Cybersecurity Roboticsthe leading robot cybersecurity lab

DevSecOps in robotics

arXiv · 2020

Abstract. Quality in software is often understood as "execution according to design purpose" whereas security means that "software will not put data or computing systems at risk of unauthorized access." There seems to be a connection between these two aspects but, how do we integrate both of them in the robotics development cycle? In this article we introduce DevSecOps in Robotics, a set of best practices designed to help roboticists implant security deep in the heart of their development and operations processes. First, we briefly describe DevOps, introduce the value added with DevSecOps and describe and illustrate how these practices may be implemented in the robotics field. We finalize with a discussion on the relationship between security, quality and safety, open problems and future research questions.

Full text transcribed from the arXiv (ar5iv) HTML of the original paper.

Abstract

Quality in software is often understood as "execution according to design purpose" whereas security means that "software will not put data or computing systems at risk of unauthorized access." There seems to be a connection between these two aspects but, how do we integrate both of them in the robotics development cycle? In this article we introduce DevSecOps in Robotics, a set of best practices designed to help roboticists implant security deep in the heart of their development and operations processes. First, we briefly describe DevOps, introduce the value added with DevSecOps and describe and illustrate how these practices may be implemented in the robotics field. We finalize with a discussion on the relationship between security, quality and safety, open problems and future research questions.

Introduction

Refer to caption
Figure 1: The DevOps cycle and its four phases: a) development, b) deployment, c) production and d) post-production

Where waterfall development once dictated the process of "handing off" from developers to Quality Assurance (QA) to operations, these responsibilities now have blurred borders with most engineers’ skill sets spanning multiple disciplines. Enter DevOps, a set of practices that combine software development (Dev) with Information Technology operations (Ops). They aim to shorten the development life cycle and provide continuous delivery while ensuring the quality of the software (Quality Assurance or QA). Most sources agree that this idea began around 2008, with a discussion between Patrick Debois and Andrew Clay Shafer, concerning the concept of agile infrastructure. According to Roche , no standard definition exists for DevOps. What seems clear is that the design phase has been replaced by a less cyclic and more integrated flow evolution from development to demonstrations.

In Robotics, as in many other areas closely connected to Computer Science, there is a set of adopted common practices, including DevOps. Figure 1 pictures the DevOps cycle most roboticists use and split into 4 phases: Development, Deployment, Production and Post-Production. In the DevOps philosophy, these phases are all connected in a continuous, never-ending, loop. The waterfall is now a river; development and operations flow together but, where is security in such a landscape? As pointed out by the UK’s National Cyber Security Center , having a secure approach to development has never been so critical, when it comes to cyberphysical systems and, of course, robotics. The way roboticists build software and systems is rapidly evolving, becoming more and more automated and integrated. Many roboticists today define, prototype and develop an entire robotics system architecture in simulation and tie it to tooling which will automate both testing and deployment.

Over the last couple of years we have seen big changes on the arrival of cloud services to robotics and to ’robot infrastructure as a service’ including simulation, fleet management systems, or teleoperation capabilities among others. The promise is that robots of almost any size and complexity can be called into virtual life, changed, or terminated without leaving the desktop. On top of these new capabilities, a process of quick and regular deployments has evolved. Often referred to as Continuous Delivery, this iterative approach is powerful, flexible and efficient, but these strengths bring new sets of risks which your security practices must address. To do so, roboticists will need to consider security as a primary concern throughout your development and deployment processes.

To the best of our knowledge, while there is some prior work studying DevOps in the embedded systems field , there is no literature available to date formalizing the adoption of DevSecOps in the robotics domain. In this article we introduce DevSecOps in Robotics as a set of best practices designed to help roboticists implant security deep in the heart of their development and operations processes. The content provided below is not an in-depth guidance on how to avoid implementation vulnerabilities in the code you write, this topic is covered by other pieces of research and we kindly refer the reader to . The principles provided below are intended to help secure the entire process of software development in robotics, from establishing a security-friendly culture in your organisation through implementation and ongoing management. It must be noted, however, that using these principles do not guarantee a secure final robot, but should help you gain confidence and insights that the code you deploy is built with a security mindset.

From DevOps to DevSecOps

Roche argues that developers work mostly on code while operations people work mostly with systems. Security, well identified as a continuous process, needs to be applied individually to each one of these phases and then holistically to the complete system. Security is a challenge and with each interface, the complexity increases.

DevOps is presented with a mix of the two skill sets mentioned above, developers and operations people. When adding security to the DevOps tuple we dive into DevSecOps. Often times called "Rugged DevOps" or “security at speed”, DevSecOps is a set of best practices designed to help organizations implant security deep in their DevOps development and operations processes . DevSecOps, also known as SecDevOps and DevOpsSec, seeks to embed security inside the development process as deeply as DevOps does with operations.

Turning again into robotics, security –identified as a process that needs to be continuously assessed both in hardware and software– is a highly time and resource-consuming task. As was proven before in Computer Science, including security –across the development, deployment, production, and post-production phases– results in a more secure output. Figure 2 depicts our view on how DevSecOps could be implemented in robotics. We list phases, tasks, and activities while providing descriptions to further clarify the effort required.

Refer to caption
Figure 2: A flowchart of DevSecOps for robotics

Development phase

Plan task

Code task

Build task

Test and simulate task

Flaw management task

Deployment phase

Production phase

Post-production phase

Analyze task

Figure 3 presents a graphical representation of the DevSecOps cycle in the robotics domain.

Refer to caption
Figure 3: A graphical representation of the DevSecOps cycle for robotics.

Discussion and future work

With DevOps, engineering efforts now serve multiple masters. Where the focus used to be purely on precision, now longevity, scalability and security (with DevSecOps) hold equal footing in product requirement discussions. Where Quality Assurance (QA) had traditionally held the line on risk definition and maintainability, Security now has an equal, if not dominant, role.

Quality (Quality Assurance or QA for short) and Security are often misunderstood when it comes to software. Ivers argues that quality "essentially means that the software will execute according to its design and purpose" while "security means that the software will not put data or computing systems at risk of unauthorized access". Within one relevant open question that arises is whether the quality problems are also security issues or vice versa. Ivers indicates that quality bugs can turn into security ones, provided they are exploitable, and addresses the question by remarking that quality and security are critical components to a broader notion: software integrity. Coming from the same group, Vamosi argues that "quality code may not always be secure, but secure code must always be quality code". This somehow conflicts with the previous view and leads one to think that secure software is a subset of quality. The authors of this article reject this view and argue instead that Quality and Security remain two separate properties of software that may intersect on certain aspects (e.g. testing).

As nicely indicated by Lopez for the DevOps scenario and extending it for security, in the DevSecOps scenario, both security and QA integrate into the testing and development processes and take a collaborative approach. Quality and Security are ensured throughout the testing and delivery cycles and both the testing and development teams are responsible for them. In other words, compared to the traditional waterfall pattern where quality creeps in toward the end, with DevSecOps security and quality come in at every level.
In robotics there is a clear separation between Security and Quality that is best understood with scenarios involving robotic software components. For example, if one was building an industrial Automated Guided Vehicle (AGV), Autonomous Mobile Robots (AMRs) or a self-driving vehicle, often, she/he would need to comply with coding standards (e.g. MISRA for developing safety-critical systems). The same system’s communications, however, regardless of its compliance with the coding standards, might rely on a channel that does not provide encryption or authentication and is thereby subject to eavesdropping and man-in-the-middle attacks. Security would be a strong driver here and as remarked by Vamosi , "neither security nor quality would be mutually exclusive, there will be elements of both".

Quality in robotics, still on its early stages (though much more developed than security in the author’s opinion), is often viewed as a pre-condition for Safety-critical systems. Similarly, as argued by several, safety can not be guaranteed without security . Coding standards such as MISRA C have been extended to become the "C coding standard" of choice for the automotive industry and for all industries developing embedded systems that are safety-critical and/or security-critical . As introduced by ISO/IEC TS 17961:2013 "in practice, security-critical and safety-critical code have the same requirements". This statement is somehow supported by Goertzel but emphasized the importance of software remaining dependable under extraordinary conditions and the interconnection between safety and security in software. This same argument was later extended by Bagnara who acknowledges that having embedded systems, non-isolated anymore, plays a key role in the relationship between safety and security. According to Bagnara, "while safety and security are distinct concepts, when it comes to connected software" (non-isolated) "not having one implies not having the other", referring to integrity.

Acknowledging that both Security and QA are embed into the DevSecOps cycle brings us to question whether safety –connected to Quality– could also fit in. Myklebust et al. argue that DevOps, with its frequent changes, make systems’ maintainability – e.g., change impact analysis – a more challenging topic, which makes it more difficult to integrate safety within the DevOps cycle. They do acknowledge though that DevOps is also a considerable trend for non-critical systems and make an interesting connection between safety and security, which indirectly leads to DevSecOps. In a similar line of thought, Johnson indicates that the time and cost involved in this process makes the DevOps paradigm of continuous release challenging for safety-critical software, especially in delivering to the end customer. He, however, points out that despite this, "aviation and defense teams have embraced the principles of DevOps, especially at the pre-certification stage, because of the potential for the higher overall quality it offers".

Altogether this leads us to the following questions: how do we apply safety-critical practices to the DevSecOps cycle in robotics? And more importantly, if safety and security coding (software) standards do not guarantee that the final robotic system will be secure, will it be safe given the safety and security connection? Some preliminary work tackles the first question and indicates that Model-Driven Engineering (MDE) frameworks might allow a mix of DevSecOps with the functional safety process. Further research on these questions remains open for future efforts.

Acknowledgments

We thank Lander Usategui San Juan and Mike Karamousadakis for their feedback and useful discussions. This work has partially been funded by the ROS-Industrial Quality-Assured Robot Software Components (ROSin) RedROS-I and RedROS2-I FTPs which received funding from the European Union’s Horizon 2020 research and innovation programe under the project ROSIN with the Grant Agreement No 732287. This research was also financially supported by the Spanish Government through CDTI Neotec actions (SNEO-20181238). Special thanks to the Basque Cyber Security Centre BCSC (Basque Government’s agency SPRI) for the support in actions fostering awareness in robot Cyber Security. Last but not least, authors are grateful to the local administration Diputación Foral de Álava for the support to entrepreneurship in innovation actions (EMPREM-2019/00002).

Read the original paper ↗

Citation