Robotics and its compromised new supply chain
Insecurities in robotics are not just in the robots themselves; they are also in the whole supply chain. Over the past years, the tremendous growth and popularity of collaborative robots have introduced flaws in the already complicated supply chain, making it harder to deliver safe and secure robotics solutions.
This article builds upon a previous essay [1] and presents a series of thoughts and questions (most left unanswered and for future research). The aim is to question whether the current supply chain, overall, favors the end user's security and safety.
The robotics supply chain
The robotics supply chain is generally organized as follows:
Traditionally, the Manufacturer, Distributor and System Integrator stakeholders were all part of one single entity that served End Users directly. This is the case for some of the biggest and oldest robot manufacturers, including ABB and KUKA, among others.
More recently, and especially with the advent of collaborative robots [2] and their insecurities [3], each one of these stakeholders acts independently, often with a blurred line between Distributor and Integrator. This brings additional complexity when it comes to responding to End User demands or resolving legal conflicts.
Companies like Universal Robots (UR) or Mobile Industrial Robots (MiR) best represent this fragmentation of the supply chain. When analyzed from a cybersecurity angle, one wonders: which of these approaches is more responsive and responsible when applying security mitigations? Does fragmentation hinder a responsive reaction to cyber-threats? Are Manufacturers like Universal Robots pushing the responsibility and liabilities to their Distributors and the subsequent Integrators by fragmenting the supply chain? What are the exact legal implications of such fragmentation?
Stakeholders of the robotics supply chain
Some of the stakeholders of both the new and the old robotics supply chains are captured and defined in the figure below:
Not much to add. The diagram above is far from complete. There are indeed more players, but these few already allow one to reason about the present issues that exist in the robotics supply chain.
The 'new' supply chain in robotics
It really isn't new. The supply chain (and GTM strategy) presented by vendors like UR or MiR (both owned by Teradyne) was actually inspired by many others across industries, yet it has certainly been growing in popularity over the last years in robotics. In fact, one could argue that the popularity of collaborative robots is related to this change in the supply chain, where many stakeholders contributed to the spread of these new technologies.
This supply chain is depicted below, where a series of security-related interactions are captured:
The diagram presents several sub-cases, each dealing with scenarios that may happen when robots present cybersecurity flaws. Beyond the interactions, what stands out is the more than 20 legal questions related to liabilities and responsibility that came up. This, in my opinion, clearly reflects the complexity of the current supply chain in robotics, and the many compromises one needs to assume when serving, distributing, integrating, or operating a robot.
What's scarier is that most of the stakeholders involved in the supply chain I interact with ignore their responsibilities (for different reasons, from what I can see). The security angle here is critical. Security mitigations need to be supplied all the way down to the end-user products; otherwise, it'll lead to hazards.
While I am not a lawyer, my discussions with lawyers on this topic made me believe that there's a lack of legal frameworks and/or clear answers in Europe for most of these questions. Moreover, the lack of security awareness from many of the stakeholders involved [2] is not only compromising intermediaries (e.g. Distributors and System Integrators), but ultimately exposing end users to risks.
Altogether, I strongly believe this 'new' supply chain and the clear lack of security awareness and reactions lead to a compromised supply chain in robotics. I'm listing below a few of the most relevant cybersecurity-related questions (refer to the diagram above for all of them) raised while building the figure above and reasoning about the supply chain:
- Who is responsible (across the supply chain) and what are the liabilities if, as a result of a cyber-attack, there is human harm from a previously unknown (or unreported) flaw in a particular manufacturer's technology? [4]
- Who is responsible (across the supply chain) and what are the liabilities if, as a result of a cyber-attack, there is human harm from a known and disclosed but not mitigated flaw in a particular manufacturer's technology?
- Who is responsible (across the supply chain) and what are the liabilities if, as a result of a cyber-attack, there is human harm from a known, disclosed and mitigated flaw that has not been patched?
- What happens if the harm is environmental?
- And if there is no harm? Is there any liability for the lack of responsible behavior in the supply chain?
- What about researchers? Are they allowed to freely encourage security awareness by ethically disclosing their results? (which you'd expect when one discovers something)
- Can researchers collect insecurity evidence to demonstrate non-responsible behavior without liabilities?
While I can't answer most of these now, I hope I will in the near future.
So, what's better, fragmentation or the lack of it?
I see huge growth through fragmentation, yet I still reckon that the biggest and most successful robotics companies out there tend to integrate it all.
What's clear to me is that fragmentation of the supply chain (or the 'new' supply chain) presents clear challenges for cybersecurity. Maintaining security in a fragmented scenario is more challenging and requires more resources and a well-coordinated, often distributed series of actions (which is naturally tougher).
So what's better from a security angle? I don't know. I really don't. My team and I at Alias Robotics are still collecting data and slowly disclosing while cooperating with vendors. What's clear is that much needs to be done to improve the current robotics supply chain and prepare it for the upcoming cyber-threats.
Investing in robot cybersecurity by either building your own security team or relying on external support is a must.
References
[1] Mayoral-Vilches, V. Vulnerability coordination and disclosure in robotics. Cybersecurity and Robotics. Retrieved from /vulnerability-coordination-and-disclosure-in-robotics/
[2] Mayoral-Vilches, V. Universal Robots cobots are not secure. Cybersecurity and Robotics. Retrieved from /security-universal-robots/
[3] Mayoral-Vilches, V. More than 100 companies use vulnerable collaborative robots. Cybersecurity and Robotics. Retrieved from /companies-use-vulnerable-collaborative-robots/
[4] Note that this question covers both 0-days and known flaws that weren't previously reported.