List

Issues and benefits when using Robotic Process Automation (RPA), as well as methods for improving RPA security are elaborated in this blog.

Robotic Process Automation

Robotic Process Automation (RPA) enables the automation for an overwhelming range of repetitive processes. Namely, for all those processes that are unfrequent for traditional process automation, and to diverse to be performed by a machine [1]. Because of this, RPA is able to reduce costs heavily. For example, Telefonica O2 achieved a ROI between 650 and 800 % when implementing RPA technologies [2].

To automate processes (activities, transactions, tasks), the RPA technologies make use of predefined business rules and procedures. Hereby, the RPA tries to imitate the user’s actions [3]. For example, filling out a form with data, assigning a customer to an invoice based on transaction data, etc. Based on the difficulty of the underlying process along with the complexity of the RPA, three different types of RPA are distinguished, whereby each type builds upon the foregone type:

  • Desktop automation forms the lowest level of RPA. The techniques belonging to this category make use of screen or web scraping. For example, when using markups for information retrieval.
  • RPA with a graphical user interface (GUI) forms the intermediate level of RPA. Compared to the category mentioned above, techniques belonging to this category are able to interact. For example, if some information has to be entered for further processing.
  • Context-based RPA (also referred as Smart RPA) is the highest level of RPA. Those techniques are able to automate decision-making tasks. Those techniques make use of knowledge (knowledge-based systems) and form the transition to Artificial Intelligence (AI) techniques.

The above-studied three types of RPA further underline the broad application area of RPA. However, an important topic to consider is cyber security. Does applying RPA decrease or increase cyber security. In a student project performed at Aalen University, a group of students and I have deepened this question.

Cyber Security

IT security takes care of protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction [5]. In addition to IT security, cyber security includes not only all information technology connected to the Internet and comparable networks but also communication, applications, processes, and processed information based on this technology [6]. Potential or imminent attacks in the context of cyber security are categorized into four types [7,8]:

  • Interception attacks influence the confidentiality of the information and are hard to detect as data is accessed unauthorized. The attacker physically or logically stands between two communication partners and has complete control over the data traffic. The Man-in-the-Middle can read confidential information, such as login data [4].
  • Interruption attacks influence data availability or usability – temporary or permanent. Having this form of attack, named Distributed Denial of Service, attackers target selected destination IT systems and try to shut them down with a large load of special requests by exhausting the available resources like e.g. bandwidth, memory, or processing capacity [4].
  • Modification attacks alter data and therefore attack the integrity of data systems. Using this technique, named Ransomware, hackers deploy technologies that enable them to literally kidnap an individual or organization’s database and hold all of the information for ransom [9].
  • Fabrication generates new information that communicates with the system. The foundation of such an attack (also named: Social Engineering) is to persuade the loss of information that is confidential then exploit an individual or an organization. In essence, an attacker engages social engineering as a tactic to use human insiders and information to circumvent computer security solutions through deceit. A frequently used type of social engineering is the so-called pretexting. The goal here is to steal personal information (log-ins, etc.) from a target. The strategy is to use fear and urgency while building a sense of trust with a victim to confirm or obtain sought information [10].

RPV vs. Cyber Security

In the context of cyber security there are two perspectives regarding the application of RPA: Either RPA usage is seen as security enhancement due to the elimination of human-centered security vulnerabilities like social engineering and phishing [11] or as additional systems posing further vulnerabilities for potential attackers [12, 13].

RPA Security Issues

The problems that arise in terms of cyber security through the application of RPA are listed subsequently:

  • Insufficient process monitoring as RPA removes human supervision. To overcome this, processes have to be monitored adequately to prevent fabrication attacks.
  • Credential leakage as RPA systems have access to sensitive information in order to perform business processes. The credentials provided to the RPA system in order to access these information can get hacked by attackers or can be exposed by the system itself through software malfunction [14].
  • Disclosure of sensitive data as RPA systems become more intelligent. Smart RPA techniques have to make decisions and often communicate with users. For these use-cases where RPA systems have are embedded into end-user communi- cation and therefore face both interception and mod- ification threats, strict security measures have to be implemented to asure that these context-based smart RPAs do not expose sensitive data.

RPA Security Benefits

The above listed security issues do not differentiate noteworthy from the problems that are already present with the regular workforce [12]. In consequence, RPA systems do not imply notable further security risks than a regular employee [11], yet there are some security problems that even get solved when applying RPA:

  • Resilience against human-centered attacks as human-centered attacks like social engineering is a major security vulnerability for businesses, RPA systems attribute vastly to improved cyber security as they remove the human risk factor completely. RPA systems do not expose information to unauthorized attackers if they are not programmed to do so, nor do they follow suspicious links or try to log in on phishing websites.
  • Application for cyber security operations. RPA can be used to automate formerly manual tasks like data collection, data analytics, or reporting and therefore free up the IT security staff to focus on more important tasks [26]. These monitoring and alerting tasks minimize the opportunities for unrecognized intrusions and contribute therefore to an overall better cyber security situation.

Altogether RPA systems contribute a lot more towards a better cyber security situation, than their application implies new risks [11]. Hence, in order to securely use RPA systems they have to be integrated into a security architecture with multiple layers of protection [12]. In the follow- ing Section 4 we introduce detailed methods to securely operate RPA systems.

Methods to improve RPA Security

To improve the security of RPA systems several experts recommend five main approaches [12, 13]:

  1. Improve governance. Implement a framework and strategy for risk evaluation and management. This includes technical frameworks to monitor RPA systems, like “SOAR” and “SIEM” [15], as well as reducing possible insider threats by hiring and monitoring of developers work. Another part is raising awareness of users and developers for the risks of RPA-use. A strategy to improve RPA security is to implement a workflow where random samples are evaluated by a human. Furthermore a recurring validation of RPA training or even retraining also contributes to a more secure application of RPA.
  2. Control access and identity of data streams. Not only the access of the RPA system has to be limited to the lowest possible but also the data created with the credentials of the RPA system should not be trusted entirely and has to be verified [16, 17].
  3. Early focus on security. Ensure that security is in scope during development to ensure that vulnerabilities do not have to be fixed by additional software or fixes after deployment. A key part of developing a secure agent is to understand the workflow and introduce relevant security measures like data encryption and data validation [18].
  4. Keep track of systems. Evaluate the current state of potential risks and securities as well as ongoing development of patches for the RPA-ecosystems on a regular basis [15]. This is crucial as threats, system environments, and requirements change during time.
  5. Introduce response management. Implement rou- tines and plans how to react to possible or real breaches. Therefore at least the damage due to security breaches can be minimized. Appropriate responses can thereby range to a full shutdown and “going back to manual” as well as stepping back to complete supervised work by humans [16].

Conclusions

If adequate security measures are implemented, the application of RPA systems contributes much more to the cyber security situation of a business as it imposes new risks. To facilitate the implementation of secure RPA systems, five key approaches have been presented, which have to be considered when using RPA systems.

References

[1] W. M. P. van der Aalst, M. Bichler, A. Heinzl, Robotic pro- cess automation, Business & Information Systems Engineering 60 (4) (2018) 269–272. doi:10.1007/s12599-018-0542-4.
URL https://doi.org/10.1007/s12599-018-0542-4

[2] F. Kosi, Robotic process automation (rpa) and security, Mas- ter’s thesis, Mercy College (2019).

[3] Ieee guide for terms and concepts in intelligent process automation, IEEE Std 2755-2017 (2017) 1–16doi:10.1109/ IEEESTD.2017.8070671.

[4] N. Pohlmann, Cyber-Sicherheit – Das Lehrbuch für Konzepte, Prinzipien, Mechanismen, Architekturen und Eigenschaften von Cyber-Sicherheitssystemen in der Digitalisierung, 1st Edition, Springer-Verlag, Berlin Heidelberg New York, 2019.

[5] J. Andress, The Basics of Information Security – Understand- ing the Fundamentals of InfoSec in Theory and Practice, 2nd Edition, Syngress, Burlington, MA, 2014.

[6] B. für Sicherheit in der Informationstechnologie, Cyber- sicherheit(accessed on 02/06/2020). URL https://www.bsi.bund.de/DE/Themen/Cyber-Sicherheit/ cyber- sicherheit_node.html

[7] C.P.Pfleeger,C.T.Reviews,SecurityinComputing-,Prentice Hall, London, 2007.

[8] UKEssays, Interruption interception modification and fabrica- tion attacks computer science essay.(accessed on 02/02/2020). URL https://www.ukessays.com/essays/computer- science/interruption- interception- modification- and- fabrication- attacks- computer- science- essay.php

[9] M. Moore, Top cybersecurity threats in 2020, (accessed on 01/21/2020). URL https://onlinedegrees.sandiego.edu/top- cyber-security- threats/N. Y.

[10]Conteh, P. J. Schmick, Cybersecurity:risks, vulnerabili- ties and countermeasures to prevent social engineering attacks, International Journal of Advanced Computer Research 6 (23) (2016) 31–38. doi:10.19101/IJACR.2016.623006. URL http://accentsjournals.org/PaperDirectory/Journal/ IJACR/2016/3/1.pdf

[11]  G. Roy, How to use rpa to increase security while reducing risk to banking fraud, (accessed on 02/07/2020) (2019). URL https://www.automationanywhere.com/blog/product- insights/how- to- increase- security- while- reducing- risk- to- fraud- in- banking- with- rpa 

[12] Deloitte, It security for the digital laborer: “how do we manage the bot and maintain it security?”, (accessed on 02/02/2020) (2018).
URL https://www2.deloitte.com/content/dam/Deloitte/us/ Documents/public- sector/us- fed- it- security- for- the- digital- laborer.pdf

[13] E. Young, How do you protect the robots from cyber at- tack?(accessed on 02/06/2020). URL https://www.ey.com/Publication/vwLUAssets/ey- how- do- you- protect- robots- from- cyber- attack/$FILE/ey- how- do- you- protect- robots- from- cyber- attack.pdf

[14] IBM, Security bulletin: Passwords are unencrypted locally in ibm robotic process automation with automation anywhere (cve-2018-1877), (accessed on 02/02/2020) (2018). URL https://www.ibm.com/support/pages/security- bulletin- passwords- are- unencrypted- locally- ibm- robotic- process- automation- automation- anywhere- cve- 2018- 1877

[15] Four ways to integrate cyber security automation within your enterprise, https://www.thesslstore.com/blog/4- ways- to- integrate- cyber- security- automation- within- your- enterprise/, (accessed on 02/07/2020).

[16] us-fed-it-security-for-the-digital-laborer.pdf, https: //www2.deloitte.com/content/dam/Deloitte/us/Documents/ public- sector/us- fed- it- security- for- the- digital- laborer.pdf, (accessed on 02/07/2020) (2017).

[17] Robotic process automation – das unterschätzte sicherheitsrisiko, https://www.industry- of- things.de/ robotic- process- automation- das- unterschaetzte- sicherheitsrisiko- a- 832803/, (accessed on 02/07/2020) (05 2018).

[18] K. O’Flaherty, Managing security risks in rpa, https:// www.information- age.com/security- risks- rpa- 123479490/, (accessed on 02/07/2020) (02 2019).