describing the environment that collaborative robots work in and what they are connected to. This helps decide how best to secure the environment and protect the robots against attacks. Further analysis of potential risks could include looking at what departments / employees have access to them, who has clearance to program them, what information and data is stored on the robot, what it is used for, etc.
“You should treat a collaborative robot just like any other business critical IT application, by enabling the connectivity and securing the network and its perimeter with the same policies, practices, and procedures. Your organization is not digitally isolated and neither should your robot need to be, if you follow correct procedures,” Julian Weinstock says.
3: What would an attacker want?
Answers to questions one and two help you create an informed answer to this third question.
Part of establishing the optimal cybersecurity setup is identifying what an outside force would want once they gain access to your network. Will they be looking to steal your IP? Are they interested in disrupting your production line and holding it for ransom? Would it be more likely that they are after employee information or other sensitive data? Are they looking to exploit computing resources for their own gain?
“Often companies will fall into the trap of saying: we’re too small, nobody would be targeting us so we don’t need many security controls. The fact is that an attacker does not need to know you or to be targeting you. Attackers may just be using automatic scanning to find a flaw in connected systems and exploit them in order to leverage the now compromised infrastructure afterwards,” Pierre Luc Simard, security expert, CTO and Partner at Mirego, says.
Regardless of whether your company is the specific target or not, consider how an attacker would try to use the information they gain access to. This will help to identify what the impact of a successful attack could be, and also help in relation to how to protect / safeguard various parts of your company, including collaborative robots.
“Performing such a threat analysis in your own network environment, just like performing a risk assessment for the robotic application, helps you take appropriate mitigation measures,” Julian Weinstock says.
4: What is your response going to be?
Anyone aiming for an impenetrable cybersecurity setup could well be in for a rude awakening. The starting point for cybersecurity should be that threats can be mitigated to be negligible, but that it is virtually impossible to create a 100% secure setup, whether the systems are connected or not. That makes it a pressing issue to identify how your company will react if IT systems are compromised.
Pierre Luc Simard advises creating a prevention-oriented setup that incorporates response strategies, based on the following points:
- Put in place a backup procedure to always be able to roll back updates or restore to a previously known good state if the machine misbehaves.
- Make sure all cyber systems are continuously monitored.
- Access (physical and cyber) should be logged and reviewed to both identify suspicious access and to understand the sequence of events that led to a failure or security incident.
- Monitor all network access points.
- Perform risk assessments and develop response strategies.
- Review and update your security controls and procedures periodically.
While this list can seem daunting, especially to small companies, this is not something that necessarily requires thousands of man hours. For a company with a small attack surface it can be as simple as storing known good configurations on an existing server, adding a log management system with alerting functions and putting in place a lightweight change management process with periodic review. Like a production process, a large part of this can be automated if you analyse your IT process carefully.
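The known-good-configuration idea above can be automated with a small drift check. This is an added example, not code from the original article or from any robot vendor; the directory layout and the file names (`robot_config`, `program.script`, `network.conf`) are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def snapshot(config_dir):
    """Return {relative_path: sha256} for every file under config_dir."""
    root = Path(config_dir)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def save_baseline(config_dir, baseline_file):
    """Record the known-good state; keep this file outside the monitored directory."""
    Path(baseline_file).write_text(json.dumps(snapshot(config_dir), indent=2))

def check_drift(config_dir, baseline_file):
    """Compare the current files with the stored known-good baseline."""
    baseline = json.loads(Path(baseline_file).read_text())
    current = snapshot(config_dir)
    common = baseline.keys() & current.keys()
    return {
        "changed": sorted(f for f in common if baseline[f] != current[f]),
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
    }

def demo():
    """Build a constructed config directory, baseline it, then simulate unreviewed changes."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "robot_config"          # hypothetical exported robot configuration
        cfg.mkdir()
        (cfg / "program.script").write_text("move_to(home)\n")
        (cfg / "network.conf").write_text("dhcp=off\n")
        baseline = Path(tmp) / "baseline.json"    # stored next to, not inside, the config
        save_baseline(cfg, baseline)

        (cfg / "network.conf").write_text("dhcp=on\n")   # modified setting
        (cfg / "extra.script").write_text("noop()\n")    # file nobody approved
        (cfg / "program.script").unlink()                # missing program
        return check_drift(cfg, baseline)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run on a schedule, a non-empty report is the event to send to the log management system for alerting, and the baseline is refreshed only after a change has passed review.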
5: How do you see your future?
Cybersecurity threats have developed rapidly over the years, and there is little to no reason to believe that this is about to change. Therefore, your cybersecurity setup needs to include looking at what the future of threats could be. This is intrinsically linked to how you see the future of your company.
For example, adding new offices, or merging with subsidiaries can create situations where you could need new security features. The same applies to integrating new collaborative robots or adding new IoT devices. One way of combating this is working closely with security partners and cybersecurity experts, as well as suppliers of connected devices, such as collaborative robots.