We underestimated IoT security. Let’s not make that mistake with robotics.


New commercial robots are changing what’s possible in the physical world. They are tackling increasingly complex tasks beyond early uses such as manufacturing assembly lines and material handling in warehouses.

For example, ABB’s PixelPaint uses a pair of high-precision robotic arms to make car painting faster and more customizable. Adidas’s STRUNG is a textile-industry-first robot that uses athlete data to make perfectly fitting shoes. And this year, the world has watched in fascination as NASA’s one-ton rover Perseverance and tiny helicopter Ingenuity explored Mars.

Artificial intelligence and other advances will accelerate robots’ ability to sense and adapt to their environment. Robotics companies are eagerly developing new machines with ever more impressive functionality. Many are built on the Robot Operating System (ROS), which is the de facto open-source framework for robot application development. (My company chairs the initiative’s security group.)

So the robot future is coming. But robot developers must not lose sight of a critical priority: security.

Robots are far more capable if connected to the internet. That allows them to work with other robots and access enterprise IT systems and the cloud so they can process and learn from huge amounts of remotely stored data. Connectivity also provides agility for quick bug patching or system reconfiguration.

But even if placed behind a firewall, inadequately secured robots may not be safe. We’ve already seen malware that breaches isolated networks — for instance, the Stuxnet malware attack. But that occurred more than 10 years ago. Today’s malware is far more effective. If the malware has a hold on a network and a robot is the unpatched, unsecured link in the chain, the robot will open the door to attackers.

The bottom line: We need to acknowledge that robots are vulnerable to cyberattacks. Imagine the damage that could be done if a hacker was able to maliciously hijack and control robots being used in, say, a healthcare setting.

I worry that many companies, in their focus on development, are paying too little attention to crucial security questions as they approach production.

With competition in the market heating up — worldwide spending on robotics is forecast to reach $210 billion by 2025, more than double the 2020 total — companies will be increasingly tempted to ship quickly without rigorously hardening the machines against attack. That could expose them to vulnerabilities such as hard-coded credentials, unencrypted development keys, no update path, and various other security weaknesses.

Another issue is complexity. Enabling security techniques such as full disk encryption, cgroups, AppArmor, and seccomp is challenging. Someone has to configure those and set up the security policy. Robots are already complex enough. They’re built by mechanics and electronics engineers, and these arcane security technologies aren’t in their wheelhouse.

The tech industry was also late in focusing on Internet of Things (IoT) security. Too many devices were shipped with weak password protection, an ineffective patch and update system, and other flaws. Intrusions into smart devices and networks still continue.

The security fates of IoT and robotics are actually intertwined as the Internet of Robotic Things (IoRT) emerges as a paradigm for combining intelligent sensors that monitor events happening around them with robots so they can receive more information to do their work.

We can’t allow history to repeat itself. Just as the industry has come to realize that the IoT is an attack surface that must be safeguarded as carefully as any other enterprise system, we must ensure security is a high priority in robotics deployment. But how exactly?

A big step involves the Robot Operating System. ROS to this point hasn’t been built with security in mind, but there’s a big opportunity to change that.

Because ROS isn’t merely software but an international community of engineers, developers, and academics dedicated to making robots better, the robotics field can tap into an enormous pool of talent to optimize security.

The community can identify vulnerabilities and report them, contribute hardening measures, follow and propose secure design principles, and apply recommendations from cybersecurity frameworks. Open source robotics will become as secure as the community wants it to be.

Regulations could be helpful too. Innovation-driven regulation, based on the collective views and needs of developers and users, could help accelerate the development of open source robotics security. For example, a law on the books in the U.S., the IoT Cybersecurity Improvement Act, and a similar initiative in the U.K. should be expanded to address robotics security.

The use of robots in many industries will continue to grow in the coming years. It’s unacceptable not to make security a top priority. Let’s learn from the mistakes of IoT and get it done.

Gabriel Aguiar Noury is robotics and smart displays product manager at Canonical, the publisher of Ubuntu.