To Make a Robot Secure: An experimental analysis of cyber security threats against teleoperated surgical robotics

Remotely operated robots have an increasing number of applications, among these providing surgical care in remote locations and extreme conditions. Access to these medical services can bring enormous benefit, but must also be considered as being vulnerable to disruption. Robots that rely on public converged networks can be targeted in cyber attacks that could pose a risk of numerous harm to: a patient`s health and privacy; the legal responsibility of the surgeon; equipment; and even public confidence in telemedicine.

Bonaci et al. used the Raven II surgery robot to evaluate the impact of possible cyber attacks on telemedicine. They put student ‘surgeons’ at the robot control console to conduct a simple exercise that is used to train and test surgeons. The attack observed and modified the communication between the control console and the robot.

Three types of attacks are particularly relevant to teleoperated robots:

• Intention modification – The attacker changes the message sent from operator to the robot, with noticeable results (e.g. unexpected or unusual movements or delays);
• Intention manipulation – The attacker changes the feedback message sent from the robot back to the operator, with less obvious indicators; and
• Hijacking – The attacker overrides operator instructions and the robot engages some other action.

Under experimental conditions, all types of attacks made it harder to get the job done. Robot movements were delayed and less fluid, or more ‘jerky’, and, when under attack, the robots were more likely to perform movements with errors. When the communication was hijacked, the operator lost complete control of the robot. It is reasonable to assume that the same challenges would apply to experienced surgical teams when the system is under a cyber attack.

Existing security solutions could feasibly address some of these challenges:

• Robots could accept instructions only from legitimate command sources
• Data streams could be encrypted and then authenticated through another communication medium (e.g. text, or phone call). Based on initial testing, this encryption requires no noticeable increase in CPU usage, but some increase in memory usage
• The instruction processing rate could be limited to prevent a machine acting on a flood of commands in a short time
• The existing communication standard for surgical teleoperation, the Interoperable Telesurgery Protocol, could be updated with additional security specifications
• Link and network status could be monitored to identify and raise alarms about multiple streams of data or large numbers of out of order packets.

Some challenges are not so easily addressed. Future design decisions for teleoperated robotics must reconcile the intended benefit of any added function with the potential harm from its intended use. Consider, for example, the emergency stop feature of surgical systems. This mechanism is important for safety during normal operating conditions, but it is highly vulnerable to disruption and possibly dangerous if hijacked. These tradeoffs should be evaluated carefully.

Surgery is a powerful application for teleoperated robotics, however the potential harms from cyber attack apply to all remotely operated technology. Existing security mechanisms could prevent attacks on remotely operated systems, but must be carefully studied for the unique circumstances of use. Overall those who manage or teleoperate robotic systems must recognize the potential harm of the tools within their control, and be capable of weighing the costs against the benefits.

Vous pourriez également aimer

Mots-clés