Cybersecurity in the Era of Robotics

September, 2024

The ongoing Russia-Ukraine war has demonstrated that if weapons and systems are not secure, one should not even bother bringing them onto the battlefield. Ukrainian Marines successfully hacked a Russian drone to locate its base and eventually blew it up with artillery.

Today, robots are used extensively not only in warfare but also for various commercial purposes, ranging from manufacturing and healthcare to entertainment. These applications include drones, automated vehicles, home assistants, industrial robots, and robots for elderly care.

Recent advances in AI have also led to the development of more advanced robots that can perform tasks previously thought to be exclusive to humans, such as visual perception, speech recognition, and decision-making. According to the International Federation of Robotics report on Top 5 Robot Trends in 2024, the global stock of operational industrial robots reached a new record of approximately 3.9 million units. Elon Musk has famously predicted that Tesla alone could produce billions of humanoids.

However, as the world prepares for a deluge of humanoids, the wide adoption of robots presents unique cybersecurity threats, ranging from data interception to device hijacking. Many of these are due to a lack of native cybersecurity features in robotic equipment and related technologies, such as the IoT.

The vulnerabilities found in Aethon TUG robots, deployed across hospitals in the US, highlight how IoT devices at medical facilities can present new security challenges as sensors, scanners, robots, and other technologies are increasingly connected wirelessly. Cynerio, a healthcare cybersecurity company, found a series of critical zero-day vulnerabilities in Aethon TUG hospital robots, allowing hackers to remotely control robots and disrupt day-to-day hospital operations, access the personal medical files of patients in the hospital, covertly control the elevators across buildings, and even harm patients by providing them with incorrect or intentionally harmful medicine.

The threat is not limited to robots; it also extends to associated devices such as remote controls. In June 2024, TeamViewer, a provider of remote-control software for managing devices, including industrial machines and robots, was hit by a cyberattack. One of the employees’ accounts was compromised and used to intrude into TeamViewer’s internal corporate IT environment.

Security Providers, Government, and Academia Push to Enhance Robotics Security

As robots assume more critical roles, collecting sensitive and personal data such as national security classified information, personally identifiable information (PII), and personal health information (PHI) to carry out their functions, the adoption of zero-trust principles—focusing on “never trust, always verify”—becomes essential for developing cyber-resilient robots and managing the risks tied to interconnected systems.

This approach necessitates secure data collection, management, and sharing to ensure the safe operation of robots and related devices while safeguarding privacy.

In the Avasant Cybersecurity Services 2020 RadarView™, we highlighted this strategy, which involves compartmentalizing data from various sources, including users, devices, networks, infrastructure, and applications. By segmenting and isolating critical systems, this method helps prevent extensive damage from a single point of failure. Techniques such as software-defined perimeter (SDP) ensuring authorization-based access, identity governance, microsegmentation, and software-defined network access support various use cases, including biometrics and multifactor authentication (MFA).

On the production side, secure-by-design principles are gaining momentum to address security concerns throughout the development, release, and operational stages. These principles are increasingly reflected in government policies. For example, the Australian Government’s National Robotics Strategy, introduced in May 2024, emphasizes developing a robotics and automation ecosystem, promoting adoption, adhering to secure-by-design principles, ensuring safety, and fostering skill development.

Moreover, in March 2024, the EU Parliament passed new standards under the Cyber Resilience Act, which impose security-related obligations on the entire supply chain, including manufacturers, importers, and distributors. These standards are designed to protect all digital and connected products by addressing vulnerabilities in both hardware and software.

Additionally, the cultural and technological surge following the launch of OpenAI’s ChatGPT in November 2022 has sparked growing interest within the robotics community in utilizing AI-based tools to bolster security:

    • Security providers are increasingly utilizing generative AI-based tools to scale automated penetration testing across interconnected robots, ensuring consistent testing protocols and addressing various scenarios, from basic vulnerability scans to complex attack simulations. For example, in August 2024, the Spanish robotics company Alias Robotics launched an automated penetration testing tool called PentestGPT. This tool uses large language models like GPT-4 to enhance the detection and mitigation of security vulnerabilities in robotic systems, automating tasks such as deploying testing tools, interpreting results, and recommending subsequent actions.
    • Academia is also making strides in using AI to protect unmanned systems. In October 2023, Charles Sturt University and the University of South Australia (UniSA) unveiled a cyber-intrusion detection system to identify man-in-the-middle (MitM) cyberattacks on unmanned military robots. This system employs AI, specifically deep learning convolutional neural networks (CNNs), to mitigate vulnerabilities in the robot operating system (ROS). During tests on a US Army GVT-BOT ground vehicle, the algorithm demonstrated a 99% accuracy rate.

Finally, securing communication is crucial, particularly in interconnected robotic environments. In December 2023, FORT Robotics, a developer of robotic control solutions, launched Safe Remote Control Pro, a device with a built-in SIL 3-certified safety feature for commanding multiple machines, such as autonomous robots and heavy equipment. The device protects firmware against cybersecurity threats and follows protocols for secure boot, configuration, and updates, ensuring that only authorized devices can communicate with each other.

Conclusion

To fully harness the potential of robotics, government, industry, and academia are collaborating to enhance security across all facets of robotic development and deployment. As robots permeate both military and commercial sectors, the critical need for comprehensive cybersecurity measures is clear. These measures must address every potential attack surface, from the physical robot to the operating system, firmware, remote controls, vendor services, cloud platforms, and networks.


Analysis by Arav Goyal and Gaurav Dewan, Avasant.