In recent years, many companies in different sectors have chosen to base their digital transformation on RPA – Robotic Process Automation, which has facilitated the creation of hundreds of thousands of bots (software robots) in the technology environments of thousands of companies globally. This small army of automation routinely interacts with employees to form a new “digital workforce”.
These automations, known as bots, are usually a modern and agile version of complex, multi-system scripts and can therefore process spreadsheets, download attachments from mailboxes, plan processes or balance accounting reports. People involved in business processes can now (with very light training and many utilities) program powerful bots without relying on the IT department or external providers. This is the so-called low-code approach.
In recent years, the RPA sector has added various AI-related tools to its software suites. With this reinforcement, we can avoid writing complex computer programs and instead use approaches such as Machine Learning, so that the system is trained (e.g., to detect fields in all types of invoices, in any language) and continues to learn over time. On top of this improvement, we can add NLP (Natural Language Processing) functions that give us a first level of understanding of text information (e-mail messages or customer chats) in multiple languages.
All this firepower is a reality in thousands of companies, with financial processes and insurance companies accounting for the majority of digital employees. Industrial, logistics and telecommunications companies have also been using this technology intensively for several years now.
From a cyber security point of view, RPA scenarios can be a new focus of attacks of various kinds. The various manufacturers of these platforms provide bot creators with all possible functionalities in terms of data encryption, authentication, use of external business identity platforms, etc. This enables the creation of process robotics platforms that are truly robust in terms of security.
Types of Attacks Against RPAs
The most likely attacks to be attempted in an RPA deployment will typically involve authentication, especially when the environment is complex (federation, MFA, 2FA, etc.), and attacks on the central consoles (where the system log, authorisations, credential vaults, etc. are stored). We must remember that bots interacting with our business systems will need sets of credentials analogous to those used by human employees.
A second attack vector will be related to source code and the potential weaknesses of the usual ecosystem of in-house developers, service companies, subcontractors, etc. If we do not maximise secure development measures (a DevSecOps-type framework, for example) and apply best practices (such as the use of credential vaults instead of cleartext passwords) or external authentication systems (for accounts with higher privileges), we will unintentionally create a large attack surface for our adversaries.
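One way to enforce the practice described above, keeping bot credentials in a vault rather than in clear, is a pre-deployment check in the DevSecOps pipeline. The following is an added example, not code from the original article: the JSON bot layout, the `vault://` reference scheme and the secret-like key names are assumptions made for illustration and do not represent any RPA vendor's format.

```python
import json
import re

# Assumed convention for this example: secrets are stored as vault references.
VAULT_REF = re.compile(r"^vault://[\w./-]+$")
# Key names expected to hold a secret (assumption, extend per platform).
SECRET_KEY = re.compile(r"password|passwd|secret|token|api[_-]?key", re.I)
# user:password@host embedded in a URL anywhere in the definition.
URL_CREDS = re.compile(r"://[^/\s:@]+:[^/\s@]+@")


def find_cleartext_secrets(node, path="$", in_secret=False):
    """Walk a parsed bot definition; return (json_path, reason) findings."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            # Nested values under a secret-like key are still secrets.
            nested = in_secret or bool(SECRET_KEY.search(key))
            findings += find_cleartext_secrets(value, f"{path}.{key}", nested)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings += find_cleartext_secrets(item, f"{path}[{i}]", in_secret)
    elif isinstance(node, str):
        if in_secret and not VAULT_REF.match(node):
            findings.append((path, "literal secret, expected a vault reference"))
        elif URL_CREDS.search(node):
            findings.append((path, "credentials embedded in URL"))
    return findings


# Constructed sample bot definition (not a real vendor format).
SAMPLE_BOT = json.loads("""
{
  "name": "invoice-download-bot",
  "steps": [
    {"action": "login", "system": "ERP", "username": "svc-rpa-01",
     "password": "vault://finance/erp-bot"},
    {"action": "login", "system": "mailbox", "username": "invoices",
     "password": "Summer2024!"},
    {"action": "http_get",
     "url": "https://bot:hunter2@reports.example.internal/daily"},
    {"action": "call_api", "auth": {"api_key": {"value": "abc123"}}}
  ]
}
""")

if __name__ == "__main__":
    results = find_cleartext_secrets(SAMPLE_BOT)
    for where, why in results:
        print(f"{where}: {why}")
    raise SystemExit(1 if results else 0)  # non-zero exit fails the pipeline
```

On the constructed sample, the ERP login that uses a vault reference passes, while the literal mailbox password, the URL with embedded credentials and the nested API key are reported.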
Training systems and other AI functions should be reviewed following these best practices to avoid allowing vulnerabilities in the final systems we put into production.
The major cyber security frameworks (such as the NIST framework in the United States) can be applied to review the entire collection of controls that we will need to take into consideration when developing our specific RPA solution.
In a company with a mixed workforce (human employees and software robots), the level of constant monitoring and cyber security governance cannot overlook these new “digital employees” and all the technology that keeps them active. They, like us, will be logging into systems, creating and using files with sensitive information and acting directly on our business platforms (ERP, CRM, etc.) possibly on a 24/7 basis. If these platforms are vulnerable and offer a large attack surface, a new generation of cyber security risks will start to appear on every CISO’s agenda.
Therefore, our current approach to cyber security must gradually prepare to include such platforms, processes and activity in its coverage. It will soon be part of our daily reality and we must be prepared for it.