Don’t Be Robotic About Your Robots’ Cybersecurity
AI-powered robotics surged in 2024, expanding nearly 30% over the year. Generative AI provided a critical boost to this industry, as the iterative learning of large language models (LLMs) enabled robots to operate with far greater flexibility than prior versions and led to “large movement models” (LMMs) that are more capable of performing a wide spectrum of complex tasks spanning logistics, healthcare and even home assistance.
The manufacturing industry has been an early adopter and champion of AI applications across the sector, with 75% of large manufacturing companies expecting to use AI-driven robots by next year. Addressing labor shortages with speed and safety is among the shift’s many benefits. Symbiotically, robotics companies benefit from access to the structured, low-risk LMM training ground that manufacturing warehouses present, helping to iterate and improve robotics technology and set the stage for bigger gains in their automation, where the real potential lies.
But if AI-powered robotics companies do not increase their investment in privacy and cybersecurity, they risk the promise of their innovations. Regulatory and industry red tape threatens to stifle innovation and chew through scarce internal resources, while the high-profile intersection of AI and supply chains makes it a darling of enforcement discussions and threat actors alike. This is why all robotics startups must make privacy and cybersecurity a priority from the beginning. Consider this article a starter’s guide to how.
Robots See More Than We Think
AI-powered robots typically “see” through a network of camera sensors positioned throughout their environment. The cameras are deployed to capture specific telemetry and other dimensioning data needed to train and fine-tune the underlying foundation models so that robots can execute highly complex tasks.
Frustratingly, these sensors can also capture unintended “ambient data” from the surrounding environment. Perhaps someone’s name and address on an item that is being shipped. Or maybe a warehouse employee, whose facial image triggers an “auto-stop” safety function after they’ve come too close to the machinery.
This raises a host of questions for developers of these systems.
· How do you manage this inadvertent and sometimes unavoidable passive collection of “ambient data,” especially when it’s personal information?
· If your technology is powering a warehouse in highly regulated geographies like the European Union, does that make you a “data processor” subject to laws like GDPR?
· If so, can you move data across borders to your cloud infrastructure in another country?
Robots Power Critical Supply Chains
Robotics companies must remember that, regardless of the application, their system is part of the global supply chain. During the pandemic, we all learned too well how inconvenient and often dangerous global supply chain bottlenecks can be. The specter of “ransomware” cyberattacks has driven much anxiety that malicious software might paralyze entire networks, grinding everything, including warehouse and other supply chain automation, to a halt.
Sticking with the EU warehouse scenario, we see several more concerns:
· Are your robots helping critical goods reach their destination on time?
· Are you aware of the EU’s new cybersecurity requirements for critical supply chains, the Network & Information Security Directive (dubbed “NIS2”), a law that many are calling GDPR for cyber?
· Are your customers concerned about the same risks? What about your investors or prospective buyers?
When the most fundamental ability of your business is availability, it is critical to actively demonstrate cyber resilience as part of your day-to-day operations.
Start Here to Mitigate Your Risk
Even if your startup has meaningful financial backing, the costs of security and compliance can strain resources. This reality demands efficient and effective risk mitigation.
Starting with your data, consider these baseline actions:
· Identify potential ambient data that could be captured by your system and considered sensitive; limit that pool as much as possible.
· Explain the business case for whether, why and how long ambient data is retained; purge anything you cannot justify keeping.
· Limit ambient data handling to only specific locations; designate who is personally responsible for managing that data in that location.
· Protect your fenced-off ambient data; consider pseudonymization, encryption at rest, limited access based on business needs and tracking who uses that access.
· Prioritize transparency where practical; for example, preemptively tell warehouse employees that safety cameras may capture their facial images, so it’s common knowledge.
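As an added illustration (not code from this article or any vendor), the retention and pseudonymization steps above could be enforced by a periodic sweep over the ambient-data store. The category names, retention periods and record layout here are assumptions, and the sample records are constructed.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Hypothetical retention policy for the ambient-data store: category -> days
# that a documented business case justifies. No entry means no justification.
RETENTION_DAYS = {"face_crop": 1, "shipping_label": 7}
# Categories whose values are replaced by a keyed pseudonym while retained.
PSEUDONYMIZE = {"face_crop", "shipping_label"}


def pseudonym(key: bytes, value: str) -> str:
    """Keyed HMAC-SHA256 (truncated): stable for linkage, useless without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def sweep(records, key, now):
    """Return (kept, purged_ids) after applying retention and pseudonymization."""
    kept, purged = [], []
    for rec in records:
        days = RETENTION_DAYS.get(rec["category"])
        expired = days is None or now - rec["captured"] > timedelta(days=days)
        if expired:
            purged.append(rec["id"])  # unjustified category or past retention
            continue
        out = dict(rec)  # copy so the caller's record is not modified
        if rec["category"] in PSEUDONYMIZE:
            out["value"] = pseudonym(key, rec["value"])
        kept.append(out)
    return kept, purged


# Constructed sample records, not real sensor output.
NOW = datetime(2025, 1, 10, tzinfo=timezone.utc)
SAMPLE = [
    {"id": "a1", "category": "face_crop", "value": "employee-4412", "captured": NOW - timedelta(hours=3)},
    {"id": "a2", "category": "face_crop", "value": "employee-4412", "captured": NOW - timedelta(days=2)},
    {"id": "a3", "category": "shipping_label", "value": "J. Doe, 1 Example St", "captured": NOW - timedelta(days=5)},
    {"id": "a4", "category": "whiteboard_text", "value": "Q3 targets", "captured": NOW - timedelta(minutes=5)},
]
KEY = b"demo-key-keep-the-real-one-in-a-secrets-manager"  # placeholder key

if __name__ == "__main__":
    kept, purged = sweep(SAMPLE, KEY, NOW)
    for rec in kept:
        print(rec["id"], rec["category"], rec["value"])
    print("purged:", purged)
```

The pseudonymization key should be stored apart from the ambient data it protects, with its own access restrictions, so that holding the data alone does not allow re-identification.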
Then consider the broader security of your system, such as:
· Maintaining a safety net of offline backups, especially for operationally critical information like source code or robot images; storing those backups with cloud and operational infrastructure that prioritizes compliance and accessibility.
· Staying current with software and operating system updates, fixing newly discovered vulnerabilities before they can be exploited.
· Assessing the necessary scope of your system functionality; less functionality equals fewer features to protect.
· Restricting access not just to your ambient data, but also to other critical functions within your network, like credential management or audit trails; building layers into your security structure.
· Investing in an endpoint detection and response (EDR) tool; this can help flag, stop and cleanse ransomware from your network.
Foster the Right Culture
Ultimately, success starts and ends with your culture. This maxim holds even truer in the context of data handling and network protection, which should never be overlooked or considered luxuries. The most effective and efficient approaches to privacy and cybersecurity are those that are deliberately baked into your corporate culture and technology from their inception.
This last point bears repeating. Your final product will be more trustworthy and more resilient when these considerations are not bolt-on afterthoughts. Your customers, investors and regulators all expect that any well-conceived technology will have considered and designed privacy, security and, ultimately, resilience into its value proposition. This includes an assumption that you are revisiting your security and data management processes regularly and adjusting to match your evolving technologies and risks.
No one said that it would be easy. But these recommendations should give you a head start. Supply chains everywhere, and the stakeholders they serve, will be glad you took them to heart.
Kate M. Growley (CIPP/US, CIPP/G), a director with Crowell Global Advisors, co-wrote this article.