Digital Dangers in RPA and the need to fortify cybersecurity
Robotic Process Automation (RPA) is one of the most talked-about emerging technologies in our digital-first culture, and its popularity is steadily rising. RPA and cyber security risk management principles are complementary: applying RPA to cyber operations improves their efficiency and effectiveness, and applying cyber security controls to RPA makes digital operations secure. In many organisations, a typical RPA enablement team consists of process consultants, developers and a lean IT infrastructure team. However strong the security practices are, it is difficult to understand and capture every cyber risk and every control needed, and for that you need a cyber or risk management expert to ensure the security of the Robotic Process Automation. Teams habitually fail to include “defence in depth” controls in the automated process itself, even when infrastructure security best practices are followed during deployment.
Why do you need a Cyber Security Expert?
Let’s go into more detail with an example: consider automating the Accounts Payable (AP) process of an organisation, XYZ. A typical AP process at XYZ starts with a vendor uploading an invoice to the vendor portal. The procurement department verifies the invoice against the master agreement and forwards it from a generic internal mailbox to the AP department for three-way matching, and the AP team books it in the system to process the payment. XYZ decides to automate the process using RPA; in this endeavour the current and future state are defined by process consultants, a bot is configured by the developers, and it is deployed in the live environment. The RPA-enabled process takes off: a bot now checks the vendor portal for new invoices, matches them against the master agreement and forwards them from the generic procurement mailbox to the AP mailbox. A bot regularly checks the AP mailbox and, upon receiving a mail from that specific user/ID (note this control), processes the request by performing the three-way match and releasing the payment. So the process steps are well captured, and the bots execute the same steps as humans but with a much faster turnaround. Seems like a happy ending, right? But the story does not end here; let’s explore further.
Now consider another scenario. XYZ’s AP inbox receives an email that appears to originate from the procurement generic mailbox but is in fact spoofed. No such invoice was uploaded to the vendor portal, and nothing was verified against the vendor master agreement. The email arrived directly from an external source with a spoofed procurement ID, and the email security gateway failed to block it. The gateway did, however, add a warning banner to the email: “CAUTION: This email originated from outside this organization. Do not click on links or process the request or open attachment unless you recognize the sender and know the content is safe”. Unfortunately, this scenario was not considered when the process steps were defined, because it occurs rarely, or perhaps for the first time at XYZ. The robotised process design clearly lacks the foresight and eye for detail that a cyber security expert provides; had an expert handled it, he would have been more cautious. The bot follows what XYZ’s developers instructed it to do and proceeds with the process steps, payment included. One could still argue that the process could be improved, for instance by implementing maker-checker controls before payment.
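The gap in this scenario is that the bot’s only acceptance check is “the mail comes from the procurement ID”, which a spoofed header satisfies. The following is an added example (not code from the article or from any RPA product) of what a defence-in-depth gate in front of the three-way-matching step could look like: it honours the gateway’s CAUTION banner, refuses to act on an invoice that was never uploaded to the vendor portal, and treats a Return-Path that disagrees with the internal From address as a red flag. The mail domain `xyz.example`, the `INV-nnnnn` invoice-id format, the portal record and both sample messages are constructed for the example.

```python
"""Inbound-mail gate for the AP bot: added example, not the article's own code.

A request is handed to the three-way-matching step only when every check
passes. The mail domain 'xyz.example', the invoice-id format 'INV-nnnnn' and
the two sample messages are all constructed for this example.
"""
import email
import email.utils
import re
from email import policy

INTERNAL_DOMAIN = "xyz.example"                       # assumption: XYZ's mail domain
BANNER_RE = re.compile(r"CAUTION:\s*This email originated from outside", re.I)
INVOICE_RE = re.compile(r"\bINV-\d{5}\b")             # assumption: invoice id format

# Constructed stand-in for the vendor-portal upload log (invoice id -> vendor).
PORTAL_INVOICES = {"INV-10021": "Acme Supplies"}


def domain_of(header_value):
    """Domain part of the first address in a From:/Return-Path: header, lower-cased."""
    _, addr = email.utils.parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def gate(raw_mail, portal=PORTAL_INVOICES):
    """Return (ok, reasons). The bot may proceed only when ok is True."""
    msg = email.message_from_string(raw_mail, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    reasons = []

    # 1. The gateway's banner is a machine-checkable signal; a bot can honour
    #    it just as a careful human would.
    if BANNER_RE.search(body):
        reasons.append("external-origin banner present")

    # 2. Tie the request to an upstream record the sender cannot forge:
    #    the invoice must already exist on the vendor portal.
    ids = INVOICE_RE.findall(body)
    if not ids:
        reasons.append("no invoice id in body")
    reasons += [f"{inv} not on vendor portal" for inv in ids if inv not in portal]

    # 3. Sender checks. From: is trivially spoofable, so this is a floor, not
    #    proof; a Return-Path: that disagrees with From: is a strong red flag.
    if domain_of(msg["From"]) != INTERNAL_DOMAIN:
        reasons.append("From: is not an internal address")
    rp = msg.get("Return-Path")
    if rp is not None and domain_of(rp) != INTERNAL_DOMAIN:
        reasons.append("Return-Path: points outside the organisation")

    return (not reasons), reasons


# Constructed samples: a legitimate forward and the spoofed mail from the article.
LEGIT_MAIL = """\
From: Procurement <procurement@xyz.example>
Return-Path: <procurement@xyz.example>
To: ap@xyz.example
Subject: Invoice INV-10021 verified
Content-Type: text/plain; charset=utf-8

Invoice INV-10021 from Acme Supplies matches master agreement MA-7. Please process.
"""

SPOOFED_MAIL = """\
From: Procurement <procurement@xyz.example>
Return-Path: <bounce@mailer.attacker.example>
To: ap@xyz.example
Subject: Urgent: invoice INV-99999 approved
Content-Type: text/plain; charset=utf-8

CAUTION: This email originated from outside this organization. Do not click on
links or process the request or open attachment unless you recognize the sender
and know the content is safe.

Invoice INV-99999 is approved, please release payment today.
"""

if __name__ == "__main__":
    for label, mail in (("legit", LEGIT_MAIL), ("spoofed", SPOOFED_MAIL)):
        ok, why = gate(mail)
        print(label, "-> process" if ok else "-> hold for review:", why)
```

The point of the second check is that it anchors the decision to a record the attacker cannot write (the portal upload log) rather than to anything in the mail itself; a maker-checker step before payment, as the text suggests, would then only be reached by requests that passed all three checks.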
Potential security perils in RPA
Another typical security design gap is using a custom DLL (Dynamic-link library) to execute certain repeatable tasks but placing it in an insecure folder or a shared area. A hacker or adversary who identifies such a design gap (especially in a desktop environment) can easily carry out a DLL injection: modify or replace the DLL with a malicious one, instruct the bot to use the sensitive information it holds to perform harmful actions, and even turn the bot into a destructor. Granted, there are security measures such as file integrity checkers, anti-malware, anti-virus, sandboxing and others to mitigate such risks, but we have witnessed RPA environments running without any of them. Surprisingly, these organisations expect the bots to take care of their own security.
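The file integrity checker mentioned above is the cheapest of those controls to build into the bot itself. The following is an added example (not code from the article or from any RPA product) of the check a bot can run before loading a helper library: the file name must be on an allowlist, the folder it lives in must not be writable by group or other (the POSIX form of the “insecure folder” problem; on Windows the same question is answered by an ACL review), and the file’s SHA-256 must match the hash pinned at build time. The library name `invoice_helper.dll`, its placeholder contents and the allowlist are constructed.

```python
"""Allowlist-and-hash check for a bot's helper library: added example, not the
article's or any RPA vendor's code. The library name, its contents and the
allowlist are constructed; a real robot would keep the pinned hashes in
signed or access-controlled configuration, not next to the library itself.
"""
import hashlib
import os
import stat
import tempfile


def sha256_of(path):
    """Stream the file through SHA-256 so large libraries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def directory_is_writable_by_others(path):
    """POSIX mode-bit check of the library's folder.

    On Windows the equivalent is an ACL review (e.g. with icacls); this helper
    only reports on POSIX so it does not give a false result elsewhere.
    """
    if os.name != "posix":
        return False
    mode = os.stat(os.path.dirname(os.path.abspath(path))).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def verify_library(path, allowlist):
    """Return (ok, reason). Load the library only when ok is True.

    Order matters: an unknown name is rejected before the file is even read,
    and a folder anyone can write into is rejected even if the hash matches,
    because the file could be swapped between the check and the load.
    """
    name = os.path.basename(path)
    expected = allowlist.get(name)
    if expected is None:
        return False, f"{name} is not on the allowlist"
    if directory_is_writable_by_others(path):
        return False, f"folder of {name} is writable by group/other"
    if sha256_of(path) != expected:
        return False, f"hash mismatch for {name}"
    return True, "ok"


def demo():
    """Pristine, tampered and unknown library in a private temp folder."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        lib = os.path.join(d, "invoice_helper.dll")
        with open(lib, "wb") as f:
            f.write(b"MZ-constructed-placeholder-v1")      # not a real PE image
        allowlist = {"invoice_helper.dll": sha256_of(lib)}  # pinned at build time
        results["pristine"] = verify_library(lib, allowlist)
        with open(lib, "wb") as f:                          # simulated replacement
            f.write(b"MZ-constructed-placeholder-v1-TAMPERED")
        results["tampered"] = verify_library(lib, allowlist)
        results["unknown"] = verify_library(os.path.join(d, "extra.dll"), allowlist)
    return results


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:9} {'LOAD' if ok else 'REFUSE'}: {reason}")
```

The folder check is what makes the hash meaningful: a pinned hash stops a replaced file from being loaded, but only a folder the bot’s user cannot have written to by accident, and that other local users cannot write to at all, removes the design gap the paragraph describes.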
EternalBlue, an exploitation tool leaked by “The Shadow Brokers”, targets some of the most dangerous vulnerabilities recently discovered: it is based on multiple vulnerabilities in the Windows implementation of the SMB protocol. An RPA environment in which the latest operating system, database and network minimum-security baselines (MSB) are not applied will certainly carry a higher risk of privilege escalation and administrator account hijacking, which may result in attackers taking over the bots and using them to exploit such vulnerabilities. These exploits are now commonly available on GitHub and other sources.
Enable secure digital transformation
These are just a few of the long list of potential cyber security risks we have observed in our RPA gap assessments and audits. Digital enablement is a requirement and a priority for every business that wants to stay relevant in the market and aim for exponential growth. However, organisations should understand and acknowledge that RPA is not immune to risk, and an insecure deployment will defeat the very purpose of digital transformation and negatively impact the business. Done right, you can reap the benefits of a successful and secure RPA implementation. The digital workforce is here; take advantage of it, securely.
Want to gain further insights into the security risks involved in RPA implementations? Talk to our cybersecurity experts!