Robot cybersecurity: securing autonomous systems

The highest-probability high-impact risk in most manufacturing environments is ransomware reaching robot control systems through enterprise IT networks — typically via an engineering workstation or SCADA system connected to both the enterprise IT network and the robot control network. Once ransomware encrypts robot control system files or the historian database, the production line stops regardless of whether the robots themselves are compromised. The mitigation is strict network segmentation — air gaps or one-way data diodes between IT and OT networks, with no direct connectivity. The second highest risk is unpatched vulnerabilities in robot vendor software and firmware — industrial robots average 18+ months between vendor patching and customer deployment due to the disruption of patching production systems. Automated vulnerability scanning of robot software inventories and vendor security notification monitoring are the minimum response.

ROS 1 was designed for research use in trusted networks — it has no native authentication, no encryption, and no access control in its core communications layer. It should not be deployed in production environments with any network connectivity without additional security overlays. ROS 2, the successor, integrates DDS (Data Distribution Service) as its communications middleware and supports DDS security through SROS2 — providing identity-based authentication, encryption of topics, and access control policies. ROS 2 with SROS2 configured correctly provides a reasonable security foundation for production robot communications. However, configuring SROS2 correctly is non-trivial and rarely done in practice — most ROS 2 deployments run without security plugins enabled. For enterprise deployments, require SROS2 configuration as part of the deployment standard and include it in security assessments.

The operational constraint on robot patching — that patching requires a maintenance window that production scheduling rarely accommodates — is the root cause of the chronic under-patching of industrial robots. Effective approaches include: staged patching (patch a subset of a fleet, validate, then continue — requiring identical spare capacity); blue-green fleet management (maintain a patched fleet in parallel, cut over traffic/work allocation, validate, then patch the original fleet); scheduled maintenance integration (coordinate patches with planned maintenance windows already in the production schedule); and virtual patching (network-layer mitigation of known vulnerabilities at the firewall/gateway before the vulnerability can be patched at the robot — buys time for planned maintenance windows). Establish a robot software inventory and vulnerability tracking programme to prioritise which vulnerabilities require expedited out-of-cycle patching versus can wait for scheduled windows.

Securing robot AI models against adversarial attacks requires a multi-layer approach. At the model level: adversarial training (including adversarial examples in the training set to improve robustness), input preprocessing to detect and filter adversarially perturbed inputs, and ensemble methods (multiple diverse models that must agree before high-stakes actions are taken). At the deployment level: input validation against physical plausibility constraints (a camera frame with unusually high pixel perturbation compared to the previous frame may indicate an adversarial patch), anomaly detection on model confidence scores (low confidence or anomalous confidence patterns may indicate adversarial input), and human-in-the-loop requirements for high-stakes decisions that ML models flag as uncertain. For perception models specifically, multi-modal sensor fusion makes spoofing attacks harder — simultaneously manipulating camera, LiDAR, and radar in a consistent, physically plausible way is significantly more difficult than spoofing a single sensor.

Collaborative robots operating in shared human-robot workspaces introduce safety-security interactions that pure IT security frameworks miss. Cobots rely on safety-rated monitoring systems (speed and separation monitoring, force limiting) to prevent physical harm to human co-workers — if these safety systems can be disabled or manipulated through a cyber attack, the consequence is direct physical harm risk rather than data breach. Cobot security must therefore include: integrity protection for safety-rated software (using functionally safe OS components and runtime integrity checking), secure configuration management for safety parameters (force limits, speed limits, safety zone definitions), audit logging of safety configuration changes, and separation between production control and safety control functions such that a compromise of the production control system cannot disable safety functions. IEC 62443 security level assessments should be applied at the safety function level, not just the operational level.

Drones and UAVs share most security challenges with ground robots but add a critical additional attack vector: RF communication security. Drone telemetry and control links (typically operating on 900 MHz, 2.4 GHz, or 5.8 GHz) are wireless and therefore inherently exposed to RF attacks — jamming, spoofing, and link hijacking. GPS spoofing is particularly concerning for drones since GPS is often the primary positioning system — a spoofed GPS signal can redirect a drone to an attacker-controlled location. Mitigations specific to drone deployments include: encrypted control links (MAVLink 2.0 with signing, dedicated encrypted RF links), GPS-independent positioning for safety-critical applications (visual odometry, LiDAR-based positioning as GPS backup), return-to-home safety defaults that activate on command link loss, and geofencing with local enforcement (not purely GPS-based). Regulatory compliance (BVLOS, remote ID requirements) adds additional security-adjacent requirements for commercial drone operations.

A comprehensive robot cybersecurity assessment covers: (1) asset inventory — cataloguing all robot systems, software versions, firmware versions, and network connectivity; (2) vulnerability assessment — scanning robot software and OS for known CVEs, assessing vendor security advisory databases; (3) network architecture review — validating segmentation, traffic flows, and authentication between robot systems and other networks; (4) communication security — protocol analysis of robot control communications for encryption and authentication deficiencies; (5) physical security review — tamper protection, port security, secure boot; (6) access control review — authentication requirements for robot management interfaces, principle of least privilege in service accounts; (7) patch management assessment — current patch status and patch management process adequacy; and (8) incident response capability — ability to detect, respond to, and recover from robot system security incidents. Specialist OT/ICS security firms with robot-specific expertise (Claroty, Dragos, Nozomi Networks) provide the most relevant assessment capability for industrial robot environments.

The EU Cyber Resilience Act (CRA), fully applicable from 2027, imposes mandatory cybersecurity requirements on connected product manufacturers including robot manufacturers selling into the EU market. Key requirements include: security by design and by default (product must be designed with cybersecurity properties from inception, shipped with secure default configurations); vulnerability disclosure programme (manufacturers must establish and maintain a coordinated vulnerability disclosure process); security updates obligation (manufacturers must provide security updates throughout the expected product lifetime, which for robots may be 10–15 years); conformity assessment (robots classified as 'important' or 'critical' require third-party security assessment); and CE marking restrictions (CRA compliance required for CE marking and therefore EU market access). For robot manufacturers, the most operationally significant requirements are the long-term security update obligation and the vulnerability disclosure programme — both require new operational capabilities that many manufacturers have not yet established.