Rigorous Robot Security: How Galois’s RDE Framework Is Streamlining NIST Compliance and Change Impact Analysis for Cyber-Physical Systems

In 2003, just as the invasion of Iraq was heating up, the U.S. Army reached out to the University of Minnesota’s Center for Distributed Robotics (CDR). They needed compact robots capable of providing real-time reconnaissance and situational awareness for troops on the ground. The CDR, the army knew, was already engaged in developing advanced remote-controlled robots as part of a DARPA initiative instigated by the critical needs highlighted during the infamous “Blackhawk Down” incident in Somalia.

“DARPA’s original concept was a small robot that could be launched from an M-203 grenade launcher,” said ReconRobotics CTO Andrew Drenner, then a graduate student at the U of M. “For various reasons, the university would not allow grad students to have grenade launchers. So instead, we built a Gatling gun that could shoot robots.”

Shielded by a protective shell, the little robot prototypes could burst through windows, ditch their casings, and scout with a camera, relaying live footage back to operators.

“They could do all kinds of crazy things,” Drenner said. “We had wheels that changed size on the fly; we had little grappling hooks that could fire and pull the robot onto stuff; we had a jumping mechanism that let the robot jump onto a tabletop a meter high. The problem was, those features worked great in the lab, but they didn’t work in the real world.”

Responding to the army’s needs, CDR developed a new, simpler robot, tailored for practical use. The new design was throwable, durable, and capable of sending back real-time footage in critical situations. Soon, the CDR delivered 30 robots to the army, all of which were immediately deployed to the theater. Within a few years, the army was back. The Throwbot® Robots worked wonderfully, and they wanted more.

“That’s how it all started,” Drenner said. “We had this technology that was real-world-proven right away. Then the question became: how do you commercialize that?”

In 2005, Drenner and his classmates founded ReconRobotics, spinning the business out from the university and building on the foundation laid in DARPA-funded research. In the years since, the company has deployed between 7,000 and 7,500 robots worldwide, supporting law enforcement, firefighting, search and rescue operations, and the military.

Evolving for Modern Challenges

Over the years, the Throwbot® Robot’s relative simplicity, which requires minimal computational power, made it less prone to cyber threats than more complex machines. But when ReconRobotics was selected for a United States Special Operations Command (SOCOM) small business innovation research (SBIR) program, and tasked with developing a more complex robot for modern battlefield operations, it became clear that the context was shifting.

“Before this, everything in the robots was micro-controller-based. There’s a tiny RTOS, but nothing touches a network,” Drenner explained. “SOCOM wants this new robot on the same battlefield network as everything else, and each can be a potential relay node for other robots. It’s got higher resolution video, much higher fidelity sensing, orders of magnitude more processing capability, an open architecture framework, and may carry more sensitive payloads. With that complexity, cybersecurity has become way more important. And the process of making it secure forces a lot more formal methodology on us.”

“That’s where we come in,” said Galois Principal Engineer Tyler Smith. “ReconRobotics is great at building robots, but rigorous security for cyber-physical systems is a whole different angle.”

Complex cyber-physical systems, like ReconRobotics’ new line of robots, are made as much of software as of steel, and the complex webs of interconnected code that make the system work can be difficult to disentangle. As a result, even seemingly simple software upgrades or component changes can have unexpected performance or security impacts. As part of the SOCOM SBIR, ReconRobotics is required to meet specific attributes defined by the National Institute of Standards and Technology (NIST) Cyber Survivability framework. But without an understanding of how all the code, components, and data flows fit together, Cyber Survivability is a daunting task.

Fortunately, over the years, Galois’s engineers have accumulated an enormous amount of experience doing cyber security assessments and working through NIST processes to support the development of cyber-physical systems, from medical devices to aircraft to IT infrastructure and beyond.

Over the past few months, Galois has partnered with ReconRobotics, bringing our rigorous digital engineering (RDE) framework to bear on their latest robot design, mapping, analyzing, and optimizing the cyber-physical system for security, compliance, and success both now and in the future. 

Rigorous Digital Engineering

Galois’s RDE process follows four key steps: Frame, Model, Analyze, and Contain. 

Frame: In the first step, the team defines specific goals and requirements. Here, that focus has been on ensuring the robot’s functionality, security (particularly in terms of domain isolation for data flows), and compliance with NIST requirements. We collaborate with stakeholders from ReconRobotics and SOCOM to define and refine cyber survivability requirements. Although the NIST guidance doesn’t give the exact requirements for any given system, it provides a framework for rigorously defining requirements and collections of requirements to use as a starting point. 

Model: Next, we use industry-standard modeling languages, like SysML, and Galois tools, like Taphos, which automatically analyzes code, to generate a dynamic digital model of the robot’s hardware and software. The model explicitly traces the dependency relationships between each component throughout the system, defines what data flows in and out of where, enumerates data flows by domain isolation class (e.g., security, fault, safety), and even overlays NIST cyber survivability requirements for easy analysis.

“With the model we built, I have a single touchpoint that I can automatically analyze and use to generate artifacts, requirements, and test plans,” Smith explained. Because we annotate the model with the requirements, Galois’s tools can automatically conduct verification and validation steps, such as checking that the appropriate security control requirements are allocated to the appropriate hardware and software. 

In short, with this model in hand, our system engineers are set up to analyze and test changes in a virtual environment, receiving immediate, automated feedback about the risk and impact of that change.

Analyze: In the Analyze step, we use Galois’s RMF and MADS tools to assess the model for vulnerabilities. Our engineers analyze the various classes of domain isolation in the system architecture model, identifying the components in each domain and confirming that domains do not have components in common. Components shared between domains are automatically flagged for revision, a key step in ensuring security and compliance with NIST standards.

With the Throwbot® System, we are specifically analyzing impact associated with data flows in terms of Confidentiality (What is the impact if this data is made public?), Integrity (What is the impact if this data is corrupted by an adversary?), and Availability (What is the impact if this data is disrupted or blocked?).

By analyzing the level of impact (low, medium, or high) in each of these areas for data flows throughout the system, Galois’s engineers develop a framework of understanding that informs exactly how the domain isolation model is designed. For example, if the impact of the robot’s live video feed being made public (confidentiality) is low, then that data flow’s domain may not need to be isolated. If the impact of video data being blocked by an adversary (availability) is high, then that data flow may be a high priority for domain isolation, requiring more stringent security protocols.
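The two checks described in the Analyze step, flagging components that appear in more than one isolation domain and ranking data flows by their worst-case confidentiality, integrity and availability impact, can be illustrated on a small model. The following is an added example, not Galois’s Taphos, RMF or MADS tooling and not ReconRobotics’ system model; the component names, domain assignments and impact ratings are constructed for a hypothetical throwable reconnaissance robot.

```python
"""Domain-isolation and CIA-impact triage over a small system model.

Added illustration of the Analyze-step checks; not Galois tooling.
Component names, domains and impact ratings are constructed.
"""
from dataclasses import dataclass
from itertools import combinations

# Ordinal scale for the low/medium/high impact ratings used in the triage
IMPACT = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class DataFlow:
    name: str
    source: str            # producing component
    sink: str              # consuming component
    domain: str            # domain isolation class: security, safety, fault, ...
    confidentiality: str   # impact if the data is made public
    integrity: str         # impact if an adversary corrupts the data
    availability: str      # impact if the data is disrupted or blocked

    def worst_case(self) -> int:
        """Worst-case impact across C, I and A; this drives isolation priority."""
        return max(IMPACT[self.confidentiality],
                   IMPACT[self.integrity],
                   IMPACT[self.availability])


def sample_flows() -> list[DataFlow]:
    """Constructed flows for a hypothetical robot (not real product data)."""
    return [
        DataFlow("live_video", "camera", "radio", "security", "low", "medium", "high"),
        DataFlow("motor_command", "radio", "motor_controller", "safety", "low", "high", "high"),
        DataFlow("wheel_feedback", "wheel_encoder", "motor_controller", "safety", "low", "medium", "medium"),
        DataFlow("battery_telemetry", "battery_monitor", "radio", "fault", "low", "low", "medium"),
    ]


def components_by_domain(flows):
    """Collect the set of components touched by each domain's data flows."""
    by_domain: dict[str, set[str]] = {}
    for f in flows:
        by_domain.setdefault(f.domain, set()).update((f.source, f.sink))
    return by_domain


def shared_components(flows):
    """Flag every component that sits in two or more domains (isolation violation)."""
    by_domain = components_by_domain(flows)
    flagged: dict[str, set[str]] = {}
    for a, b in combinations(sorted(by_domain), 2):
        for comp in by_domain[a] & by_domain[b]:
            flagged.setdefault(comp, set()).update((a, b))
    return flagged


def isolation_priority(flows):
    """Order flows for isolation work: highest worst-case impact first, then by name."""
    return sorted(flows, key=lambda f: (-f.worst_case(), f.name))


def needs_isolation(flow, threshold="high"):
    """A flow whose worst-case impact reaches the threshold warrants its own boundary."""
    return flow.worst_case() >= IMPACT[threshold]


def analyze(flows):
    """Produce the findings an engineer would review for this model."""
    return {
        "shared_components": shared_components(flows),
        "isolation_priority": [f.name for f in isolation_priority(flows)],
        "needs_isolation": [f.name for f in flows if needs_isolation(f)],
    }


if __name__ == "__main__":
    findings = analyze(sample_flows())
    for comp, domains in findings["shared_components"].items():
        print(f"FLAG: {comp} is shared by domains {sorted(domains)}")
    print("isolation priority:", findings["isolation_priority"])
    print("flows needing isolation:", findings["needs_isolation"])
```

On the constructed model the single radio carries the security, safety and fault domains at once, so it is flagged for revision, and the live video feed ranks first for isolation because its availability impact is high even though its confidentiality impact is low, which is exactly the distinction the paragraph above draws.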

A similar analysis and Q&A process happens with cyber survivability assessment, with Galois engineers working with the client to systematically assess questions like “If the robot’s XYZ capability goes down, does it need to be available again in minutes, hours, or days?” and “What are your adversaries’ skill sets and resources?” The answers to these questions determine the path forward. 

Contain: Finally, we are ready to optimize the system for modularity and security. Our analysis of the virtual model from the previous step tells us exactly where requirements for security controls or isolation capabilities must be applied to enforce security policy or to isolate domains for security.

Future-Proofed and Set Up for Success

“In the end you get this reusable artifact that can help ensure compliance with government requirements, and can give you capabilities to set you up for success – streamlining and automating analysis for future changes,” said Smith. 

In other words, once we’ve built that dynamic digital model in Step 2, ReconRobotics has a reusable map of their system. Next time a government standards compliance question arises, they can just check the model. If ReconRobotics wants to upgrade or make changes to the robot’s software or hardware in the future (installing a new camera, for example) they can simply add in the new component details and automatically see the impact of the change. The whole process of ensuring compliance and cybersecurity is set up for speedy success.

“It’s always good going into client meetings and knowing the expertise from Galois is there,” said Drenner. “That’s been a great part of this effort. It’s just amazing.”

Currently, ReconRobotics and Galois are closing out their work on the SBIR’s Phase 1, and hoping to enter Phase 2 soon. Our hope is that this is only the beginning of a truly remarkable project and partnership, one that paves the way for a high-assurance future in the world of microrobotics.