Robot Security Framework (RSF)

Introducing the Robot Security Framework (RSF)

We present the Robot Security Framework (RSF), a methodology to perform systematic security assessments in robots. We propose, adapt and develop specific terminology and provide guidelines to enable a holistic security assessment following four main layers (Physical, Network, Firmware and Application).

Robots are going mainstream: from assistance and entertainment robots used in homes, to those working on assembly lines in industry, all the way to those deployed in medical and professional facilities. For many, robotics is called to be the next technological revolution. Yet, similar to what happened at the dawn of the computer or mobile phone industries, there is evidence suggesting that security in robotics is being underestimated. Even though the first human death caused by a robot occurred back in 1979, the consequences of using these cyber-physical systems in industrial manufacturing, professional or commercial environments have yet to trigger further research actions in the robotics security field. Robot security is being underestimated. To address this issue, we present the Robot Security Framework (RSF), a methodology to perform systematic security assessments in robots. We propose, adapt and develop specific terminology and provide guidelines to enable a holistic security assessment following four main layers (Physical, Network, Firmware and Application). We argue that modern robotics should regard internal and external communication security as equally relevant. Finally, we advocate against "security by obscurity". We conclude that the field of security in robotics deserves further research efforts.

An open source template of our security framework is available at http://github.com/aliasrobotics/RSF and licensed under GPLv3. We kindly invite security researchers, robotic researchers and analysts to use, review, challenge and complement our work.


Introduction

Over the last 10 years, the domains of security and cybersecurity have been substantially democratized, attracting individuals to many sub-areas within security assessment. According to recent technical reports summarizing hacker activity per sector, most security researchers are currently working on assessing vulnerabilities in websites (70.8%), mobile phones (smartphones, 5.6%) and Internet of Things (IoT) devices (2.6%), amongst others. Notwithstanding the relevance of robot vulnerabilities for most sectors of application, no formal study has yet published relevant data about robotics, nor does it seem to be an active area of research. We believe that the main reasons for this gap are twofold. First, security for robots is a complex subject from a technological perspective: it requires an interdisciplinary mix of profiles, including security researchers, roboticists, software engineers and hardware engineers. Second, to the best of our knowledge, there are few guidelines, tools and formal documents for assessing robot security. Overall, robot security is an emerging challenge that needs to be addressed immediately.

In an attempt to provide a solution for the second problem, this paper presents the Robot Security Framework (RSF), a systematic methodology for performing security assessments in robotics. We argue that security, privacy and safety in robotic systems should clearly be recognized as a major issue in the field. Our framework proposes a standardized methodology to identify, classify and report vulnerabilities for robots within a formal operational protocol. Throughout the description of the RSF, we present exemplary scenarios where robots are subject to the security issues hereby exposed.

Previous work

Robot security is a concern that is spreading rapidly. However, to date, and as already outlined in the Introduction section, there are few honest and laudable efforts that elaborate methodologies for analyzing robot security or cybersecurity. The most relevant of those pioneering contributions is Shyvakov's work. He and his collaborators aimed to develop a preliminary security framework for robots, described from a penetration tester's perspective. The cited research piece is, to the best of our knowledge, the best piece of literature addressing robot security concerns. It is largely from the content and structure of that particular work that we found the motivation for the present one. We found it extremely relevant to review, discuss and complete it, and to motivate a full-picture assessment from a robotics standpoint.

The author's classification proposed 4 levels of security: a) physical security, b) network security, c) operating system security and d) application security. However, we find that the author lacks, to some extent, the background knowledge related to the robotics field, particularly regarding the internal organization of these systems. For instance, he states that robots have "internal networks for wiring together internal components (nodes)", yet this view misses the fact that each of them is a security-critical element which can potentially influence the overall robot security. Shyvakov even includes a brief category devoted to internal networks within his proposed framework. However, under the assumption that a "normal user is usually not supposed to connect to the internal network", he acknowledges cases where "it is not possible to implement full network monitoring due to hardware limitations", but provides no further details on the rationale. By claiming that "at least there should be a capability to detect new unauthorized devices on the network", he suggests the idea that dedicated robot network security is needed. Moreover, the author discusses that "thresholds on IDS of the internal network should be lower than on the external network", but provides no additional foundation for such a claim. We argue that such an approach would lead to an incomplete security framework that relies on obscurity. We also believe that modern robotics should converge towards enforcing identical security levels on both inner and outer communication interfaces. Therefore, we advocate a holistic approach to robot security at the communications level, on which we elaborate below.

In an attempt to provide real use-case scenarios, the author recommends a preliminary implementation of the framework and provides examples for real robots, yet this particular part of his work remains hidden or sanitized. Even if the reasons for keeping this confidential may include the interests of robot manufacturers or stakeholders, it does little to favour the actual enforcement of any security framework. Therefore, we find it necessary to provide illustrative, public, real cases to which any framework may be applied.

Other contributions to robot security have primarily focused on providing only partial contributions, e.g. hardening particular aspects of robots, such as middleware, and elaborating on further efforts towards the application aspect or the lower communication aspects.

Recently, some pieces of research have brought focus onto the necessity of a framework for the evaluation of IoT device security. Such existing frameworks were examined by Shyvakov and duly criticized as not suitable due to their incompleteness. We share the view that IoT frameworks are neither applicable nor valid for guiding the security assessment of the robotics landscape. It is a common misconception that robots are a particular subset of IoT devices. Because robots are often orders of magnitude more complex than common IoT devices, they are to be considered, if anything, a sophisticated form of a "network of computers", consisting of distributed logic working over an array of sensors, actuators, power mechanisms, user interfaces and other modules that have particular connectivity and modularity requirements. Other recent research claims to perform a structured security assessment of a particular IoT robot. Yet, all these aforementioned pieces of research remain, in our opinion, very partial and not establishing the. Therefore, we find it necessary to systematize assessment by further elaborating on a common and universal reference procedure for robotic systems.

Our contributions

Inspired by the current state of the art, inter alia, we propose the subsequent Robot Security Framework (RSF). We also extend the initial ideas presented in prior art and add our contribution from a roboticist's perspective. Our main contributions on top of previous work are:

  • Reformulation of the categorization terms. In particular, the term component becomes aspect. Component is a rather generic term in robotics and it typically refers to a discrete and identifiable unit that may be combined with other parts to form a larger entity. Components can be either software or hardware. Even a component that is mainly software or hardware can be referred to as a software or hardware component respectively. In order to avoid any confusions, rather than component, the term aspect will be used to categorize each layer within RSF.
  • Overall restructuring of the content. The original structure of the work presented by Shyvakov hinders its comprehension, especially for those more familiar with robots and their components. Therefore, we propose a layer-aspect-criteria structure where each criterion is analyzed in terms of its objective, its rationale or relevance, and the systematics of its assessment, i.e. the method.
  • Formalized firmware layer. We adopt a commonly accepted definition of firmware suitable for the context of robotics: software that is embedded in robots. We apply this definition to the previous 'Firmware and Operating System layer' and generalize it simply as 'Firmware layer'. Besides the operating system, we include robot middleware as a relevant topic of assessment and group them both into Firmware, according to the adopted definition.
  • Adoption of generic "component" and "module" terms. As an alternative to the proposed "internal component" and "external component" terminology, we suggest the generic terms "component", as defined above, and "module". Both are commonly accepted as a component with special characteristics that facilitate system design, integration, inter-operability and re-use. This way, we simplify the message when speaking about components. (The term "internal components" can lead to misunderstandings. For some, internal components are those physically embedded within the robot exoskeleton. According to others, internal components are those that physically define each discrete and identifiable component and, thereby, should not be exposed nor taken into consideration from a security perspective. Ultimately, there is a third school of thought that classifies internal and external components based on a networking point of view, considering as "internal components" only those that are connected to the internal network, with no external interface access.) In light of the above, we elaborate on the following notion: robots are composed of components and modules. Some of them are physically exposed and some others are not. Among the modules and components, some are part of the "internal network", thereby hidden from the outside from a network perspective, whereas others are freely accessible from the outside and thereby part of the external network.
  • Improved internal networking security model. As pointed out above, according to our vision, modern robotics should converge towards the enforcement of identically strict security levels on both internal and external communication interfaces. Therefore, we propose changes to assess internal network security and justify them by presenting existing study cases.
  • Improved model for physical tampering attacks. We include a series of aspects and criteria to detect physical attacks on robots. We highlight the use of logging mechanisms, already present in most robots, in order to monitor suspicious physical changes therein.
  • Added exemplary scenarios. Throughout the framework content we add exemplary scenarios to illustrate how our methodology helps to assess the security of existing robots.
  • We open source our work and provide a variety of user-friendly representations to simplify its adoption. This work is available and freely accessible at http://github.com/aliasrobotics/RSF under GPLv3 license.

The Robot Security Framework

We hereby propose a framework based on four layers that are relevant to robotic systems. We subsequently divide them into aspects considered relevant to be covered. Likewise, we provide relevant criteria applicable to security assessment. For each of these criteria we identify what needs to be assessed (objective), why it matters (rationale) and how to systematize its evaluation (method). The following figure depicts our framework:
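To make the layer-aspect-criteria structure concrete, here is an added example (not code from the RSF repository or the paper) that models an assessment template in Python, checks that every criterion carries the three required fields and that all four layers are present, and reports per-layer assessment coverage. The four layers and the objective/rationale/method fields come from the text above; the aspects, criteria and results in the sample are constructed placeholders.

```python
from dataclasses import dataclass, field

# Added example, not the project's own code. Layers and the three fields come
# from the paper; the sample aspects/criteria below are constructed placeholders.
LAYERS = ("Physical", "Network", "Firmware", "Application")
FIELDS = ("objective", "rationale", "method")
@dataclass
class Criterion:
    name: str
    objective: str  # what needs to be assessed
    rationale: str  # why it matters
    method: str     # how to systematize the evaluation
    result: str = "unassessed"  # "pass", "fail" or "unassessed"
@dataclass
class Aspect:
    name: str
    criteria: list = field(default_factory=list)
def validate(template):
    """List structural defects: unknown or missing layers, empty aspects, blank fields."""
    problems = []
    for layer, aspects in template.items():
        if layer not in LAYERS:
            problems.append(f"unknown layer: {layer}")
        if not aspects:
            problems.append(f"{layer}: no aspects")
        for aspect in aspects:
            if not aspect.criteria:
                problems.append(f"{layer}/{aspect.name}: no criteria")
            for crit in aspect.criteria:
                for fld in FIELDS:
                    if not getattr(crit, fld).strip():
                        problems.append(f"{layer}/{aspect.name}/{crit.name}: missing {fld}")
    problems += [f"missing layer: {lay}" for lay in LAYERS if lay not in template]
    return problems
def coverage(template):
    """Fraction of criteria per layer already assessed (result pass or fail)."""
    out = {}
    for layer, aspects in template.items():
        crits = [c for a in aspects for c in a.criteria]
        done = [c for c in crits if c.result in ("pass", "fail")]
        out[layer] = len(done) / len(crits) if crits else 0.0
    return out
# Constructed sample: two layers, one only partly filled in, to exercise both checks.
SAMPLE = {
    "Physical": [Aspect("Ports", [Criterion("Unused ports", "Unused physical ports are disabled",
        "Exposed ports invite tampering", "Inventory ports; confirm each unused one is disabled", "fail")])],
    "Network": [Aspect("Internal network", [Criterion("Device detection", "New devices are detected",
        "Internal and external interfaces deserve equal security", "", "unassessed")])],
}
```

Running `validate(SAMPLE)` flags the blank method and the two absent layers, and `coverage(SAMPLE)` shows the Physical layer fully assessed and the Network layer not at all.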

A complete list of elements, including several examples, is provided within our paper. A template for security analysts is also available in the RSF GitHub repository. We kindly invite security researchers, robotics researchers and analysts to use, review, challenge and complement our work.


Acknowledgements

This research has been partially funded by the Basque Government, through the Business Development Agency of the Basque Country (SPRI), under the Ekintzaile 2018 program. Special thanks to BIC Araba for the support provided.

Cite our work

@ARTICLE{2018arXiv180604042M,
  author = {{Mayoral Vilches}, V. and {Alzola Kirschgens}, L. and {Bilbao Calvo}, A. and {Hern{\'a}ndez Cordero}, A. and {Izquierdo Pis{\'o}n}, R. and {Mayoral Vilches}, D. and {Mu{\~n}iz Rosas}, A. and {Olalde Mendia}, G. and {Usategi San Juan}, L. and {Zamalloa Ugarte}, I. and {Gil-Uriarte}, E. and {Tews}, E. and {Peter}, A.},
  title = "{Introducing the Robot Security Framework (RSF), a standardized methodology to perform security assessments in robotics}",
  journal = {ArXiv e-prints},
  archivePrefix = "arXiv",
  eprint = {1806.04042},
  primaryClass = "cs.CR",
  keywords = {Computer Science - Cryptography and Security, Computer Science - Robotics},
  year = 2018,
  month = jun,
  adsurl = {http://adsabs.harvard.edu/abs/2018arXiv180604042M},
  adsnote = {Provided by the SAO/NASA Astrophysics Data System}
}