Our CTO on robot cyber security during COVID-19

Our CTO, Víctor Mayoral Vilches, answers some questions about robots, their security and the consequences of not being protected during COVID-19.

First published at https://www.spri.eus/es/basque-industry-comunicacion/ciberseguridad/uso-robots-deberia-seguir-siempre-politica-estricta-seguridad/ by the Development and Infrastructure department of the Basque Government


What has been the level of integration of robots in medicine or the bio-health area in recent years? Has there been a large increase?

The increase has been significant. More and more surgeons are using surgical robots to reduce the impact of operations. Robots are even used to automate the production of samples in laboratories for research purposes. The use of these technologies promises better results, but I see a concerning consequence in this evolution: the use of robots should always follow a very strict policy of security and this is not fulfilled. Robots are used in an unsafe way, risking users, patients and surrounding humans in most of the cases.

To illustrate this, according to our data, the Basque Country has 5 "Da Vinci" surgical robots from the American firm Intuitive Surgical. This robot, which costs several million Euros, is connected to the hospital's local area network and from there to the cloud, constantly sending data to the manufacturer. This may imply a serious conflict with patient data privacy if any leaks were to happen. And it is dangerous, because if the manufacturer (Intuitive) wanted, it could even tele-operate the robot from thousands of kilometers away. Imagine now that a malicious hacker, one with bad intentions, attacked the network and took control of that robot in the middle of an operation.

From our interactions, Intuitive shows good will and a professional attitude; however, the security of these systems needs to be assessed periodically, and users (hospitals) should demand minimum levels of compliance.

Intuitive Robotics' Da Vinci robot. Source: Wikipedia

In the fight against the coronavirus, is the world of robotics indispensable? What role is it playing?

It is relevant, but not essential. Robots are characterized by their ability to operate continuously, without interruption, as long as their technical and logical capacities allow it, of course. They are also useful when people cannot perform a task. And they do not catch any viruses.

That said, after 10 years of building robots I am more and more convinced that the capabilities of today's robotics are overrated in many domains of application. Creating a robotic system and programming it to perform a number of simple tasks with some flexibility and adaptability is something that very few groups have achieved so far. It requires a huge engineering investment. Hospitals are usually unstructured environments, complex and rapidly changing these days. In my view, for many tasks in healthcare today, robots simply won't do. We have qualified professionals, who are able to adapt to the changes in a matter of seconds in a hospital.

That said, there are useful and effective applications. Like robots with ultraviolet light that help eliminate bacteria in a semi-automatic way in hospitals. Though again, precautions need to be taken from a security perspective.


How is this equipment protected? Is it enough to have pre-established systems in their manufacture or is it necessary to be constantly incorporating systems that allow defense against new threats?

Today, though increasing, still very few manufacturers care about protecting their robots against cyber-threats. It's surprising, but true, and the same happened a few years ago with ICS. At Alias Robotics my team has just discovered more than 80 vulnerabilities in one of the best-selling industrial robots on the market, manufactured by Universal Robots. This is just an example of manufacturers ignoring security recommendations and claiming that they leave the users in charge of protecting themselves. Security is not a product, which is applied, and "that's it!". It is a process that needs to be periodically reviewed. It is essential that protection systems evolve and adapt to the robot and the environment.

Many robots try to protect themselves with perimeters, but this is equally incorrect, as it's been shown with other industrial devices. These security solutions (perimeters) do not add value anymore in the current hyper-connected landscape we're living in. There are too many entry points one could use to attack a robot. To address this, our team a) is developing an adaptive immune system for robots that will evolve while protecting them and b) is involved in helping to develop and steer new security standards specifically for robots.


What are the most common hacks for these types of robots? What are the consequences?

According to our data, the most common attacks are focused on disabling the robotic systems, encrypting their file systems and requesting a ransom in exchange for "leaving them alone". In other words, what is technically called 'ransomware'. In addition, we are increasingly seeing more sophisticated attacks in which attackers not only take control of the robot, but also take advantage of its sensors to cause damage (for example, by disabling safety systems and directly impacting a person when they approach).


What steps does Alias Robotics take to protect robots?

Alias has created the Robot Immune System (RIS). It is the result of more than two years of research financed by the European Union and the Basque Government, among other agents, which combines scientific and technological efforts to recreate the human immune system in a robot. It is software that is installed in the robot and evolves with it, learning its usual environment, its usual commands and developing protections as it goes.

During these two years more than a dozen professionals have participated in its development, including biologists and robotics engineers. RIS is now available in several robots and robotic components. More will be announced soon.


What is the ecosystem of the companies dedicated to the protection of robots? Are there many in our environment, very specialized, of what size?

Fortunately, there are more and more of us: the number of companies that are concerned about security in robotics and that are looking to enter the sector is growing. Right now, Alias Robotics leads the lists of 4 independent studies on the key players for robotic cyber security. We encourage more people in the Basque Country to learn about robotics, its tools, operating systems and to become interested and involved in this sector.

Most of our competitors are foreign and with different degrees of maturity. The main entry barrier we observe is the talent in robotics. Entering robotic cyber security requires prior experience with robots. There is a tremendous lack of professionals with knowledge of robotics, and even fewer who know about securing them. We are still a very small community. We all know each other and there is a lot of competition for experienced professionals.