Integration scenarios are in the RPA context very important. Here I would like to look in particular at the use of execution platform capabilities, the bots. In our automation workflows we are free to use e.g. VBScript or PowerShell. Also we can use any software via the Invoke Process activity, e.g. CMD with a batch file. However, this freedom also includes responsibility.
In the course of the RPA operation we are responsible for the safety of the automation process. This means that we ensure that the automation workflow only does what it is supposed to do, not more or other things. However, the integration scenarios mentioned above provide opportunities to manipulate automation workflows, after they have been deloyed.
An example: My automation workflow contains an Invoke Process activity which calls CMD with a batch file from a network drive. The network drive and the files it contains are available to every colleague and can be modified as desired, it can also change at will. Operating system commands could be executed on this way. This could change the automation workflow. The use of this kind of integration scenarios contains a high risk potential.
Here an interesting view to a knowledge base of adversary tactics and techniques based on real-world observations.
Moreover, this kind of approach is also completely out of the control of the RPA platform. We know only start and end, but what happens in between is beyond “our knowledge”.
Here are some points to mitigate this risk:
- Prohibition of the use of fixed paths.
- All files, e.g. like VBS, PS1, BAT or CMD, must be part of the automation package.
- Automatic integrity checking of the automation package, keyword signature.
- Use of the four-eyes principle in the development of the automation workflow.
- Useful dismantling of the integration scenario into single components, so that the RPA control can also reflect a realistic overview.
- If it is not a too high effort, migration of the integration scenario into activities of the automation workflow.
Do you know any more points?
Also I think the items 1. and 2. of the above list can be realized as custom rules in the Workflow Analyzer. Have you already implemented corresponding rules?
Let us talk to look at this perspective more intensively.