The Internet of Robotic Things: Secure, harmless helpers or vulnerable, vicious foes

23.01.2015
Experts say robots will be commonplace in 10 years. "Many respondents see advances in [artificial intelligence] and robotics pervading nearly every aspect of daily life by the year 2025--from distant manufacturing processes to the most mundane household activities," says Aaron Smith, senior researcher, The Pew Research Center's Internet Project, speaking of the several experts quoted in his "Predictions for the State of AI and Robotics in 2025".

People are increasingly connecting the broadening array of robots to the Internet and IoT devices, including sensors, to add functionality. "A new generation of robots uses wireless networking, big data, machine learning, open-source, and the Internet of Things to improve how they assist us in tasks from driving to housekeeping to surgery," says Ken Goldberg, Professor, UC Berkeley. IoT such as sensors produce useful data, anything from temperature readings to measurements of vibrations, for decision-making by control systems that manage robots.

[ How Dangerous Could a Hacked Robot Possibly Be ]

But there are security issues with Internet-based control of robots, which will grow as the number of robots and connections grow. "Security is a critical issue that prevents the widespread adoption of IoT technologies and applications. For this reason, this paper remarks that a full re-discussion about the major security challenges is required to make IoT a viable paradigm, especially in robotics applications," says L.A. Grieco, Associate Professor, Politecnico di Bari, Italy, et.al in "IoT-aided robotics applications: technological implications, target domains, and open issues" (2014).

CSO explores the Internet of Robotic Things and the information security challenges it presents for the enterprise.

The Internet of Robotic Things

The Internet of Robotic Things will encompass more than robots working in factories. "We see IoT creating autonomous control loops where components that aren't considered traditional robots are automated, delivering close-looped intelligence on the floor, generally through a connection with the Internet," says Sarah Cooper, head of engineering, M2Mi.

[ 5 ways to prepare for Internet of Things security threats ]

Robots and close-looped autonomous control systems use sensors to provide real-time data about the environment and status of these robotic IoT devices. Remote control systems respond to changes in sensor data, making changes in robot behavior based on changes in IoT tasks in progress and in environmental factors.

High functioning robots rely on distributed sensor networks to provide decision-making input. Robots and IoT control devices relying on distributed systems require greater interoperability, more distributed processing, and much more secure communications.    

"As IoT matures, we see the industry adding more robotic and AI functions to traditional industrial and consumer robots," says Cooper. Beyond simply automation, these functions include predictive analysis, learning capabilities [such as machine learning], autonomous decision making, and complex programmable responses, explains Cooper. "The autonomous nature of these systems and their often critical function in the larger system make them of particular concern when it comes to security," says Cooper.

The Internet of Robotic Things challenges security

The Internet of Robotic Things challenges security with loss of control, says James Ryan, Digital Leadership Fellow, Minnesota Innovation Lab. IoT creates an attack vector where someone can now gain control of industrial robots using cyberattacks. And when hackers attack IoT, the consequences are immediate and apparent, instilling a sense of loss of control in the enterprise, vendors, and users. Once IoT is deployed, it is harder and harder to update and patch it. "The 'patch and pray' mentality that we see inside many organizations won't work here," says Ryan.

The evidence is piling up that existing security practices are not effective. If the industry stays on course, following the same ineffective enterprise security strategies with robots that it does with other technologies, the consequences of losing control of robotic assets will multiply. "We cannot protect laptops today. What makes us think we can protect robots" asks Ryan.  

"An Internet-connected robot is still a secure control environment," says Cooper. But the temperature sensors on the plant floor--part of those distributed sensor networks--that the robot interacts with to make decisions are a lot simpler, dumber, and easier to hack. This provides an indirect avenue for disrupting the function of the robot without hacking the robot itself. A hacker could spoof a sensor and provide bogus temperature data to the control plane for a welding robot, which would direct the robot to change the duration of the weld, leading to a faulty weld.

The industry has not adequately identified this threat from the data plane, from the data coming in from the Internet and Internet-connected sensors, in order to verify that the sources are trustworthy.

It should not, however, be difficult to achieve verification. Realizing that there are several temperature sensors on a plant floor, for example, an enterprise could compare sensor readings in order to address these risks. "If one sensor records a drastically different temperature than the other sensors do, or if that one sensor is supposed to be in the US, and all of a sudden its DNS registry is in Romania, attackers may be spoofing it," says Cooper.

Internet of Robotic Things security challenges enterprises

The awareness and intelligence from environmental sensor data that Internet-connected robots from different vendors will increasingly share between them in this ecosystem is a big security challenge for the enterprise, whether it is producing robotics, AI, and related data or simply consuming them, says Cooper.

The smart home is a great example. It's really just a set of single-point robots like the Roomba and smart connected devices making individual decisions. "In 10 years--and we have some customers who are working on this--your smart home will actually become aware," says Cooper.

The smart home will apply base services and presence, knowing where family members are and what they are doing, and use that information to tell the Roomba to leave the room where they are hosting a party, to tell the assisted living service to move objects that an elderly patient could bump into, and to tell a service robot to bring a family member their sneakers.

"That kind of predictive element requires those base services to be available and shared as sort of an awareness, a consciousness," says Cooper. There will be that kind of awareness and service availability in industry as well. But it opens up the potential for a proliferation of security threats and faults between systems of multiple vendors.

This demands a sophisticated system of data provenance that knows where data came from, what happened to it before it arrived, and what decisions systems have already made in order to address those security threats and faults, says Cooper. This could help prevent false data from spoofed sensors from having the effect the attacker intended.

Will enterprises meet those challenges

Pew Internet data says that AI and Robotics will be in nearly every aspect of human life by 2025, just 10 years from now. Will enterprises meet these security challenges by then Perhaps, with the right preparation and tools they will.

Cloud-based data processing is one possibility. A distributed intelligence model would enable a subset of local decision-making on a drill head on the factory floor, for example. The cloud could take that drill head data output, perform some additional intelligence analysis on it, and provide that back to the cloud and down to the drill head to capture and provide provenance about data.

This data provenance could control and secure that data at the same distributed points where that intelligence is generated. Together with that data provenance, the cloud system would capture and provide information about how that data should be secured, who can see it, and how they can use it.

(www.csoonline.com)

David Geer