Alias Robotics Research
Open research in robot cyber security. Articles on cyber security for robotics.

Robots are often shipped insecure and in some cases fully unprotected. The rationale behind this is threefold: first, defensive security mechanisms for robots are still in their early stages and do not cover the complete threat landscape. Second, the inherent complexity of robotic systems makes their protection costly, both technically and economically. Third, vendors do not generally take responsibility in a timely manner, extending the zero-day exposure window (time until mitigation of a zero-day) to several years on average. Worse, several manufacturers keep forwarding the problem to the end-users of these machines or discarding it.

What's the status of cybersecurity in robotics? And how can we best improve cyber-resilience in robotics?

In this article, the status of robot cybersecurity is reviewed considering three sources of data: 1) recent literature, 2) questionnaires conducted in top robotics forums and 3) recent research results in robot cybersecurity. Building upon a decade of experience in robotics, this article reviews the current status of cybersecurity in robotics and argues about the current challenges to secure robotic systems. Ultimately, based on the empirical results collected over a period of three years performing security assessments in robots, the present text advocates for a complementary offensive approach methodology to protect robots in a feasible and timely manner.

Using these different sources of information, we draw the following observations:

  1. Based on literature, robot cybersecurity is still a new field that deserves further attention, tools and educational material to train new engineers in security practices for robotics.
  2. There's a gap between the expectations and the actual investment, which suggests that cybersecurity actions in robotics will grow in the future for the ROS community.
  3. The lack of robot-specific security measures (36%) and offensive assessments (26%) can be interpreted as an indicator of the maturity level of the technology when compared to other sectors (e.g. IT or OT) where these practices are common and specialized.
  4. Both the PX4 and the ROS communities indicated that the majority is yet to witness a cyber-attack. In the ROS community only one out of ten respondents (9%) had seen one, whereas in the PX4 group approximately one out of four (27%) had.
  5. Data confirm that, for both the ROS and ROS-I groups, mitigations concentrate mostly on the perimeter.
  6. In Europe, the majority of the respondents agree that the responsibility in case of damage as a result of a cyber-incident is to be assumed by the supply chain (86% indicated that it'd sit between System Integrators and robot vendors), with only 14% pushing the responsibility to the end-user.
  7. Collaborative robot manufacturers MiR and UR have zero-days that are at least one year old. These flaws continue to grow older due to inactivity from the manufacturers.
  8. Vulnerability data affecting ABB robots shows that, according to historical data, vulnerabilities were patched as early as 14 days after disclosure; however, the average mitigation time is above four years (1500 days).
  9. The ratio of publicly disclosed vulnerabilities versus the ones remaining private is an indicator when evaluating the security readiness of a robot manufacturer. The threat landscape of a given robot is correlated to this ratio in a direct manner.

Complexity makes security in robotics difficult. The inherent complexity of robotic systems leads to wide attack surfaces and a variety of potential attack vectors which manufacturers are failing to mitigate in reasonable time periods. As research advances in the field and the first commercial solutions to protect robots appear, a reverse defensive approach (an offensive one) is recommended to meet the security expectations of the most immediate industries. Periodic security assessments in collaboration with security experts will be the most effective security mechanism in the short term.

For a postprint version of the full text, read the complete article. This is a postprint-produced PDF of an article submitted to the International Journal of Cyber Forensics and Advanced Threat Investigations (CFATI). Some rights reserved. The definitive publisher-authenticated version will be available online from