RPA Is Evolving but Risk Still Exists

RPA Is Evolving but Risk Still Exists - robotic hand and gears
Author: Larry G. Wlosinski, CISA, CISM, CRISC, CDPSE, CISSP, CCSP, CAP, PMP, CBCP, CIPM, CDP, ITIL v3
Date Published: 8 March 2023
Related: Implementing Robotic Process Automation (RPA) | Digital | English

Figure 1

In the past, robotic process automation (RPA) referred to software programmed to automate activities by performing rules-based tasks.1 However, the concept has evolved to include the individual programs and routines running the network/botnet and the command-and-control (C&C) center. Now, the term “RPA” more often refers to oversight products (e.g., a C&C center) for managing individual automated tasks that can produce multiple business benefits along with some risk. Figure 1 categorizes programmable robots by type (i.e., continually running, scheduled programs and routines, on-demand) and shows how far-reaching they can be in the enterprise.

Continuous running robots ensure that a process is running, such as with continuous monitoring systems (e.g., virus protection at the perimeter, email link and attachment scans, robot factory functions) and threat detection with artificial intelligence (AI). Scheduled programs and routines are those that have a set frequency, such as special focus vulnerability scanners (e.g., weekly for critical devices). On-demand routines support functions used for spot checking (e.g., auditing for fraud and abuse) and information security incident analysis. They can access authorized parts of the network and affect computing devices and applications.

When evaluating RPA products and discussing them with vendors, it is vital to be thorough. There are many benefits and uses of RPA and the newest addition of C&C centers; however, implementing these tools can lead to risk. Therefore, understanding how to choose the correct RPA product and tool while protecting an organization’s internal computing environment is vital for IT professionals.

RPA C&C Center Benefits, Capabilities and Examples

The latest enhancement to RPA is the C&C center, and it comes bundled with the RPA product. An RPA C&C center initiates and monitors software programs and ensures that they keep running. It orchestrates workflows across locations, environments and systems. Typical components of the RPA C&C center include a dashboard, sample scripts, a launcher interface, sample chatbot mappings, queue management, machine learning (ML) templates, storage and database management, and service management, which can include file directory controls for log files.

The RPA C&C center can initiate, reinitiate, maintain and monitor routines and processes on a continuous, scheduled or on-demand basis. The C&C center makes it easy to build, deploy and manage software robots that emulate human actions. RPA-managed software programs, processes, subroutines and tasks can utilize AI2 logic to adapt to computing environments, integrate with and manage RPA code and scripts, and manage devices to fulfill a variety of purposes.

RPA Benefits

The uses of RPA have been increasing with the changes in technology and the benefits are many.

In the business environment, RPA programmable components can reduce wage costs by reducing the number of mundane tasks or those difficult to automate, improve returns on investments (ROIs) by performing repetitive tasks in-house as opposed to outsourcing them and reduce the risk of poor business performance that could damage the organization’s reputation. For example, there are new systems that can scan paper and digital documents and quickly convert them into data, making the information available in databases and reports. This is a great time-saving capability that also reduces human error. In addition, moving devices, such as robots in manufacturing, are another example of a newer technology that can eliminate error and improve productivity.

Satisfying compliance requirements is another benefit because RPA routines can minimize exposure to sensitive data and maintain an audit trail.

RPA can also benefit management by improving data quality (because analytics have been automated), increasing the scope of data analyzed for information collection and providing timely reporting. Operational monitoring provides the benefit of real-time activity-monitoring dashboards and alerts that can report when processes fail or cannot be performed.

Improved customer satisfaction is another benefit of the reduction in manual errors (such as in data entry and manual processing) and faster service. Technological advances allow continuous running of interactive voice response (IVR) for phone communications, screen scraping (i.e., capturing displayed information), and optical character recognition (OCR) for accessing and processing retrievable information.

Using RPA to complete the IT team’s repetitive and tedious tasks and to monitor behavior via programs that conduct staff anomaly analysis (e.g., unauthorized access, inadequate implementation of least-privilege configuration) reduces staff workload. RPA can conduct speedy identification of looming information security and privacy threats from threat intelligence data. The removal of tedious tasks enables improved focus on IT innovation. And using RPA on-demand routines to format new computers (e.g., configuring security and privacy settings) and perform direct installation of specialized software saves time and effort.

Satisfying compliance requirements is another benefit because RPA routines can minimize exposure to sensitive data and maintain an audit trail. RPA can be used to support cybersecurity3 by automating data enrichment and data management tasks, eliminating unauthorized access, running cyberthreat hunting routines, ensuring credential management for endpoints, and running penetration tests on a regular or on-demand basis. These are all good justifications for considering the implementation of RPA.

Product Features and Capabilities

Understanding the features and challenges of different RPA products can aid in the preparation of product and vendor discussions. There are many RPA products that the customer can review via vendor demonstrations once the requirements have been identified and the intended use understood. RPA products have desirable features and problem areas that can be categorized by management, pricing, deployment, operations, security, interfaces, usage, development, support and training (figure 2).

Figure 2

There are many vendors that sell RPA software and their capabilities vary; therefore, it can be helpful to review vendor comparison reports.4, 5, 6, 7

Choosing the most suitable RPA product is an important step toward the implementation of RPA. Suitability is dependent on many factors including network infrastructure, cost, vendor support, product capabilities and intended use.

Network infrastructures can be a single platform or a hybrid environment depending on the operating system, custom vendor products and programmer skills. Costs can vary due to the number and location of devices involved, and vendor support can be comprehensive, partial or nonexistent depending on the contractual agreement. Product capabilities may also be limited by the vendor depending on product maturity and vendor market focus. Intended use is driven by the benefits sought.

Once the selection parameters have been decided, it is helpful to ask vendors to explain and demonstrate their products. Then it is useful to do a vendor comparison, write a cost-benefit report and make a management presentation.

RPA Business Applications

There are many uses for RPA including in finance, retail and manufacturing.

An example of RPA use in the financial environment is the processing of insurance claims to expedite claim verification and data extraction from diverse formats. Banking applications can use RPA for financial statement processing and merging, bank statement reconciliation, daily profit-and-loss statement preparation, loan processing suitability investigation and audit record compilation.

Retail business uses of RPA include updating orders, sending processing notifications to customers, shipping products and tracking shipments. The manufacturing industry uses RPA for supply chain processes such as handling billing for materials, providing customer services and support, reporting, data migration and robotics. Matching invoices to general ledger accounts is another common application.

Utility enterprises that provide electric, water and communications can automate payments and customer service inquiries. Monitoring telecommunications connectivity, issuing refunds, sending emails and updating device configurations are other examples in the technology industry.

Applications that can be automated and are common to many industries include data extraction, validation, compilation, reformatting/migration and processing, and report generation and distribution. RPA applications are capable of opening emails and attachments, which can reduce time and effort but increase the risk of unleashing a hidden malicious virus. Logging in to apps can save time via automation but introduce a risk of unauthorized behavior because of the elevated access privileges used. Moving files and folders to automate tedious tasks is a benefit, but it can introduce the risk of harming the application environment if sufficient testing is not performed. Automating reading and writing to databases and connecting to application program interfaces (APIs) can allow for malicious and unauthorized activities if controls are not in place to test for these types of weaknesses and implement preventive controls.

These are just a sampling of applications and risk that should be considered when determining use.

Internal Risk

As expected, there is security risk associated with RPA. The risk is related to access, disclosure of sensitive information and staff performance.

Access
RPA C&C software applications can pose internal risk to organizations because they require privileged access to multiple systems across the network infrastructure, and they are capable of copying and pasting information from one process step (i.e., database) to another. It is common for access credentials to be hard-coded into scripts or rules-based processes, and they are often shared, unchanged and unsecured. If processes are not monitored, bad actors may be able to establish a backdoor to gain access and conduct malicious activity, such as installing and implementing ransomware.

Disclosure
Disclosure of confidential information about an organization and its operations—such as financial information, marketing campaigns, planned initiatives or other private content—can cause considerable harm to an enterprise. Therefore, it is essential for organizations and those that support the RPA environment (i.e., system owners, system administrators, developers) to be aware of the privileges granted and the data obtained and handled.

Due Diligence
Irresponsible behavior of staff members—for example, failure to implement data encryption, use of unsecured passwords, improper account authorization and misuse of access—is another risk area that can cause irreparable harm to an organization if not controlled.

Governance activities should include regular audits along with periodic risk assessments and maintenance of the change management control environment.

Defensive Measures

Aside from continuously monitoring the RPA C&C center dashboard, there are many preventive and protective measures that can be taken to protect business systems, including implementation of better access controls, audits and change control to monitor for misuse and mismanagement.

Access Controls
Implementing access controls is an important component of RPA information security management. Controls include removing privileged credentials from scripts and other unsecured environments and storing them in a centralized, encrypted location (e.g., a password vault). Bot (i.e., RPA program or script) access should be limited according to the principle of least privilege, with privileged access granted only to the specific applications that need it to perform their tasks. Automated access should be limited to read-only wherever possible, and privileged session management should be enabled to prevent unauthorized changes to data and script files and guard against abuse and fraud.

Automatically rotating credentials at regular intervals according to organization policies helps to limit access. Authenticating individual robots/processes before serving up credentials ensures accountability. It is advisable to secure the RPA C&C center console by managing the credentials leveraged by the RPA administrators to isolate and monitor activity and suspend or terminate suspicious sessions, thus minimizing the risk of unauthorized access and processing.

Audits
A protective measure that can be implemented via network and system configuration is to establish an audit trail of administrator/privileged account activity to ensure accountability and to support forensic investigations. Accountability for robot routines can be ensured by assigning a unique identity to each RPA bot (and process) and by frequently rotating bot credentials.

Operationally, it is important to protect the integrity of the system by ensuring the RPA product provides comprehensive audit capabilities. Governance activities should include regular audits along with periodic risk assessments and maintenance of the change management control environment.

Change Control
To ensure that RPA developed and implemented routines have not been maliciously changed, it is advisable to implement review and change control for RPA scripts. Prior to production implementation, the RPA C&C center software should be tested in a sandbox to determine if it is performing unauthorized or hidden tasks such as data exfiltration or communications with external sites.

Management
Agreements should be established concerning the purpose, use, access and processing requirements of each bot/program in use. Having a bot inventory and conducting individual and regular audits of the bots should be required to ensure accountability.

Conclusion

RPA has evolved from simple task automation to a system that can provide great benefits when implemented securely. Only by determining the business uses, evaluating the products available, and eliminating as much risk as possible can the benefits be gained.

Endnotes

1 Toor, H.; “Robotic Process Automation for Internal Audit,” ISACA® Journal, vol. 6, 2020, http://h04.v6pu.com/archives
2 Wlosinski, L.; “Understanding and Managing the Artificial Intelligence Threat,” ISACA Journal vol. 1, 2020, http://h04.v6pu.com/archives
3 Dilmegani, C.; “Ultimate Guide on RPA for Cybersecurity With Top Seven Use Cases,” 24 August 2022, http://research.aimultiple.com/rpa-cybersecurity/
4 UiPath, “Top 10 UiPath RPA Alternatives and Competitors,” http://www.g2.com/products/uipath-rpa-robotic-process-automation/competitors/alternatives
5 aiTechPark, “Top RPS Companies in the World,” 2 December 2021, http://ai-techpark.com/top-rpa-companies-in-the-world/
6 Maguire, J.; “Top 15 Robotic Process Automation (RPA) Companies,” Datamation, 11 May 2020, http://www.datamation.com/artificial-intelligence/top-15-robotic-process-automation-rpa-companies/
7 Software Testing Help, “10 Most Popular Robotic Process Automation RPA Tools in 2022,” 5 December 2022, http://www.softwaretestinghelp.com/robotic-process-automation-tools/

LARRY G. WLOSINSKI | CISA, CRISC, CISM, CDPSE, CAP, CBCP, CCSP, CDP, CIPM, CISSP, ITIL V3, PMP

Is a senior consultant at Coalfire Federal. He has more than 23 years of experience in IT security and privacy and has spoken at US government and professional conferences on these topics. He has written numerous magazine and newspaper articles, reviewed various ISACA® publications and written questions for a variety of information security examinations.