The survey is still open! If you wish to participate, please do so here. These first results were presented at the Cybersecurity for Robots conference that took place within Basque Industry 4.0.
For years, the robotics industry has focused on ensuring safety in the robots being built and deployed. However, as of today, safety is still largely mistaken for security. In basic terms, “safety” prevents the robot from harming its environment, whereas “security” prevents the environment from affecting the robotic system. Security is a very novel concern in robotics, rapidly gaining relevance with the advent of Industry 4.0. The concomitant hyperconnectivity brings an increased attack surface, which could bring new threats against which robots should be protected.
Industry seems to be progressively transitioning from proprietary systems towards de facto development standards such as ROS (Robot Operating System), which was first purposefully created without considering cybersecurity. Its second version, ROS 2, is an evolution where security is being considered through the underlying DDS security capabilities.
Some of the prior work shows that security awareness is still only slowly emerging in the robotics industry. Actors often show different degrees of awareness and maturity, depending on factors such as the professional profile of the respondent, company size, particular use cases of robots, etc.
From our experience at Alias Robotics, most robot manufacturers seem to be security agnostics, for whom security is not even considered or is mistaken for safety. Others knowingly reject security responsibilities and attribute security entirely to the end user, whereas there are a few aware manufacturers that are taking a few laudable steps in the area.
In this entry, we present some results from an online survey (Robot Security Survey) conducted by ALIAS ROBOTICS and JOANNEUM RESEARCH. We aimed to assess the overall security status and awareness of robot security and the degree of uptake of security measures within the robotics industry. The survey is also concerned with the degree of adoption of security technologies in robotics and with how the involved players' perception of standardization relates to their security awareness.
The robot security survey
The main objective is to assess the global landscape of security status in robotics. The Robot Security Survey has been launched with the aim of shedding more light on the global security status of the industry, but also of identifying the different behaviours and concerns of players in the robotics value chain.
Material and Methods:
The Robot Security Survey is structured as follows:
- 1. General Questions. Information about general aspects of the survey contributor.
- 2. Robot Usage. Questions dig into robot use in the respondent's application domain, including the use of resources and the perception of their usage.
- 3. Security-specific questions. Sums up the perceived security status of the respondents' robots, along with items asking for the perceived feasibility and likelihood of robot security challenges.
- 4. Standardization. This section enquires about the standardization knowledge of the respondents and their perception of further requirements.
Results and discussion:
In this post, we preliminarily report some selected findings of our survey with answers processed at the time of writing.
- In total, we have received 43 responses to our survey at the time of writing. As can be expected, the largest group of participants are University respondents (34%). However, robot manufacturers are already the second-largest participant group (17%), followed by SW developers (12%).
- Amongst them, we found that most respondents belonged to Startups and SMEs (40%), 9% belonged to RTOs and only 14% to large companies. Most respondents belonged to the R&D category, with most respondents on the software engineering side.
- What excites respondents about the transition to robotics is improved efficiency, precision and repeatability (59%), followed by improved standard of living (52%) and by AI and cognitive advances and reduced costs.
- Amongst open source resources, ROS and ROS 2 are the most widely used, at 86%. Most participants using them do so daily (47%) and are very familiar with the ROS community, but only some are active contributors, mainly on ROS Discourse.
- Users rate the perceived usefulness of the Open Source community at 6.8 on average and find it notably trustworthy (7.1), on a scale from 0 to 10. However, setting up security is perceived as a fairly difficult task for ROS 1 (6.6) and easier in ROS 2 (5). Answers show some degree of improvement in the transition from ROS 1 to ROS 2.
- Respondents attribute a usefulness value of 6.4 to robotics, while transparency of robot use is rated 4.4 on average. Worries in relation to robotics concern robots erasing jobs (58%) and removing the human element from the interaction (40%), while Skynet-esque events are mentioned in third position (35.2%).
- A majority of organizations (73%) are willing to invest in robot cybersecurity, but only 26% actually did invest in the current year. Approximately half of the ones that did invest actually increased their investments (54.5%). When asked to rate the importance of robot cybersecurity on a scale from one to ten, an average of eight points (8) is attributed to the topic.
- A majority (73%) of participants think that they have not invested enough to protect their robots from hackers.
- When asked what percentage of a robot budget should be allocated to security, 55.6% think that 5-10% is appropriate, and approx. one fifth think that it should be more than 10%.
Security is overall perceived with an importance of 8.0 out of 10 in the respondent application domain.
- Robots as an endpoint are perceived to be vulnerable to hacking to a great extent, with an average rating of 2.2. However, both ratings depend highly upon the professional profiles of the respondents.
- When it comes to security mitigations, most respondents apply perimeter measures, such as firewalls and IDS, to robotics (53%), followed by network segmentation (48%) and per-robot measures (36%). Only 26% perform network security audits.
- Interestingly, more than half (51%) of the participants have already identified weaknesses in their robots. The top observed weaknesses/vulnerabilities pertain to:
- Exposed network services
- Physical attacks
- Issues within the firmware
Still, and fortunately, only a small number of respondents (9%) have witnessed or suspected a cyberattack on robots.
- Insecurity concerns mention fears of attacks targeting IPR and generating safety violations. When asked about attack likelihoods, respondents estimate that safety violations and data loss are the most probable targets. Interestingly, cyberincidents are most likely attributed to blackhats and to unintentional actions by employees.
- Respondents are to some degree aware of safety standardization actions involved in robotics (43%), whereas security standards are poorly known (22%), with some irrelevant references and some references to generic industrial standards, such as IEC 62443, or others (mostly guidelines) relating to IoT. In general, there is a belief that security standards are missing for robots (79%).
The robot security survey is the first of a series of attempts to depict a global picture of the cybersecurity status in robotics. A varied array of profiles responded to the survey, with different company backgrounds and professional profiles.
The survey sheds light on the adoption of open source resources, showing a high rate of adoption, particularly in younger companies and R&D. The ROS to ROS 2 transition shows some improvement in the security perception, yet setting up security is perceived as a difficult task in ROS, but somewhat easier in ROS 2.
However, results show that not much is being done yet in terms of security investments in the area of robotics, even if the majority of respondents seem to be predisposed to invest in it. Robots are overall perceived as weak endpoints and cyberweaknesses are evident to a great degree, but this perception differs when breaking the results down by value chain actor. Overall, it may be observed that there is some rise in awareness of cybersecurity in robotics, with levels depending highly on respondent profiles (Universities and Startups show greater awareness than SMEs and large companies). In general, established companies perceive less risk.
The conclusions suggest that further awareness-raising actions are required in the robotics industry for greater security enhancement. More concrete actions and investments in robot cybersecurity seem to be required. Among these, the robot cybersecurity survey will continue gathering the inputs/worries/thoughts of the actors involved.