Secure Robotics: Exploring Safety, Trust, and Cybersecurity with Prof. Damith Herath and Adam Haskard
Episode 39 • 24th October 2024 • Secured by Galah Cyber • Day One

Shownotes

Episode Summary

In this episode, Cole Cornford speaks to two guests on the topic of robotics: Damith Herath, a Professor at the University of Canberra, and Adam Haskard, co-founder and Director of Bluerydge, a Canberra-based cybersecurity and technology firm. Together, Damith and Adam are conducting research into Secure Robotics, an emerging field of study that addresses the intersection of robotic safety, trust, and cybersecurity. In their conversation with Cole, they discuss the growth opportunities for robotics, how someone interested in the field could pursue a career in robotics, potential risks of the common household vacuum robots, and plenty more.

Timestamps

2:00 - Robotics: definitions & applications

8:45 - The intersection of robotics & cybersecurity

10:00 - Trust & safety in robotics & cyber

15:00 - Emerging risks in robotics

18:40 - The role of cybersecurity in robotics

20:30 - Regulation and innovation in robotics

40:00 - Growth opportunities for robotics

29:00 - Future of robotics & AI

32:00 - Career pathways into robotics

39:00 - Rapid fire questions


Transcripts

Cole Cornford:

Hi, I'm Cole Cornford, and this is Secured, the podcast that dives deep into the world of application security. Today, I have a joint podcast where I've got two people coming on, Adam Haskard and Damith Herath. Adam owns a consultancy, Bluerydge, and Damith is a professor at the University of Canberra, and they wanted to come on and talk to me about an emerging field, which is robotics.

Now, we've had robotics in the world for quite a long time, and whenever everyone starts thinking about robotics, they almost always think about manufacturing cars, with giant arms and stuff. But we've started to see robotics become more of a consumer and hobbyist industry. And if history is anything to go by, what starts off as often a hobbyist participate in, eventually people start to commercialize and then figure out, "How do we make money from that?" And as soon as they start commercializing things, then they need to start considering the security implications, because they can steal money out of that.

Adam and Damith have a Center of Excellence at the University of Canberra, where they're really, really focused on the cybersecurity and physical security outcomes of robotic systems that they call secure robotics. And so, this episode's dedicated to recognizing that it's important that even as AppSec professionals, that we need to start looking at domains that aren't just purely web applications for banking and finance.

And especially when we consider things like monitoring mines or healthcare settings and how robots are used to help patients with mobility or to dispense drugs at pharmacies, or even, I think the most common one we're talking about is the Roombas and robotic vacuum cleaners going around your houses. There are a lot of cybersecurity implications because of the overlap between IT and robotic systems. And so, yeah, this is a call to action. There's a lot of interesting content in there. They're both lovely people and they would love to talk to anyone about robotics. So, without further ado, here is Adam and Damith. How are you guys going?

Adam Haskard:

Good. Thanks, mate. Thanks for having us.

Damith Herath:

Thanks for having us, Cole.

Cole Cornford:

It's an absolute pleasure. I think that robotics is a super interesting topic. I also am really not educated in it whatsoever. Would you be able to give a bit of a good explanation, just for 101, for my audience? Because a lot of them come from the software engineering and computer science background. What is robotics and why is it cool?

Damith Herath:

I might have a crack at it first, Adam, then you can throw in.

Adam Haskard:

Go on.

Damith Herath:

So, I'm Damith. So I'm a robotics professor at University of Canberra. I was really passionate about robotics since I was young. There's a inside joke, and if somebody ask what a robot is, the answer, the right answer is, "Show me one and I'll tell you whether it's a robot or not." Really varying degrees of definition of what a robot is. For most people, I think a robot is a humanoid. I mean, especially with Elon Musk touting the humanoid form a lot these days.

I think we tend to ascribe robotics being humanoid form and doing something that humans can. Robotics is much broader obviously. There is lot of non-humanoid-type robots actually been doing the rounds for almost 50, 60 years now. So the common form that we ascribe robotics is the industrial robot arm, the one that makes lot of the cars. And you would've seen the yellow industrial robots that you see in factories.

Between that and the humanoid form, there's few different variants that has evolved over the time. And one of the first robots that really, I think, reached en masse is the vacuum cleaning robots, the Roomba types. And they're the only really useful robot we still have seen in mass production. So we have really done a lot in robotics, between the industrial robot arms and the Roomba vacuum cleaning robots. And that's going to change in the next, I think, decade.

There's a lot of interesting things happening, especially in the generative AI space that actually allowing robotics to evolve more in the, especially around contextual awareness of what's happening around the robot. So we're going to see a lot of interesting things happening. And I think it's in that light, this conversation is important. Because up to now, I mean, I'm a mechanical engineer by training, I never really worried about security in any form.

That's one of the last things I think about, because there's so many other things that's going wrong before you can start thinking about security, right? So getting your algorithms right, getting your cameras working, and getting the bloody thing to run on the road, just follow the path, that's already hard stuff. So when somebody tell me, "You need to worry about secure," that just, that doesn't compute in any of our minds, until now.

So the danger now is that we got robots actually entering human spaces much more than we've seen in the last 50, 60 years. The first one's obviously more advanced versions of the vacuum cleaning-type robots. So these have autonomous navigation, which request to have cameras and other sensors to let the robot know what the environment it's working in.

So just to give a illustration there, the first version of the Roomba vacuum cleaning didn't have any cameras, any sophisticated sensors, they just bump sensors, that's it. But the ones that we have these days, they can do mapping, localization and mapping, and that requires advanced sensors, cameras, and things like that. So that means you got very sophisticated devices now entering into our households, with scant regard to security aspects.

Cole Cornford:

And that's for me, I used to have to vacuum all the time, and I have one of these DEEBOT ECOVACS things. It goes around my house and sometimes whinges to me that it gets trapped, which is my favorite thing, because sometimes, it just finds its way underneath the table and it locks itself in a position and can't leave. And I'm randomly at a conference or something and I just get a text message saying, "DEEBOT is trapped. Please save DEEBOT." And I am literally in Canberra, I cannot do this. So I'm sorry, DEEBOT, you'll remain trapped forever.

I love it, it makes my life so much easier. But then even, I've been thinking about the considerations of having a robot vacuum cleaner that's connected to a mobile application on my phone. And then also, it's connected to my Wi-Fi and it's using infrared or something to map out how my house looks and put it into. So there's a lot of privacy considerations, and I think that's where it's important to bring you into the conversation, Adam. So can you give us a bit of background about yourself and a little bit about what you think we need to be doing for security for robotics as well?

Adam Haskard:

Yep, I can do that. You automatically fill some of the things in my imagination that made me leap into this space, because it's interesting and decorate some of the ideas Damith put forward. So yeah, my name's Adam Haskard. I've a background in military and IT cybersecurity, and I run Bluerydge, a cybersecurity and technology firm. We're five years in. We have lots of customers, lots of clients. But I'm also a researcher in secure robotics at the UC Collaborative Robotics Lab, under Damith.

To me, a robot, from an IT perspective or a computer science standpoint, is a gaming machine with arms and legs, or a gaming machine with wheels. And it's, reminds me of when I grew up building gaming machines with parts and overclocking certain, overclocking CPUs and overclocking RAM, and trying to get as much juice out of it as... So that's the enthusiasts. And when I see the robotic systems, the state it's in now, that's more or less being driven by the enthusiasts, because it's incredibly accessible now than prior to what it was to build robotic systems.

And because I saw that, that landscape in the lab during some, a course that I was doing at UC, I thought, "I wonder what else we can do with it?" And I wonder what the vulnerabilities are. I wonder what the threat landscape is. I want to know what these things are as well. And yeah, we had a conversation, many, many, many conversations about these things.

And Cole, to all your, all of your points, they are all, would be all typical considerations, from the cybersecurity lens, that literally just have not been applied to the robotic system landscape. And that's because just like back in the day, we wanted to get those IT systems and server client systems to work. We didn't really need them to be secure, we just needed them to work.

Cole Cornford:

I think that one of the funniest things that pops up when I... I just opened my DEEBOT app right then, and on the very front page it just says, "We are ISO certified."

Adam Haskard:

Yeah.

Cole Cornford:

So there you go.

Adam Haskard:

Excellent.

Cole Cornford:

Well, good on them.

Adam Haskard:

Well...

Cole Cornford:

But there's tremendous scope for things that can go wrong. Because, I guess it's when we work with IT systems and just software, if you make a mistake, there's a good chance that you can immediately fix the mistake. But-

Adam Haskard:

Yeah.

Cole Cornford:

... I think that's tremendously more difficult when you're dealing with physical machines and manufacturing, because the cost to fix those problems, you have to recall a lot of time, yeah we can put over the air to change the firmware or stuff, but then your supply chain tax... I think there's so many different ways that we're just completely inconsiderate of nowadays, like, what types of cybersecurity threats do you think are the most important for us to be even looking at, to even start with? Because it could be everything from how do we manage the supply chain of the parts that we bring into build robotics, or to the software that we produce, or even just the privacy of the data that with cameras of my living room?

Adam Haskard:

See how your brain's exploding with the possibilities and all of the knock-on effects? This is definitely the invitation that Damith and I bring today to the cybersecurity cohort is to get involved in the robotics, because it is not just me and I do mean this, but to your point there, what are some of the threats? Well, I probably, it might just be useful if I quickly just map out how we see secure robotics and then speak, and we can just jump off that as a leap-off point.

So when I very first went in, I wrapped up some study and I said, "Damith, this is what I want to do. I want to develop some application security controls in robotic systems, I want to test these controls, and then I want to make it so that these technical controls make a direct contribution to the engineering and the safety of these systems." And Damith was like, "Yeah, but you can do that. It's straightforward, but we really need to consider trust. We nearly need to consider how cybersecurity affects trust and the knock-on effect for cybersecurity and safety." And I'm paraphrasing lots of discussions that we had.

So what we did was, is we just rifled through literature for what, for two, three years to... and we found that what emerged at that intersection of cybersecurity, human to robot trust and safety is that paradigm of secure robotics. And that is the reason, one of the reasons, Cole, that that is, because there is a safety knock-on effect, whereby if there's a vulnerability or exposure that gets from an IT system, usually that'll involve, maybe the system will get turned off, let's say, but it's probably going to be a data issue, like an exfil or some situation.

Whereas, with the robotic system, because they're cyber-physical systems, they have a real knock-on effect and they can interact with the real world, and people, and that wouldn't be excellent. It could be good, but it could also be bad.

Damith Herath:

And also if that go down, Adam, if it just could just put a little example to this. So a few years ago, some folks in China managed to hack a Tesla self-driving car by posting, putting some stickers on the road. So that, in itself, is security threat of a different kind. Situations like that haven't been really computed in designing autonomous systems. So these are other examples of where security trust and safety comes into play. So the paradigm is actually a bit broader than just cybersecurity. So I think that's one thing that I think we should keep in mind when discussing these kinds of cyber-physical systems.

Cole Cornford:

I liked with, there's been a lot of situations of self-driving cars over in the States where people who've just been mucking around trying to influence the behavior of basically pen testing them, but they really shouldn't, because they don't have permission. I think my favorite one was taxi drivers who were frustrated with Waymo taking a lot of just their work away from them by providing free tests to drive between places.

They would just throw traffic cones onto the cars, and then the cars just had no idea how to respond, because they see a traffic cone, but it just doesn't move no matter how they move, because it's on the vehicle. And then they're like, "Well, I guess I've just got to stop." And then the passenger's annoyed because the car's not going anywhere and the vehicle's just being safe, because it knows well this, I'm in a construction zone always at all points. Therefore-

Damith Herath:

For the cybersecurity cohort listening, like the offensive guys, that's more or less you're denialing, a denial of service attack using a traffic cone to one of its interfaces. And it seems novel and it's like, "Wow, that's crazy." But that's... When I grew up it was like, "Oh, I'm just going to send all these malformed packets to this interface and crash my school server's website, because I have an exam coming up." And this is more or less the same thing. It's like we can't drive the exam now, but you can't drive that car.

And one of the things is, robotic systems, as Damith alluded to earlier, comparing early Roombas to now, they're always adding new, there's always going to be new sensors, not less, new interfaces, new interfaces to get information. And because there is always going to be new streams of information that is being fed into that robotic system or the cyber-physical system, augmenting what it can and can't do, all of those interfaces are critical into being secured.

Not to mention as you were speaking about your own vacuum cleaner earlier, that has an interface into the internet onto your app as well. You know what I mean? There's an interface from that robotic system from your house into your app. It's an interesting proposition for a lot of folks listening, I'm sure.

Cole Cornford:

Well, I think everybody should go out and have a little bit of a play and have a think about what they can do in a space. But I wanted to move back towards safety and engineering, little bit away from cybersecurity. So you were saying that there... Because I'm considerate of what I typically have seen robots in media being used for. So things like we have warehouses and we need to be able to move. Everyone knows the fleet of Amazon drones that move all the different pieces together, or it's the arms.

I went to Hiroshima, to the Mazda factory, a long time ago before the pandemic. I thought that was really cool being able to watch how the vehicles were being created using his arms. But if I could think about the future of manufacturing, you want to be in a situation where you don't just have physically static plants and production lines. You want to have robots that could potentially change the tasks that they do, in response to changing demand. So how do we go about making these systems safe? Because cyber is a lot of time focused on the protection of data and information, but not necessarily on safety.

Damith Herath:

So few years back, this is again a bit of big news at Volkswagen factory, I think, in Germany where one of the engineers entered the robot space, and he didn't follow the protocols and the robot got activated and he was killed. And that was really devastating, and that's in a very secure system. There's protocols and he was just not following the protocols, per se.

What has happened from then and now is that we got intuitive systems, actually, that we are in the generation what we call collaborative robots. So these are cobots. These are robots designed for working in human spaces, so they are much more relatively safe. But as you said, Cole, now to make these robots work, they actually need to be connected to internet all the time. They rely on additional data. So the old-school factories, they didn't really rely on lot of data, they just have very simple sensors, just stop-start sequences and things like that.

A lot of it is programmed, pre-programmed so you didn't have any leeway to inject in new information, as it is possible in these days, in modern robotics. So modern ones are much more evolving, they, lot of the interaction happens through the interactions with people. So they're not pre-programmed, per se. So there's lot of opportunities to then intersect, interject additional protocols and things like that. So it's more like the live internet than a physical pre-programmed entity back in the day.

Unlike the Volkswagen scenario, the robots are much more loose now. They're not in really secure environments. You've got the Roomba vacuum cleaners obviously. If somebody has control of one of these things, they can easily map your environment. You can actually get, literally get a map. So if one of these robots in a secure facility, like in a defense facility or something, somebody can literally map the entire facility using one of these vacuum cleaners and nobody will notice it. So these are some of the emerging risks in that space.

So how do you work go about solving this problem? One of the difficulties right now is that, as these robots get sophisticated, so are their algorithms. Even this vacuum cleaning robot that you have right now, the DEEBOT ones, they have a number of different software systems, like they are talking to each other at different application levels.

There could be one point in this chain of interactions that is not as secure as any other point, and then that could be the place that somebody can inject. How do you maintain these kinds of complex systems to be fully secure? I think these are some of the emerging problems that we are seeing now, and that's what I think Adam's, especially Adam's piece-

Adam Haskard:

Yeah. So, no, that's right. And I think, this is what I think, Cole, this is early, it's relatively early days in this field, hence why this, this discussion today is definitely an invitation to the cybersecurity community to take part in robotics. Something that I lean towards that I'm sure a lot of the audience would be familiar with is security controls being implemented, let's say in, whether administrative controls, training controls, physical controls, technical controls, probably from some control framework.

And the control frameworks that a lot of us are familiar with will usually be around data classification. There'll be like these controls are must for a TS, or if it's a JSEG or something like that, they'll be like, if it's a special access program, you have to have these controls and there'll be a bunch of more or less prescriptive security rulesets that you need to implement across those different domains. What I think with robotics is likely to occur, at least at this earlier stage, just looking around the corner a little bit is, is that some of the security controls will have direct trust and safety implications.

And I think that you, by implementing some of the controls within the secure robotics paradigm that you would've improved, you will have a turnaround and improvement in trust and safety just like we would for securing systems in the traditional IT sense, where it's like we're going to improve its, like a data holding, we're going to improve its network security. So then now it can be a secret system, for example. And I think that probably there will be watermarks for trust and safety, depending on the operational context of those systems that security practitioners will need to meet.

Cole Cornford:

Do you think that we're going to go down, at least domestically in Australia, any pathway? Because I know that IoT, which oftentimes can be somewhat related to robotics, because a lot of the time you've got a vacuum cleaner, it just has a Raspberry Pi on it. Maybe that's a very... like a home, a very home brew variety of a Roomba, maybe probably 10 times as expensive, but whatever, let people have fun with the hobbyist activities. Do you think we're going to go down a route where we're going to have to regulate the security of these devices?

And, I guess, another thing that I'd be interested in learning more about is, I think that a lot of the assumptions that we make in cybersecurity is that we're going to just focus on the protection of data and just cut people's access. I think that the traditional approach of just saying no and stopping is actually really bad, when you consider that safety and reliability are more important in the physical environment than in the internet space.

And so, if you've got a robot arm that, I don't know, maybe it helps lift up people in hospital beds or something as well, and then it gets hacked, do you want it to shut down completely and then have someone who's potentially incapacitated?

Adam Haskard:

Yeah. No, no, this is important to me, because when I was in, I was in Japan recently, at ICRA, and a lot of the effort that, it was an exceptional event. And a lot of the effort that the robotics engineering and roboticists, robotics teams are putting into an investment is in healthcare, to that example, and elder care as well, and using robot systems to augment the existing labor force. I think that's a noble thing and I think that's useful.

What I wouldn't want, what I wouldn't recommend is yeah, that shut down, like this situation's been... If there's an issue, then it gets shut down. But this is, the thing is that the gravity of things going wrong in robot, because of the trust and safety elements, might be more jarring than an IT system that gets hacked. But this is what I think about that on the regulations. All I think is that, I think that the robotics systems that are the most useful and are the most secure. And I have an analogy which I'll mention, will get the most uptake.

And what our lab believes and what the literature points to is that that, yeah, that trust is really the foundation of human-to-robot interaction, and cybersecurity is an ingredient to that trust. And yeah, it takes a long time of successful use to build trust. And the analogy I'll just quickly mention there is with online banking. When we grew up, we didn't do that. Lots of things you didn't do on the internet. You certainly didn't get some stranger's car and get in that car. That wasn't a thing.

In fact, I'm pretty sure when you grew up there was a thing called Net Nanny and it would tell you where you could or couldn't go, and you wouldn't definitely not be putting your mom's credit card in. And that would allowed that to happen was cybersecurity implementations into the interaction, increased trust over time to the point now where people are putting their license up and it's no problem.

But what didn't happen was, is that we didn't see the internet get canceled because there was early hacks, it just got improved. So my hope is, is that yeah, cybersecurity practitioners can do, can contribute security implementations. Because I do believe that robotic systems' contributions to the economy, to the global economy, is immense. It has the real possibility to be immense.

Cole Cornford:

So Damith, what areas of the economy do you think, where do you see the growth in robotics? I go to hospitals, reasonable about at the moment, because I'm getting ready to prepare for a knee replacement. And so, I get to see different things like beds being pushed up and down or the different types of Siemens equipment for just facilitating and helping allied health. But where else do you see as growth opportunities in the sector?

Because obviously, people in hospitals tend to be the folk who are most at risk if there is a safety issue, because they're frail or they have some illness or they, otherwise incapacitated. We obviously want to be in a scenario where we're protecting those individuals as a priority. But there's got to be a lot of other places, like maybe in mining or in telecommunications or banking. Where else do you see the opportunities?

Damith Herath:

There's plenty of opportunities in different disciplines and different industries. Just to point to the previous question, Cole, if I could add.

Cole Cornford:

Yeah, absolutely.

Damith Herath:

I think it's really important that we get the regulation bit right, because you don't want to stifle innovation. Especially, in Australia is not really leading that pack. And if you put heavy-handed guardrails onto it, I think that will stifle innovation. So it has to be very balanced. And I saw just the Albanese government put out a new program around AI guardrails and they're looking at high-risk events being controlled first as an approach. I think that's a relatively better approach.

So you look at what are the high-risk situations that AI could be problematic and then put guardrails onto those ones, and so on and so forth. So that's quite important, I think, we get the balance right. I think there are better opportunities with AI to improve the human condition than without it. So I think we want to make sure that that's taken in consideration when you're putting guardrails on. To the point about opportunities in robotics, as I said, with this new generative AI paradigm that's emerging, there's lot more possibilities for robotics.

So one of the difficulties with robotics was that they are physical systems interacting with physical world, and humans are really adapted understanding this physical world without us being trained a lot. And if you think about a little, in a child, they learn to walk and talk in a very small amount of time, with little information, right? They would see a couple of things and then they can extrapolate from that to other information and things like that. So humans are really adapted.

And thing called Moravec's paradox in robotics, which basically means that anything that's easier for humans, it's really hard for robots and vice versa. So anything that we find repetitive and boring, these things can be easily automated and everything else is really hard. And that hardness comes from not being able to understand, perceive the world in the way that humans can do. So that's changing a little with AI. So this allows the Moravec paradigm to, paradox to be changed a bit. Because now, I think lot of robotic systems have perception abilities that reasonably come closer to human. Like computer vision, for example, it's now exceeding human-level comprehension in visual tasks. So actually machines are better at understanding images now. So this will evolve over the next five to 10 years obviously, and that allows robots to be integrated in lot of other places. So health is a obvious one, industry, healthcare, aged care. And then mining has already been automated to some extent. We've done lot of work in Australia, actually, to automate mining systems.

Adam Haskard:

Agriculture as well.

Damith Herath:

Yeah, absolutely. And this can expand into all the other human industries that requires a fair bit of human labor. We would say the robots can replace lot of the dull and dirty jobs that human has to do. Just an example, in our lab, we do a lot of research with recycling. So waste recycling, whether it's in organic waste or textile, we actually working on lot of different types of robots.

One of the disgusting thing that's actually right now happening, and with one of our industry partners, they are recycling organic waste. So a lot of food waste, that's from Woolies and other places like that come to their facility to be sorted and identify all the contaminants, like metal and plastics and things like that. And that's done by human. I mean that's a really disgusting job. If you can imagine rotten meat and all that coming in and you need to put your hands to sift through it.

Cole Cornford:

Have you had to take an internship there as well? It's good to get a sabbatical sometimes, so just have a good sniff?

Damith Herath:

Absolutely. Even if you just go near the facility and come back, you smell really bad. So these things, it could benefit from robotics. But problem is so complex, it requires lot more work to be done. But I think that's where robotics is heading. So a lot of these really dirty and dull problems will be solved in the next 10 years.

Adam Haskard:

Yeah, Cole, on that point there, let's call, let's say robotics in the wild and systems in the wild, and I think one of the elements that makes it really possible that you're about to see an explosion of this is, because I alluded to it earlier, is the enthusiast. Because of AI assisting builders and makers, and because of embodied AI into robotic systems, the robotic systems become much more sophisticated, but that sophistication is accessible.

Because you can, enthusiasts can buy components and parts that can use Robot Operating System, one or two, and there's plenty of information. And all of a sudden, they have manufactured a robot that does a particular function. And it might be something small like a proof of concept, but that proof of concept, with a little more development, can be picking apples on an apple farm shortly, and it's just something that they made in their backyard.

Which, I keep alluding to IT in the '90s, that was the same for us where it's like, "No, my dad put Counter-Strike on a server that he got from work, and now we have a local thing and everyone comes around." And it was real novel at the time. And you have these LAN parties, and then people are building all these computers, LAN. But I mean, gaming was driving that. But I think in this instance, something that will drive it is the fact that building robotic systems is now way more accessible with AI assistance and the data that's out there. I think, yeah, definitely see a large uptake.

Cole Cornford (:

And that's mostly because of the computer vision? Is that the big, the really, really big change? Yeah, I could see that as well.

Adam Haskard (:

Yeah, you can buy parts for, you can buy a base robot system. Let's say it's a TurtleBot, and you can buy all sorts. It's fully designed to be modular, to plug in arms, legs, computer vision, microphones. And then you just go right ahead and get an app, and you just connect it up and you get the nodes talking. And then you're like, "Wow, I just, my TurtleBot can sing and it can..."

(:

And it's, yeah, it's got, it's embodied AI as well. So yeah, it's got ChatGPT in it, and all of a sudden, your TurtleBot's doing all sorts of crazy things. And then what's super unique about that is, that there's hundreds and thousands of makers coming online doing this all the time, because it's so much more accessible. So I think the enthusiasts will be driving a lot of this.

Damith Herath (:

And to the point that Adam's making, the other thing that actually made robotics to really flourish in the last decade is open source software. So robot operating system is the common glue between lot of the algorithms and architectures, and all the other enabling drivers and software packages. So back in the day, when I was doing my PhD, every lab is for themselves. They'll be really secretly writing their own drivers and software pieces. It's really reinventing the wheel every time somebody has to do some work. But then robotic operating system came about in the late 2000s. That really, really allowed everybody to share code. A lot of the success in robotics is due to open source movement.

Adam Haskard (:

So does that sound familiar, Cole? The open source movement driving certain things?

Cole Cornford (:

Last night, you'll probably have a laugh, but I was recording another podcast episode with the CTO of Sonatype, Ilka. And Sonatype are a software security, open source supply chain, software security business. That's all they do. And we spent a tremendous amount of time talking about how in the early 2000s, Maven was the Java ecosystem that was able to push out and start getting people to consider how do we manage software supply chain risk? How do we stop people from entering and pulling stuff in? How do we get people to start patching components? How do we trust trust? How do we... And I'm just like, oh, it's such a deep rabbit hole of things that we need to be managing, and now we've got to do it for robotics too-

Adam Haskard (:

Robots.

Cole Cornford (:

... like-

Adam Haskard (:

Robots. Too much. [inaudible 00:32:34]. Well now, open source element has just really supercharged it and, which is a good thing. Why I see it an excellent. I think there's tremendous opportunity for people to take on, like people with an IT background or a cyber background, to just think if I... For me, I just think about it as a gaming machine. I'm like, I'm going to build this thing.

Cole Cornford (:

It's been a while since I've been able to build a machine. I think the last time I built one would've been 2010. Just dating myself, I guess, because I used to play heaps of Team Fortress 2 competitively. And so, that was my cup of tea. I actually know a lot of people who work in the APS, or in cybersecurity, who recognize me from TF 2. So I guess, I don't know, everybody ends up in cybersecurity after playing Team Fortress 2.

Adam Haskard (:

I'll tell you, Cole, what I think, if I could for the audience that, I know a lot of your audience will be familiar with a SOC environment and, security operation centers, where you're triaging logs from apps, from various data points and there's incident response. This is where I think just around the corner we'll see when there's a fleet of robot systems in an agriculture setting or a mining setting, and they're basically assisting the economy.

(:

I think there is an opportunity for a human on the loop, for traditional cybersecurity SOC models to be bolted onto the top of those robot systems to do, like how SOC analysts would traditionally monitor those events and incident response, but also, probably likely have some kind of integration with the fail-safe and engineering mechanism, because they're going to be seeing engineering logs as well, and then triage that from an incident response standpoint.

Cole Cornford (:

All I can think about is having an apple orchard, and then there's just 20 machines running around with 70 arms, collecting apples, and then 10 drones flying above them using computer vision, looking at them like a prison yard, staring at all of these robots, being like, "Are you being, are you doing anything dodgy?" Right? Yeah, I agree. Every single one of these devices can produce telemetry across so many different senses.

(:

And then we need to be, the way we're traditionally dealing, I guess, with devices, the telemetry is going to be significantly higher throughput. Because, if I think about MQTT and just managing streams of data rather than requests and responses, which is what I imagine most SOCs are traditionally used to, is a computer makes a call or makes a bunch of calls and we look at logs. That's hard when you're looking at thousands of logs per second, because of the temperature of something.

Damith Herath (:

Well, also, Cole, to that as well, it's true. Normally, in a SOC environment you'll see the call from one app to another app or a call from one interface to another interface, across a network or multiple networks, and then you're just bouncing around to see where was the source, and where was the origin, where did it end up?

(:

The thing with robotic systems, it makes calls to itself, because it's got nodes. And in those nodes, it's like a little network where it makes calls to itself. So this is where I see, it's like, I think there's a real possible evolution for cybersecurity SOC analysts to be able to monitor that, because that to tie into our actual first point, that human on the loop most certainly does in that format, which we see with the SOC, with banking, would increase trust and use.

(:

And it's also that jobs point too. I don't believe that robots are going to be taking people's jobs, because it's going to be creating new supply chains and new jobs in order for the trust and safety to do those jobs.

Cole Cornford (:

It's either that or people start paying to go pick apples as a family outing.

Adam Haskard (:

Ah. Yeah, yeah, yeah.

Cole Cornford (:

It's better... I don't want to give you a job. This is actually a retreat.

Adam Haskard (:

Yeah, like homestead, it's like homesteading. People buy houses and homestead them with hobby farms now. And that used to be, that was the daily grind, but now that's a hobby. I can't believe there isn't, a hobby farm is even a thing.

Cole Cornford (:

So I see a lot of heuristic analysis as being a way to be detecting if there's issues with either individual robots or the behavior of those robots, and then we can bring that into a security operations center. That's the way to, I think, a different paradigm shift for how traditional security operations works. Let's think about maybe governance risk and compliance. What are we going to be doing to just help the GRC professionals prepare for a secure robotics/robot world?

Adam Haskard (:

Yeah, well, what I think about that is, so we submitted a paper to a journal, it's a tail end of peer reviews, but it's based more or less a wide range of literature review across the three domains. But in that, we proposed a composite security measure and model, and that composite security measure and model has, more or less, is an aggregation of the different domains that a GRC professional would look at, within the operational context, to achieve it and what we describe as an R value.

(:

So what all that Swahili means for a GRC professional is that we think that likely, you would be able to achieve a security level of a robot system, in a particular operational context, which is not too different to how GRC experts will work now with risk. You know what I mean? Say it's a disconnected system, you've got disconnected IT system, but it's got no security controls, but it's disconnected. So there would be, in that risk management component, it's like, well, maybe we don't need that much, as much as we, unless you're stuck. And I get it, I'm just saying. You know what I'm... You know what I...

Cole Cornford (:

Yeah. So the operational context matters a lot trip for these robots. So obviously, a vacuum cleaner that is traveling around a data center, that's our app assessed is, probably that's hosting T4 data, is probably going to be, have a lot more scrutiny than my vacuum cleaner.

Adam Haskard (:

Yes, it would need to achieve a much higher R value for that. But in the algorithm we've proposed, there's a priority. So, for healthcare robots, safety of patients, so safety is the number one thing for those robots. So that means the security controls that get implemented wouldn't have to contribute to safety to achieve that R value to be prioritized.

(:

So, for GRC professionals, we see secure robotics as a new paradigm, but it would be with more greater level of difficulty, but with more resources. I think you're going to be more resourced to be able to triage these things. And yeah, I think you can see that the bridge that we're creating here.

Cole Cornford (:

That's, see guys, you've got to get into robotics. So speaking of that, I figure side to shift gears a little bit to some of the faster questions. So I've got one for you that's just pretty straightforward. Someone wants to get into robotics, where do they start? What would you recommend?

Damith Herath (:

You need to have good passion, I think. Because it requires some tenacity, because you are dealing with hardware. And what I see with a lot of students coming in, they're really excited about the proposition of robotics. Then they don't really put the hard yards to actually really get into it and really get your hands dirty, build your circuits, build your... do your programming, because it's multidisciplinary, right? So you got to do not just programming, but you also, you have to play with your hardware.

(:

So enthusiasm and grit is number one. You want to really persist and push through. Because there are going to be a lot of failings down the track and you want strive through them. So that's at a really, at a base level, you need to really have that passion inside of you to really be inquisitive and exploratory. And then, a more, and I think boring one is, you need to have a bit of maths, unfortunately. You got to have some reasonable amount of interest in maths, and to really, if you want to get into it.

(:

And then the ability to think logically is quite important. So programming skills comes from that. So really my intention is just tinker with hardware, get some [inaudible 00:40:31], put some motors together and control, and see if you are really interested in that and getting that work happening. So that's the basic level, I guess, entry requirements.

(:

And then, if you want to really pursue that, obviously in bachelor's level degrees is a good place to start, of which we just launched a new intelligent robotics program at University of Canberra. It's a four-year honors program, and I'm really proud that I think it's one of the coolest programs, because it's really interdisciplinary. I mean, you got to also be careful about which university you select to do your robotics degree, because we have different flavors of it.

(:

So if you're more interested in software side of it, some of the degrees that are offered by faculty working in software side of things is important. But if you're more hands-on type person who actually want to work with the hardware, then you want to find a degree that actually alludes to that. So mechatronics and hardware robotics is a good place to start.

(:

So our one is actually in the middle, so we are bringing lot of the AI and software part as well as the hardcore engineering, chemical engineering into it. So if you're in Canberra and the surrounds, we actually got open day happening as well.

Cole Cornford (:

And not long, you'll have a new vice chancellor I hear.

Damith Herath (:

Absolutely. We are excited.

Adam Haskard (:

Can I add one thing to that question? You asked of me? Cole, is that all right real quick?

Cole Cornford (:

Yeah, absolutely.

Adam Haskard (:

I think for all the people with IT backgrounds listening, I think that everything Damith said is true. I think that for all the people who have an IT background, they're very well-positioned into, because they're used to grinding their head in the glass, trying to get stuff to work. That's what IT people do. That's what I do and it's what Cole's done, whether it's applications or servers. It's just how it is.

(:

If they were interested, I would encourage them to get, buy any robot, it's based on ROS, and then get it to do stuff. And then keep bolting more stuff on it and get it to do stuff, just like you did with your gaming PC back in the day. That's what I would say. And then use all the resources online that you normally would when you're grinding your face in the glass to get stuff work, and you're going to have a good time.

Cole Cornford (:

It's funny, because obviously, my background's super heavily software engineering. Obviously, application security is you just have to learn how to build applications. And for me, it's, everything about environment parity, build reproducibility, scale, all that stuff, as well as maintenance code, hire the right resources, use the right technologies, all that jazz.

(:

You only get to worry about that kind of stuff after you get past what I call the cliff. Because when you go to study programming for the first time, everybody encounters the cliff, and then at some point they're like, "Oh, I finally understand how to decompose a problem and then turn it into a series of steps that a computer would understand." And I think it's exactly the same in robotics by the sounds of it.

Adam Haskard (:

And I think with, you've got a software background or a hardware background, a mechanical engineering background, an IT background, with IT, it's just really, just integration, that you've got a perfectly good jump-off point to dive right in. I believe that.

Damith Herath (:

Yeah, the only thing I can add to that is, it's actually quite multidisciplinary. So you need to have a really open mind about working with other folks in the other side of it. A lot of, especially with a lot of IT grads, they're really reluctant to get their hands dirty on the hardware side. And so, like, "I don't want to touch it," and then they veer off. I mean, we lose lot of good programmers because of that, their fear of really integrating with the hardware side. So really got to have an open mind and really talk to each other.

(:

It's funny, people don't really, I think, appreciate this outside of the domains, how different we are, the mechanical engineers and the computer scientists, but we need both of them to really make things happen in robotic. It's software plus hardware. So anybody who's interested in, I think, one or the other side of the spectrum, I think you've got to be a bit more open-minded. I want to talk to soft tech guys or I want to talk to the engineers as well. So that's how we get robots built.

Cole Cornford (:

So if you're interested in secure robotics, why not go, have a look at either Bluerydge Consulting, you can go work with Adam a bit, and just get into this new interesting niche field, or go to the University of Canberra, taking new students now.

Adam Haskard (:

Cole, I'm pretty confident that in the future, I think we'll be having discussions on this. And I think that a lot of the security firms, including your own, will be doing work on these things. And we might even see a period where the ANCAP rating includes a cybersecurity component.

Cole Cornford (:

For those who don't know, that's safety.

Adam Haskard (:

Yep.

Cole Cornford (:

Well, Adam and Damith, thank you so much for coming onto Secured. It's been an absolute pleasure.

Damith Herath (:

Thank you.

Adam Haskard (:

Thank you. Appreciate it.

Cole Cornford (:

Thanks a lot for listening to this episode of Secured. If you've got any feedback at all, feel free to hit us up and let us know. If you'd like to learn more about how Galah Cyber can help keep your business secured, go to galahcyber.com.au.
