Security
Panayiotis Karachristou,
Prof. John A. Clark
Threat modelling is the process of finding security threats for a given system, achieved with the use of abstractions. We use threat modeling to find possible vulnerabilities in a Cobot (collaborative robot) scenario and more specifically the teconnex cell, a high level diagram of this can be seen in the figure below.
Figure 1: High level diagram
We introduce a novel Cobot life cycle as depicted in figure 2, to help us with this process, which consists of 6 steps:
- Define the security requirements, or in other words what are you trying to achieve? What is your aim?
- Creating a diagram of the cobot system, in this example a high level diagram was used, but in reality any kind of diagram can be used, the right one is the one more helpful in better understanding how the system works.
- Identify: actors, adversaries, assets and entry points. This step is needed for the same reason step 2 is needed, which is to help better understand how the system works.
- Identify threats. Identify all threats in the system using the STRIDE mnemonic.
- Mitigate threats. Find mitigations to the threats previously identified.
- Validate that all the threats have been mitigated.
Figure 2: Cobot Threat Modelling Lifecycle
We use the STRIDE mnemonic in order to categorise any possible threats to this system. The STRIDE categories stand for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege. STRIDE was first introduced as a threat modelling approach by Loren Kohnfekder and Praerit Garg in 1999 [1].
Some examples of the Vulnerabilities identified listed by STRIDE category are:
Spoofing:
Identity Spoofing. An attacker spoofs his identity and poses as a user or administrator of the system, this could be achieved either by accessing the information needed illegally e.g social engineering, Keylogger attack.
Tampering:
Tampering with robot state. The adversary alters the true robot status causing the true operator to lose control or get injured.
Repudiation:
Deletion of logs/data. An attacker manages to delete data or log files from the system.
Information disclosure:
Sniffing the data. A way this attack could be achieved is by adding a malicious module on the main computer or even adding a sniffing device in the building that has the cobot.
Denial Of Service:
An assailant overwhelms the robot disk with data. This could be achieved in a number of ways, a common scenario would be the attacker can send commands that require high computational power overwhelming the robot with data in the short term memory and causing it to stop functioning properly.
Elevation of Privilege:
Running programs with elevated privileges, for example in Universal Robots, URCaps (zip files containing java powered apps) are executed with unbounded privileges.
Mitigation techniques are policies or measures that need to be taken in order to prevent any breach of security, here are two examples that we have proposed:
Continuous Authentication. The continuous authentication of active physical users should be carried out to the operators of the cobot. This could be achieved by using NFC Tags or smart wearable devices to the users.
Ports should be accessible only by authorized users. This includes any ports, either external or internal. This could be ensured by the use of continuous authentication, if the user is authenticated and only then then the port should pass any data or power through it.
Moreover we have proposed some Security Policies for Co-bots. Security policies are the security measures and security configurations which users are required to follow in order to ensure the confidentiality, integrity and availability in an organisation, in this case the Teconnex cell. Some Cobot specific examples of these are:
Each cobot operator should be continuously authenticated while around the cobot system. In order to achieve this the user/system must:
- Log in to the system with his credentials at the beginning of the session on the Teach pendant. All login information should be strictly confidential and unique to each person.
- At all times wear the smart bracelet given to him.
- The user should manually log out the cobot system whenever leaving the cobot system untenanted.
We are now working on the attack system and IDS (intrusion detection system) deliverable. Our basic plan is to use the digital twin to gather data for the IDS. We should be able to use the digital twin to create an IDS model for the digital twin as well as create another IDS model for the physical robot. Currently we are focusing on the former, creating an IDS model with digital twin data. We have already collected some initial data from the digital twin this data is normal data (non attack) and it includes information such as: robot velocity (speed), joint positions, timestamps We are now developing the data pipeline (preprocessing of data) and intrusion detection system while looking for possible ways to get attack data (e.g. attacking the twin or simulating an attack). Moreover we are looking into possible ways and the possibilities to create additional data streams to obtain environmental data (e.g. power consumption robot temperature) which need further development of models on the digital twin.
References.
- L. Kohnfelder and P. Garg, 鈥淭he threats to our products,鈥 Microsoft Interface, Microsoft Corporation, vol. 33, 1999.