Robotic process automation helps FMs do more with less, but attention must be paid to the risks. Thomas Fikentscher outlines the technology and necessary security measures.
Robotic process automation stands to have a transformative effect on facilities management. To drive the greatest impact, proper attention must be paid to the security considerations that come with handing over tasks to software bots.
In facilities management today, changing business processes and the demands of digital transformation coupled with the growth in data points and global regulatory requirements make for a complex environment. Without expanded budgets or head count, more needs to be done with less.
To address these challenges, enterprises (within their facilities) are deploying robotic process automation. It is one of the key technologies fuelling digital transformation, driving automation across many processes and even challenging conventional thinking.
It involves the deployment of software bots to perform routine, repetitive tasks; thus it frees up time and resources that can be assigned to other higher value, critical roles. Bots can be deployed to process data, perform calculations, scrape social media, handle file and folder tasks and carry out workflows. As the basis for deploying more sophisticated digital management applications, RPA can enable machine learning to augment human decision making and undertake more complex tasks.
In FM, in particular, software bots can be tasked with scheduling FM activities, processing billing of utilities, monitoring utilities consumption, creating inventory lists and managing security access. Robotic process automation has the power to have a transformative impact, increasing efficiency, improving productivity metrics and enabling more sophisticated applications.
What is the risk in deploying robotic process automation in facilities management?
As enterprises deploy robotic process automation, enabling automated bots also provides new and attractive attack surfaces for exploitation. Given the number of bots that can be deployed across all areas of FM, it’s alarming to consider the scope for unsecured credentials to expand the attack vectors exponentially. This is why due consideration needs to be given to the essential security questions and vulnerabilities within the facilities.
Robotic process automation bots are often given access to a variety of highly sensitive business applications, and if a bot’s credentials can be obtained, the bot can be reprogrammed — potentially giving attackers enormous power. A robot tasked with processing invoices, for example, could be reprogrammed to send payments to an attacker.
The privileges assigned to software bots, if compromised by attackers, can also enable virtual intruders to move laterally, expanding their attack into potentially vast layers of networks. Where RPA credentials are managed manually, because of a lack of suitable tools or convenience, oftentimes the same credentials enable access to multiple systems – widening the scope for attackers.
How to mitigate the risks
There are proven ways to approach security when handing over certain tasks and workflows to software bots. From the outset, implementing privileged access management controls directly into the RPA workflows and processes creates a secure, centralised home for managing access credentials.
Bots should be granted access only to the specific applications required to perform their tasks, with privileged access management solutions used to safeguard robotic process automation administrative accounts. Robotic process automation administrative sessions should also be isolated and monitored. It’s also vital to establish secure connections and place time limits on access permissions.
Furthermore, a robotic process automation system needs consistent, traceable identity security policies such as automatically rotating privileged credentials at regular intervals or on demand to reduce security vulnerabilities and mitigate risk. Consequently, integrating robotic process automation with security solutions can ensure privileged, secure access management.
Utilising a unique account for every target system that a software bot needs to access eliminates the risk from having the bot access credentials from the application’s server. In this case, if there is a breach, it will be confined to that system and prevented from becoming a gateway to deeper system access.
To protect credentials, it’s advisable to store them in an encrypted vault from which the software bots request and retrieve them each session. Along with driving automation security awareness across the enterprise, this mitigates the risk of credential-based attacks.
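The controls above can be checked against an inventory of bot credentials. The following is an added example, not code from the article or from any vendor: the inventory rows, bot and account names, field names and the 30-day rotation threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample inventory; bots, systems and accounts are hypothetical.
INVENTORY = [
    {"bot": "invoice-bot", "system": "erp", "account": "svc-rpa", "source": "vault",
     "last_rotated": date(2024, 5, 20), "access_expires": date(2024, 6, 30)},
    {"bot": "invoice-bot", "system": "banking-portal", "account": "svc-rpa", "source": "vault",
     "last_rotated": date(2024, 5, 20), "access_expires": date(2024, 6, 30)},
    {"bot": "utility-meter-bot", "system": "bms", "account": "svc-meter-bms", "source": "script",
     "last_rotated": date(2023, 11, 1), "access_expires": None},
    {"bot": "scheduler-bot", "system": "cafm", "account": "svc-sched-cafm", "source": "vault",
     "last_rotated": date(2024, 5, 28), "access_expires": date(2024, 7, 1)},
]

MAX_ROTATION_AGE_DAYS = 30  # assumed policy value, not taken from the article


def audit(inventory, today):
    """Return sorted (account, finding) pairs for the controls listed above."""
    findings = set()
    systems_by_account = defaultdict(set)
    for row in inventory:
        systems_by_account[row["account"]].add(row["system"])
    for row in inventory:
        acct = row["account"]
        # Unique account per target system: a shared one widens a breach.
        if len(systems_by_account[acct]) > 1:
            findings.add((acct, "shared-across-systems"))
        # Credentials should be requested from the vault each session.
        if row["source"] != "vault":
            findings.add((acct, "stored-outside-vault"))
        # Privileged credentials should be rotated at regular intervals.
        if (today - row["last_rotated"]).days > MAX_ROTATION_AGE_DAYS:
            findings.add((acct, "rotation-overdue"))
        # Access permissions should carry a time limit.
        if row["access_expires"] is None:
            findings.add((acct, "no-access-expiry"))
    return sorted(findings)


if __name__ == "__main__":
    for account, finding in audit(INVENTORY, date(2024, 6, 1)):
        print(f"{account}: {finding}")
```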
While robotic process automation is a promising solution to many of the challenges facing facilities management, it should not enable new threat vectors. Integrating security considerations as part of any robotic process automation undertaking is vital to gain the benefits of innovation without compromising security.
Thomas Fikentscher is the regional director ANZ at CyberArk.