
Unknown: Okay, so up next we have Christina Lawson, "Robots aren't taking over the world. Hackers are." Thank you.

Christina Lawson: So hi everybody, like you said, robots aren't taking over the world, hackers are. I'm Christina Lawson. A little bit about me. I'm a research engineer at EPRI, which I'll kind of talk about next. I have a bachelor's in electrical engineering, so I have a very engineering background, but now I currently focus on cybersecurity, specifically for generation plants. I'm also a lab manager in the lab that I do a lot of the cybersecurity research and that I'll kind of talk about. And I'm also a certified drone pilot. So I pilot some of the drones that we have at the
company, and try to kind of supply that skill need in doing investigations and other things like that. So a little bit about EPRI. So EPRI stands for Electric Power Research Institute. We are a very large institute worldwide. We do power system research on pretty much any topic you could think of. If you think of power systems, we really try to touch the level of inside the power plant all the way to environmental aspects, such as research on how octopuses might get stuck in hydro plants, or how bees are affecting our work, or how power plants are affecting these, stuff like that. We really focus on trying to do research where we can supply back to the public.
We are a nonprofit, so we really try to give back to public benefit, and heavily focus on doing research to make the power industry safer, more reliable, more resilient and very flexible for the future. So our research also really focuses on what are problems today, and how can we make plant problems better today, as well as where do we need to make sure our plants are in 10, 20, 30 years so we're ready for kind of the future states ahead. We engage with a lot of different entities, mainly utilities, a lot of power plants, like I said, a lot of different companies in that area. We also engage with academia, so we partner with a lot of different universities, participate in
senior design and stuff like that, so we can really boost our research and also have different engagement with different organizations that might be looking at topics that are of interest to us. We also look at manufacturers of equipment that go into power plants. We work heavily in trying to understand their side of it, as well as how can we aid them in understanding power plants and what they need in the future, what they need to be looking at, as well as regulators, that's a huge part of how power plants have to be compliant, and where we kind of meet them there. We also listen to a variety of other places as well to kind of inform our research. So going kind of in
the talk with the topic of today, I lied, so robots actually are taking over the world. They're kind of moving a lot into the industry. We're seeing them more and more, especially in industrial processes. We're seeing them more and more in power plants now, in a lot of power grid things, just to do automation in general. There's a large push of automating and making sure that we have information very quickly. They're a lot of times a lot safer. Power plants, if you've ever been in one, or ever seen those, they're very dirty. They're usually, like, out in rural areas, very, like, farmland. And a lot of them have very heavy, big equipment that's very industrialized and is not always safe. Sometimes they're
very hot, over 100 degrees, and sometimes they're very high up off the ground, or they have a lot of stairs. There are falling hazards. There's a lot of different hazards that are there on them. So robots are really a great place to kind of put these in and automate and save some human lives. But hackers are also getting more advanced. We kind of heard today in a lot of different talks how hackers and how people are looking at hacking and aiding their skills. So hackers are using AI, hackers are targeting more critical infrastructure, and we're seeing the attack landscape kind of change as there's more digitalization and integration of technology into these facilities.
So specifically, robots that are used in the industry. We don't really see humanoids yet, but we see a lot of these different types of robots, a lot of ground robotics, like Spot the robot, from Boston Dynamics. We see a lot of indoor drones that kind of have these cages on them, from Flyability, if you've seen them. We also see outdoor drones that can be large or smaller, a lot of different unmanned aerial systems, as well as underwater ROVs that are utilized at our hydro facilities or in our water systems that go to our power plants, and these provide us with a lot of different sensors, a lot of audio, visual, environmental sensors, manipulator arms that give us a lot of
ability to do things at our power plants that humans would normally do, and automate those mundane tasks. They also have a lot of different communications and navigation abilities. So indoors doesn't necessarily mean GPS. Some of them do have GPS, and so they provide a lot of that data and connectivity that we kind of need to think about. They also have a lot of different computing power. A lot of them are starting to integrate more AI into them to be able to identify objects and stuff like that. And so that's kind of a consideration piece when we utilize them. And so the way we utilize them, you see a lot of different use cases where they're very helpful. A lot of
it's inspection, is kind of the main one, as well as kind of that health and safety work. So like normally, I've heard stories of people will send the smallest guy into a confined space, because he's the smallest guy. He can fit there. He can kind of crawl through and see that data. He can take a camera with him. Instead, you could send a robot or something like that, kind of into a confined space. Or if, oh, yeah,
sorry. Is that better? No, I don't think so. Okay, I can try to speak up. Is that better? Okay, my bad. So a lot of these drones are used for inspection as well as work and health, for safety. We've seen a lot of that, so we kind of, like I was saying, with a lot of power plants, they'd send, like, the small guy, where they would send, like, they would send somebody that they thought was, like, at a lower tier in the job, they'll be like, "Hey, I know this piece of equipment is like 100 degrees or like 200 degrees, but do you mind, like, scooting past it to get this piece of data that we kind of need for inspection?" Or they
send guys around the plant to just do, you know, paper rounds, or input data from gauges that are on plant pieces, because they need to monitor that type of data that's around, but they don't have that type of connectivity necessarily. So robots are something that can kind of be utilized in the space to do more of those inspections and to take away a lot of that manpower, or give them the ability to do them faster. Something that a human would do in like an hour, maybe even three hours, a robot could do in 20 minutes and get that data back a lot easier. So what we're really concerned about, and these are some kind of examples, not in power plants necessarily,
but what we're concerned about is kind of these use cases. So Ecovacs mowers and vacuum hacking. Has anybody heard about these? Or the Penn State hacks? I see one. Okay, so the Ecovacs mowers, researchers found that they could kind of just connect to them pretty easily through Bluetooth, and really with no barriers. And that's kind of scary, where you can just download an app, see something, be like, "I'm going to connect to this." And all of these can be used to spy and kind of manipulate data within the mower. So you can make a mower change direction. You could be spying on people's pets, kind of as an example. But in industrial space, you could be spying on
sensitive data. Penn State recently did research where they hacked into robots that used LLMs and were able to prompt them and basically bypass those safety guards that most LLMs have, where you say, "Hey, I want you to do something dangerous, like take a bomb over here," or "I want you to impale a human with something." They were able to bypass those and say, "Do it." And the robot would be like, "Absolutely. Why wouldn't I do that? That's great." And so really, this leads us to a lot of different consequences that we're kind of worried about, specifically for power plants, because they have so much sensitive data. We've seen a lot of attacks on them in the past.
If you've heard of... Has anybody heard of Stuxnet? Yeah, couple of people. So, like, stuff like Stuxnet, getting that kind of data out of, like, what kind of plant equipment you have, what kind of other equipment may be available, and knowing what types so people can write attacks to get down to that level and cause damage. We're also worried about it just causing impact. We don't want to see major power outages or anything like that around and also causing worker safety. It's a big one. While robots may save safety, having a hack could really impact safety on the workers as well as other people, or cause equipment damage as well as, like I said, spy on
operations and cause data loss. So kind of how we look at different methods for robotic systems, and how we kind of look at securing them, is understanding the robotic system, identifying use case, where they are, so we can kind of identify what's important about that system, to be able to right-size your cybersecurity program and controls, to build a defense-in-depth strategy, and then be able to continuously monitor that process, as well as operations, to be able to iterate on this kind of cycle. So kind of understanding your system. There's a lot in robotics. A lot of them have a lot of components as cyber-physical systems. So they have their ROS, ROS 2. They have an Android OS that may be on a
tablet that's connected or a cell phone. They have single-board computers in them sometimes, or can be integrated with single-board computers as well. On top of that, a lot of these robots have custom payloads. So you also have to think about that you have a custom payload. It might have a computer in it. It might have different chips in it. And something that we've also been seeing is, with some manufacturers, you may not always get the same robot every time; internal components may change, even though the final product operates the same. We also look at open source coding libraries as well as SDKs. A lot of these libraries have libraries on libraries on libraries on libraries that we
really have to think about, those interdependencies. And we also do this and kind of identify those attack pathways and use cases through strategies such as a technical assessment methodology. This is an EPRI-specific use, EPRI-specific tool that basically allows us to go in depth and understand the communication pathways of a specific device and system to be able to identify attack pathways, as well as where things may be unmitigated and need to be mitigated, to be able to put controls in place to right-size cybersecurity for it. So we kind of look at things such as Spot the robot. Where are these wireless communications connecting through the actual controller to the robot? We also
look at things like the API and the different APIs, so there's the Orbit API, as well as a Spot API that kind of go to the robot, telling the robot what to do and managing the processes of the robot, as well as internal mobile device management that might be on the actual tablet itself, to kind of see what controls it already has in place, as well as what attack pathways it has in place. We also kind of look at different wireless connectivity. So is it connected to a network, or is it going to be connected to a network? Is it connected to cloud services, or will it be connected to cloud services? Other methodologies that you can kind
of use, as well as red teaming, you can kind of go through, is red teaming the actual system as well as the network you might be connected to, to make sure that those pathways are kind of secure. Other things that we kind of look at are hardening robotic systems. So really making sure, because they use tablet systems, it's really easy to say change the password. A lot of these robots also have their default passwords, like Spot the robot has it on its belly, so it's open to the public. You can kind of just see it if you have physical access to the robot. So changing those passwords, disabling unnecessary communication points, either through software or hardware,
removing apps from the tablet that might be bloatware that you don't need, and trying to really minimize any communications, as well as enabling logging and making sure you kind of have track of any processes that are going through that you can. One thing that you can use for Spot as well is you may be able to use the API to kind of understand what Spot the robot is doing, as well as what kind of hardware it kind of has, to see if any hardware has been integrated lately, any different payloads and stuff like that.
Other things we'll look at: encrypting communications where you can is super important for these systems, making sure that data is secure, so just in case it does get hacked, you know, it's secure, as well as having out of band. A lot of these, a lot of the power plant systems are, because they're very sensitive. Having those devices out of band and having that data not go through a sensitive network, but instead go to a network that you know is just going to touch, like, your corporate, is a safer way that we usually utilize.
Detection is also a very big one, and threat hunting. So being able to understand your system to properly, properly monitor vulnerabilities, as well as properly monitor authentication methods where you can, so who's logging in? How long are they logged in? Where are they, doing stuff like that, as well as monitoring what endpoints are connected places. So where is your tablet connected? And just seeing different information flows. Also other methods, kind of on top of that, are response and recovery plans. So having playbooks in place after you've kind of done all this backward to say I know if and when I get attacked, I have something to back up, to say I know I have a safety shutdown on my Spot robot
or something like that, to say it won't impact anybody, and
kind of finally, some potential future research that we kind of look at is we've noticed, or I've noticed that, like, there's not a whole lot of detection out there, specifically for robots. There's some mobile management. A lot of the vendors that go into these robots don't really communicate around their actual cybersecurity solutions, and so there's not a lot of standardization. There's not a lot of baked-in cybersecurity, actually, into these products. Boston Dynamics is like a golden child, and they really think about cybersecurity. But not a lot of other vendors that I've seen have really thought about cybersecurity in the robot and really making them secure. It's really on the end user. And so that's really something that I
think is a gap that kind of needs to go through the robotic industry of standardizing as well as baking in more security.
And with that, I really appreciate your time, and thank you for listening. Applause.