My motivation for writing an article on robotic process automation (RPA) came from an information security assessment I was doing for a customer. As I reviewed the system (that was acquired from a vendor) it occurred to me that it had features of a malicious botnet command and control tool, but it was used internally to ensure that software scripts were continuously running.
I consider myself a white hat warrior, but I realized that this product came from a progressive thinker who could market it to both commercial businesses and black hat actors. To that end, the originator/developer of this RPA product could be labeled a gray hat because they could market software products to good businesses and bad/criminal enterprises.
My concern with RPA products used by businesses is that they contain software scripts that run at an administrator level and can access many parts (i.e., components and systems) of the organization’s IT infrastructure. If malicious scripts were inserted into an RPA and deceptively labeled, they could affect the organization (and even personal privacy) for a long period of time. The scripts could be used to extract, modify and delete data, plant malicious software (i.e., bots) on many types of devices without customer knowledge, and affect system log files by deleting their activities/tracks. They could even delete, corrupt and encrypt backup files. And the RPA product could contain hidden or disguised malware possible labelled as templates or examples.
To prevent these events, it is essential to review vendor-provided scripts and test the system in a contained environment before implementing it into production. In addition, deep-dive audits of the old and new scripts should be conducted on a regular basis. Verifying backups on a frequent schedule is another practice that can prevent catastrophes such as a ransomware event.
RPA is used in myriad business applications including the financial environment, retail businesses, utility enterprises and many other common uses. It is helpful to understand the benefits, capabilities, features, problem areas, and risks associated with RPA products, as well as defensive measures and safeguards,
Editor’s note: For further insights on this topic, read Larry Wlosinski’s recent Journal article, “RPA Is Evolving but Risk Still Exists,” , ISACA Journal, volume 2 2023.