Implementing and Auditing Cyber Security in Robotics (Part – 1)

Introduction:

As technology and human intelligence evolve, people keep developing new products. That evolution comes with both benefits and drawbacks. One of the new and evolving technologies is robotics and robotic process automation.

An increase in cyber-attacks, combined with the shift toward automating business processes using robotic process automation (RPA), introduces new risks that must be addressed to secure sensitive data and the organization's robotic platform.

Robotics is rapidly gaining traction in organizations across many industries and sectors. Business users are employing Robotic Process Automation (RPA) to quickly and easily automate repetitive and time-intensive processes. IT and cybersecurity groups are leveraging the ability of robotics platforms to orchestrate workflows and perform cognitive learning functions.

Purpose:

The purpose of this blog is to outline security concerns in robotics and identify recommended solutions and practices to improve the security posture.

Description:

What is a robot, and what is robotic process automation?

As per IEEE, a robot is an autonomous machine capable of sensing its environment, carrying out computations to make decisions, and performing actions in the real world.

Robotic Process Automation (RPA) is an application of technology, governed by business logic and structured inputs, aimed at automating business processes.

– CIO.com

RPA leverages simple applications to configure software robots that can be quickly trained and deployed to automate manual tasks across various business processes spanning multiple systems. Typical activities considered for RPA include data entry, migrating data across multiple systems, data manipulation, data reconciliation and rule-based decision-making in business processes. This software is designed to interact directly with a user interface, with no need to develop code to automate individual tasks.

Levels of robotics/RPA:

LEVEL 1

RPA + Cognitive Solutions + Machine Learning + Digital-enabled STP

  • Digital solutions to enable Straight Through Processing (STP) without changes to the core systems
  • Reduction in transactions moving to back-office for manual touchpoints
  • Faster cycle time

LEVEL 2

RPA + Machine Learning

  • Natural Language Processing to interpret and understand unstructured messages
  • Make judgmental decisions based on training and historical data using cognitive techniques
  • Handle complex exceptions using machine learning technology

LEVEL 3

RPA

  • Integrated RPA and BPM strategy
  • Recurring additional maintenance expenses due to the deployment of a large number of robots
  • Not amenable to work that is unstructured or handwritten, requires judgmental decisions, or has voice steps and exception handling

Recognition of risks and controls

Risk mitigation is the foundation for strong business performance, and organizational apprehension has surfaced that robotic deployments may both present traditional risks and introduce new, unforeseen ones. At a minimum, from a risk and control perspective, organizations are tackling the following representative concerns in their RPA journey.

  • Rationalization — Although organizational direction may be communicated with regard to RPA, anxieties exist about the improper usage and deployment of robotics. RPA may sometimes rightly serve in a bridge capacity, but situations have occurred in which RPA was not the appropriate technology and was selected solely because of a speed-to-market goal. As a result, the advantages of flexibility and convenience have been a curse and have led to teams knowingly circumventing extensive queues within development teams and cumbersome technology controls.
  • Maintenance and operations — Robots require guidance and steps to perform desired activities. Although robots are configured as of a point in time based upon defined business requirements, broader architecture and system changes can severely affect the expected performance. Modified data field mappings, orphan and dangling robots, vendor upgrades, system integrations, capacity and performance monitoring, and forward compatibility considerations require attention to preserve the original intentions of the robot and manage the perceived brittleness of the application and RPA dependencies.
  • Cybersecurity and resiliency — As robotics becomes mainstream, these new entrants to the IT environment represent additional vectors for compromise. Abuse of privileged access, mismanaged access entitlements and disclosure of sensitive data are valid concerns. Additionally, platform security vulnerabilities, privacy implications and denial of service may yield ramifications that impact RPA integrity, reliability and downstream business processes.
  • Methodology and documentation — Agile development methodologies encourage iterative communication and coordination between key stakeholders; adherence to documented standards should be a staple of this approach to support the risk and control mindset. Although business functionalities may be delivered in a more timely and accurate manner, the traceability of artefacts related to RPA decisions is often absent, or even an afterthought.

Regardless of an employee’s role within an organization, it is widely accepted that regulatory, financial and reputational risk management is simply “good business.” Automation agendas are exciting and groundbreaking yet require an effective step from a risk management point of view to protect organizations. As robots extract, aggregate, transform and upload organization data, risk and control considerations become paramount.