Cyber Physical Systems Security Applied to Surgical Robotics

Gregory S. Lee∗
Mechanical Engineering, The University of Texas at Dallas, Richardson, TX 75080, USA

Bhavani Thuraisingham
Computer Science, The University of Texas at Dallas, Richardson, TX 75080, USA

Abstract
Next generation surgical robots capable of teleoperated surgery are being developed by the BioRobotics
Laboratory at the University of Washington and SRI International. Using these robots, surgeons may
perform surgery on patients at remote locations. The robots are being developed with the intended purpose
of being deployed to the battlefield to provide immediate medical assistance to injured soldiers by surgeons
in safe and remote locations. These two research groups have begun developing an open standard called
the Interoperable Telesurgery Protocol (ITP) which provides a standardized framework for communications
between the surgical robot and the surgical robot controller. A collaboration between the BioRobotics Lab
and The University of Texas at Dallas has been established to design and implement a security enhancement
for the surgical robot cyber physical system. The Advanced Encryption Standard (AES) algorithm enciphers
data exchanged between the surgical robot and surgical robot controller using the Transport Layer Security
(TLS) protocol for Transmission Control Protocol (TCP) packets and Datagram Transport Layer Security
(DTLS) protocol for User Datagram Protocol (UDP) packets. The controller and robot are authenticated
using X.509 certificates. Certificates also provide authorization levels for both robot and controller upon
which security policies governing the operation of the surgical robots are constructed. The Secure ITP
will facilitate the adoption of surgical robotics in military and civilian applications by providing security to
prevent adversarial intervention and provide Health Insurance Portability and Accountability Act (HIPAA)
compliance. The open source software package OpenSSL was used in the development.
Key words: Cyber Physical Systems, Security, Surgical Robotics

1. Introduction

Next generation surgical robots are under development at the University of Washington (UW) BioRobotics Laboratory (BRL) and at SRI International. Both surgical robot prototypes have been designed to be teleoperable. The projects focus on designing surgical robots capable of performing remotely controlled surgical tasks over great distances.

Previous surgical robots required the surgeon to be physically near the patient and relied on Minimally Invasive Surgery (MIS) techniques. The next generation surgical robots allow surgeons to control the robots from locations at great distances from the robots themselves over a variety of communications links, including the Internet, and even provide the ability to perform some open surgery techniques[1]. Both prototypes have been successfully deployed into the field and have performed simulated surgical tasks remotely. Remotely deployed surgical robots allow highly trained medical personnel to provide skilled care while remaining at a safe location. This capability will ultimately allow surgical robots to be deployed onto the battlefield to provide nearly immediate medical assistance to wounded soldiers. Such robots will also be used in civilian settings to allow surgeons to provide care for patients in underserved remote locations or in disaster areas.

∗ Principal corresponding author
Email addresses: leegs@utdallas.edu (Gregory S. Lee), bhavani.thuraisingham@utdallas.edu (Bhavani Thuraisingham)

Preprint submitted to Computer Standards & Interfaces, February 9, 2010

Figure 1: The software simulator uses the same code as the actual Raven Surgical Robot. The software simulator allows two Falcon haptic displays manufactured by Novint Incorporated to send position information over the network to the surgical robot, which displays the position of the robot on a different computer.

The BRL and SRI have established a collaboration to standardize communications between a surgical robot controller and a surgical robot, also called the master and slave. The standard, named the Interoperable Telesurgery Protocol (ITP), allows surgical robots to be operated interchangeably by different controllers[2]. The existence of such a protocol also simplifies the development of new controllers. Many surgical device and surgical robot researchers have entered the collaboration and adopted the standard, and an early version of the protocol has been tested among a number of surgical robot researchers[3].

Security must be applied to these robots before they can be used to perform telesurgery. Surgical robots fit the definition of a Cyber Physical System, a class of device identified by the Department of Homeland Security as under-secured. The University of Texas at Dallas (UTD) and the BRL have begun a collaboration to develop a security enhancement to the ITP, the Secure ITP, to address these issues at an early stage of development. This development has used a software simulation based on the actual code base of the Raven Surgical Robot[4]. (See Figure 1.) Four areas have been addressed in this preliminary Secure ITP standard: authentication, authorization, encryption, and basic policy development and enforcement.

The Secure ITP uses X.509 Version 3 certificates to authenticate both the master and slave equipment of the surgical robot. The Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) protocols use these certificates, the public keys they contain and other available information to negotiate a secure connection, including the sharing of keys used to encipher and decipher information¹. Once both the master and slave have agreed on a cipher key, the communications between them are enciphered using the Advanced Encryption Standard (AES) algorithm. These are the protocols used by secure web servers, which protect countless Internet-based transactions daily.

¹ Diffie-Hellman parameters create shared secret cipher keys between a client and a server that are unique to each session.

2. Background

Surgical robots, such as the daVinci® by Intuitive Surgical Incorporated, are being used for a growing number of surgeries. These robots allow surgeons to perform MIS by providing robotic arms which a surgeon controls from a console. Surgeons perform MIS using the daVinci surgical robot on patients in a manner that reduces fatigue because the robotic system provides a standardized and ergonomic interface from which the surgeons may control the surgical robot. The arms of the surgical robot may then be placed in whatever configuration is necessary to manipulate the tissues and structures of a patient. These robotic arms can hold the surgical tools in configurations impossible for a human surgeon to reach, thereby allowing surgeons to perform procedures which were previously impossible. In fact, current surgical robots even allow surgeons to use more complex and dexterous tools than are available for non-robotic MIS surgery.

The surgical controller station allows surgeons to perform surgery from a standardized and comfortable control station. This allows a surgeon to manipulate tissue through input to the controller and based on information viewed on a monitor. This abstracts surgery to the point that it becomes an exchange of information between the surgeon and robot through the surgical robot instrument[5]. This abstraction renders the physical location of the surgeon virtually irrelevant[5]. As a result, teleoperated surgical robots have become the focus of next generation development to the point that robotic surgery and telesurgery have become nearly synonymous. The focus of many of the development
efforts is designing a surgical robot capable of being deployed to a battlefield. This is one of the many elements of the DARPA TraumaPod Project[6]. Such a medical presence on the battlefield will provide even quicker and more highly trained medical assistance to injured soldiers while simultaneously keeping medical personnel in a safe location.

Teleoperated surgical robots will one day benefit civilian medicine by allowing highly specialized surgeons to intervene where typically they could not, or by allowing groups of surgeons to provide care in disaster areas without detracting from other aid services. The usability of telesurgery, however, depends not only on the design of the robot mechanism and timely communications, but on the ability to exchange information with the surgical robot in a safe and secure fashion.

Current surgical robots approved by the United States Food and Drug Administration for surgery on humans have been adapted for telesurgery, but only in rare, specialized and dedicated instances[7]. Without special adaptation these surgical robots require surgeons to be located physically near the patient during the surgery. Next generation surgical robots aim to provide the ability to perform telesurgery using robots over a generic communications link. They are specifically designed to allow the master and slave to be placed in arbitrary geographic locations and to communicate over everything from dedicated private communications networks to the public Internet².

² Many other factors such as distance, delay, etc. also govern these abilities, however.

The BRL at the University of Washington has developed a next generation surgical robot prototype named the Raven[8]. The design of this new surgical robot leverages measurements collected by BRL researchers from surgeons performing surgical techniques using instrumented tools[9]. The measurements resulted in a surgical robot system that was specifically designed to perform well over the dexterous workspace of a surgeon and to be capable of the necessary force output applied by surgeons, while also minimizing many physical properties of the robotic arm.

SRI International has also developed a next generation surgical robot, known as the M7³. The M7 is also a surgical robot of greatly reduced size compared to the daVinci surgical robot. Both the M7 and daVinci surgical robots have been controlled over dedicated communications networks and the public Internet by surgeons using a master controller located hundreds and thousands of miles away from the surgical robot[10, 6].

³ SRI International developed the daVinci and formed Intuitive Surgical Incorporated to commercialize the technology.

Both projects have begun collaboratively developing a communications standard for exchanging information between the master and slave of the surgical robot, called the Interoperable Telesurgery Protocol (ITP). The specification details how the master and slave components communicate and provides the ability for masters and slaves to be operated interchangeably and developed independently of the surgical robot platforms themselves. The protocol is relatively new and still under development; however, a number of other surgical robot developers have adopted the protocol and a preliminary test of interoperability has taken place[3].

The ITP focuses on device operation and interoperability. No specifications have addressed securing the communications or the design of security policies necessary for telesurgery using surgical robots. The ITP does not validate or verify information being sent or received beyond a checksum, which detects accidental corruption but not deliberate modification. Also, the protocol only includes the control of the robot; the streaming of video is currently handled separately.

Cyber physical systems, like surgical robots, have been identified by the Department of Homeland Security as a class of device which should be developed to be secure from the early stages of development. The research conducted at the BRL and at SRI has the stated purpose of developing a surgical robot capable of being deployed to the battlefield. The nature of such an environment necessitates a safe, secure and resilient communications channel. As non-military adoption of teleoperated surgical robots increases, many other rules and guidelines become applicable. Besides the integrity of the communications channels, the privacy of the information traveling between the surgeon and the surgical environment falls under the Health Insurance Portability and Accountability Act (HIPAA), which mandates protection of this type of information. All of these concerns must be addressed as surgical robotics standards are being developed.
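The integrity gap noted above (the ITP checks nothing beyond a checksum) is worth seeing concretely. The following shell script is an added example, not code from the paper or from the ITP implementation. It puts the receiver's checksum test beside a keyed tag of the kind TLS and DTLS record protection provide, and shows that an on-path attacker who rewrites a command defeats the first and not the second. The command layout, field names and session key are constructed for illustration; the real ITP wire format is not given in the paper.

```shell
#!/bin/sh
# Added example; not code from the paper or from the ITP implementation.
# Unkeyed checksum (the ITP's situation) versus a keyed MAC (what TLS/DTLS
# record protection gives you) against a modified command. The message
# layout, field names and KEY are constructed for illustration only.

# Unkeyed integrity tag: the POSIX cksum CRC.
crc_tag() { printf '%s' "$1" | cksum | cut -d' ' -f1; }

# Keyed tag: HMAC-SHA256 under a per-session secret, via the openssl CLI.
hmac_tag() { printf '%s' "$2" | openssl dgst -sha256 -hmac "$1" | sed 's/^.*= //'; }

# Receiver-side acceptance tests: exit status 0 = accept, 1 = reject.
accept_crc()  { [ "$(crc_tag "$1")" = "$2" ]; }
accept_hmac() { [ "$(hmac_tag "$1" "$2")" = "$3" ]; }

# Constructed command datagram from master to slave (assumed layout):
# move instrument arm 0 to the given position in millimetres.
MSG='seq=1042 arm=0 x=12.50 y=-3.25 z=40.00'
# Assumed per-session secret. In the Secure ITP this role is played by the
# keys that TLS/DTLS derive during the handshake.
KEY='session-key-from-tls-handshake'
# What an on-path attacker substitutes: the same command with z driven to 90 mm.
EVIL='seq=1042 arm=0 x=12.50 y=-3.25 z=90.00'

# Against the checksum the attacker simply recomputes the CRC for the
# modified message, so the receiver accepts it.
forge_against_crc() {
  if accept_crc "$EVIL" "$(crc_tag "$EVIL")"; then echo accepted; else echo rejected; fi
}

# Against the keyed tag the attacker lacks KEY and can only replay the tag
# that protected the genuine message, which does not match the forgery.
forge_against_hmac() {
  if accept_hmac "$KEY" "$EVIL" "$(hmac_tag "$KEY" "$MSG")"; then echo accepted; else echo rejected; fi
}

# The genuine message still verifies under the keyed tag.
genuine_against_hmac() {
  if accept_hmac "$KEY" "$MSG" "$(hmac_tag "$KEY" "$MSG")"; then echo accepted; else echo rejected; fi
}
```

Running `forge_against_crc` prints `accepted` and `forge_against_hmac` prints `rejected`; `genuine_against_hmac` prints `accepted`. This is the difference the Secure ITP buys by moving the channels under TLS and DTLS: every record carries a tag keyed with handshake-derived secrets (or is protected by an AEAD mode), so the 1 ms command stream cannot be altered in flight without detection, which a checksum cannot promise.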
3. Project Description

The Secure Interoperable Telesurgery Protocol (Secure ITP) uses the OpenSSL open source software package. This package provides tools for authentication, authorization, encryption and secure communications. These tools facilitate the application of several well established protocols to the security enhancement of the surgical robot. The Secure ITP expands the specifications described in the ITP standard without affecting the implementation of the ITP itself. The Secure ITP does not alter the information transmitted via the basic ITP, which only deals with robotics information. It provides a safe and secure way to communicate that data as well as a framework for developing security policies and enforcement methods. Digital information described in the ITP standard is now packaged inside the Secure ITP using the External Data Representation (XDR) standard for transmission. This process, likely to be adopted by the ITP standard, allows for easier development across different computer architectures.

Figure 2: Communications between the master and slave happen over two channels. The first channel uses TCP packets, while the other channel uses UDP packets.

3.1. Communications

The ITP specifies two communications channels between the surgical robot master and slave. The first is a supervisory channel. This channel requires that all communications reach the destination, but is tolerant of some delay. For this reason, the channel uses Transmission Control Protocol (TCP) packets. The second channel is used to exchange the commanded inputs from the master and the information output from the slave. This channel must transmit data every millisecond with minimal delay, but is resilient to imperfect packet delivery. It uses User Datagram Protocol (UDP) packets.

TLS is a widely adopted protocol used for secure communication and is the method suggested by the National Institute of Standards and Technology (NIST) for the best security[11]. This is the protocol web servers and clients use to securely exchange web pages. TLS is a secure communications protocol based on a TCP connection. A version of TLS has been developed for connectionless UDP communications links and is called Datagram TLS (DTLS). These protocols allow the surgical robot master and slave to securely communicate and pass information as described by the ITP. (See Figure 2.)

The TLS and DTLS specifications allow for the choice of many cipher algorithms to encipher and decipher the exchanged data. The Secure ITP specifies the use of the Advanced Encryption Standard (AES) to encipher and decipher information exchanged between the master and slave. Because TLS negotiates the cipher suite between the two endpoints, this choice is only enforced if both master and slave are configured to offer AES suites exclusively. The National Security Agency has published a policy that all key lengths specified in the published AES standard (128, 192, and 256 bits) may be used to protect information classified up to and including the level of SECRET, and key lengths of 192 and 256 bits are adequate to protect information classified up to and including TOP SECRET[12]. Enciphering the communications between the surgical master and slave using AES protects the data to a degree commensurate with both military adversarial environments and civil environments.

The final selection of key length for the communications will depend on whether communications using 256-bit AES keys can be maintained without impacting the ability of the system to perform other necessary computations within the strict timing requirements for surgical robots. However, preliminary measurements indicate the required performance may be met using 256-bit keys on currently available consumer grade desktop computers. The option to encipher streaming video feeds at all bit depths will be retained.

3.2. Authentication

The TLS and DTLS protocols use X.509 certificates to authenticate the certificate bearer. TLS is the same protocol that web servers now use to implement secure HTTP communications (HTTPS). It is a well tested and documented standard widely adopted across the Internet. DTLS is a variant of TLS designed for UDP communications. In the surgical robot Secure ITP specification, both parties to the communications must present certificates. The master and slave exchange certificates to verify the authenticity of the other party.
X.509 certificates contain information about the certificate holder. A Certificate Authority (CA) digitally signs a certificate to verify the authenticity of the certificate and also to prevent altering the contents of the certificate. A root certificate issued by the CA is distributed to all devices prior to deployment and is used to verify the digital signatures which the master and slave certificates contain. Authentication can be established by the presentation of a certificate which contains a valid digital signature, as determined using a root certificate from the CA. These root certificates will be included on all surgical robot devices.

The Secure ITP development included creating a private CA which issues certificates used to authenticate and authorize the master and slave devices of the surgical robot. The information the X.509 certificates contain will provide much of the information necessary to begin developing higher level security policies for surgical robotics.

Figure 3: Both the master and slave devices present a certificate to the other device for authentication and authorization purposes. Once the certificates are authenticated, the authorization levels which they contain are used to implement security policies.

3.3. Authorization

Version three of the X.509 certificate specification provides certificate extensions. These extensions may be used to add custom fields to the certificate. These custom fields allow specific properties associated with a device to be included in the certificate and are used to establish an authorization level for the equipment. For example, the certificate presented by a master to the slave includes an authorization level for the master, and vice versa. Operations will only proceed when the authorization levels for the devices are compatible. Preliminary authorization levels which exist at this time include MAINTENANCE, NON-SURGICAL, NON-HUMAN, HUMAN, and OVERRIDE to indicate the acceptable uses for the identified device. (See Figure 3.) The level is trustworthy only because it sits inside the CA-signed certificate: a level carried by a certificate that fails validation against the root must be ignored, so the authentication step has to succeed before the level is read.

Authorization levels are critical for the safe operation of surgical robots; however, enforcement must also be implemented. Policies and enforcement exist only as proof of concept at this time. Authentication, authorization and policy development and enforcement are all necessary for the development of useful security. The authentication and authorization process used for masters and slaves is being applied to surgeons and patients also.

4. Conclusion

The University of Texas at Dallas and the University of Washington have established a collaboration to implement security around the Interoperable Telesurgery Protocol to provide security for surgical robotics.

Version three of the X.509 certificate standard has been used to securely authenticate both the master and the slave equipment for a surgical robot. Communications have been secured using the AES cipher via the TLS and DTLS communication protocols. The certificate extensions available in the X.509 certificate have allowed an authorization level to be included in both the master and slave certificates. These levels provide a foundation on which the development of early security policies and enforcement has begun.

This initial development of the Secure ITP protects communications between the master and slave and provides a way to keep the surgical robot and master from being accessed in unauthorized ways or used by unauthorized parties, and prevents interception or alteration of communications. Further development of the Secure ITP will expand to include a means to authenticate other parties associated with the device, such as the surgeon (device clearances, procedure clearances) and patient (non-human, human, procedure, blood type), and to provide an authorization level for that party.
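As a worked illustration of the certificate machinery of Sections 3.2 and 3.3, the following shell script is an added example, not the Secure ITP implementation and not code from the paper. It uses the openssl command line, as the project used the OpenSSL package: it creates a private CA, issues master and slave certificates whose X.509 v3 extension carries an authorization level, validates each certificate against the deployed root, and only then compares the levels. The private-enterprise OID 1.3.6.1.4.1.55555.1 for the level extension, the device names, the RSA-2048 keys, and the compatibility rule (equal levels, or a master holding OVERRIDE) are assumptions; the paper lists the levels but does not define the rule.

```shell
#!/bin/sh
# Added example: not the Secure ITP implementation and not code from the
# paper. It reproduces the certificate machinery of Sections 3.2 and 3.3
# with the openssl command line: a private CA, master and slave certificates
# carrying an authorization level in an X.509 v3 extension, chain validation
# against the deployed root, and a level-compatibility gate that runs only
# after validation succeeds.
# Assumptions: the private-enterprise OID below for the level extension, the
# device names, RSA-2048 keys, and the compatibility rule (the paper lists
# the levels but does not define the rule).

LEVEL_OID=1.3.6.1.4.1.55555.1   # assumed OID for the authorization level

# issue_ca DIR NAME: self-signed root certificate for the private CA.
issue_ca() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' > "$1/$2.ext"
  openssl x509 -req -sha256 -days 30 -in "$1/$2.csr" -signkey "$1/$2.key" \
    -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

# issue_device DIR CA NAME LEVEL: CA-signed end-entity certificate usable on
# either side of TLS/DTLS, with the level in the custom extension.
issue_device() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$3" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
  printf '%s\n' 'basicConstraints=CA:FALSE' \
    'keyUsage=digitalSignature,keyEncipherment' \
    'extendedKeyUsage=clientAuth,serverAuth' \
    "$LEVEL_OID=ASN1:UTF8String:$4" > "$1/$3.ext"
  openssl x509 -req -sha256 -days 30 -in "$1/$3.csr" \
    -CA "$1/$2.crt" -CAkey "$1/$2.key" -CAcreateserial \
    -extfile "$1/$3.ext" -out "$1/$3.crt" 2>/dev/null
}

# authenticate DIR CA NAME: does the certificate chain to the deployed root?
authenticate() {
  openssl verify -CAfile "$1/$2.crt" "$1/$3.crt" 2>/dev/null | grep -q ': OK$'
}

# level_of DIR NAME: read the level back out of the certificate. openssl
# prints an unknown extension as raw bytes with the UTF8String tag and
# length shown as '.', so keep only the level's own characters.
level_of() {
  openssl x509 -in "$1/$2.crt" -noout -text | sed -n "/$LEVEL_OID/{n;p;}" | tr -cd 'A-Z-'
}

# compatible MASTER_LEVEL SLAVE_LEVEL: assumed rule, not the paper's.
# Equal levels match; a master holding OVERRIDE may drive any slave.
compatible() { [ "$1" = "$2" ] || [ "$1" = OVERRIDE ]; }

# authorize DIR CA MASTER SLAVE: the full gate. Both certificates must
# validate first; only then are the levels consulted.
authorize() {
  authenticate "$1" "$2" "$3" && authenticate "$1" "$2" "$4" ||
    { echo "deny: untrusted certificate"; return 1; }
  m=$(level_of "$1" "$3"); s=$(level_of "$1" "$4")
  if compatible "$m" "$s"; then
    echo "allow: master=$m slave=$s"
  else
    echo "deny: master=$m slave=$s"; return 1
  fi
}

# demo: returns 0 when every expected decision is made.
demo() {
  d=$(mktemp -d); trap "rm -rf '$d'" EXIT
  issue_ca "$d" itp-ca
  issue_device "$d" itp-ca master-01 HUMAN
  issue_device "$d" itp-ca slave-01 HUMAN
  issue_device "$d" itp-ca slave-02 NON-HUMAN
  # A second, untrusted CA issuing an OVERRIDE certificate: it must be
  # refused on validation, before its (maximal) level is ever read.
  issue_ca "$d" rogue-ca
  issue_device "$d" rogue-ca master-evil OVERRIDE
  authorize "$d" itp-ca master-01 slave-01 || return 1   # allow
  authorize "$d" itp-ca master-01 slave-02 && return 1   # deny: level mismatch
  authorize "$d" itp-ca master-evil slave-01 && return 1 # deny: unknown CA
  return 0
}
```

Running `demo` under sh returns 0 when the trusted HUMAN/HUMAN pair is allowed, the HUMAN/NON-HUMAN pair is denied on level mismatch, and the OVERRIDE certificate from the rogue CA is refused before its level is read. In a deployment the extension would be read from the peer certificate that the TLS or DTLS handshake presented rather than from a file, and the CA signing key would live off every robot and controller: only the root certificate is distributed to the devices, as Section 3.2 describes.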
Higher level security policies governing the overall function of the surgical robot must also be developed. These higher level policies must provide predictable, safe, and secure transitions between different modes of operation of the surgical robot as well as graceful failure and recovery. These policies must extend the safety and security present in a modern operating room through the communications link to the remote surgical environment, and they must do so without adding to the workload of the surgeon.

The Department of Homeland Security also recognizes the need to develop security measures for cyber physical systems concurrently with the earliest phase of device development[13]. The development of the security enhancements for telesurgery concurrently with the design of the Interoperable Telesurgery Protocol directly addresses this need, and also allows for better overall design and easier implementation of the security protocols, policies and enforcement methods. The need to secure communications transmitted through the Internet or any public medium has proven necessary many times over in countless other applications and is all the more vital for surgical information. The OpenSSL software package provided access to the publicly tested and accepted protocols used to provide security for network based communication for telesurgery.

Acknowledgments

This research was supported by funds from the Erik Jonsson School of Engineering and the Department of Computer Science at The University of Texas at Dallas.

The authors wish to thank Professor Blake Hannaford and Hawkeye King from the BioRobotics Laboratory at the University of Washington.

References

[1] G. Sankaranarayanan, H. King, S.-Y. Ko, M. J. H. Lum, D. C. W. Friedman, J. Rosen, B. Hannaford, Portable surgery master station for mobile robotic telesurgery, in: RoboComm '07: Proceedings of the 1st International Conference on Robot Communication and Coordination, IEEE Press, Piscataway, NJ, USA, 1–8, 2007.
[2] B. Hannaford, T. Low, Interoperable Telesurgery Protocol (ITP) Version 0.44, 2009.
[3] H. King, B. Hannaford, Breaking the Interoperability Barrier through Emerging Standards in Teleoperation, http://brl.ee.washington.edu/Research_Active/Interoperability/images/0/04/PlugfestWhitepaper.pdf, 2009.
[4] G. S. Lee, B. Thuraisingham, Secure Surgical Haptics and Robotics: The Raven Test Platform, Tech. Rep., The University of Texas at Dallas, 2008.
[5] R. M. Satava, How the Future of Surgery is Changing: Robotics, Telesurgery, Surgical Simulators and Other Advanced Technologies, Tech. Rep., University of Washington Medical Center, 2006.
[6] P. Garcia, J. Rosen, C. Kapoor, M. Noakes, G. Elber, M. Treat, M. Hanson, J. Manak, C. Hasser, D. Rohler, R. Satava, Trauma pod: a semi-automated telerobotic surgical system, International Journal of Medical Robotics and Computer Assisted Surgery 5 (2) (2009) 136–46.
[7] J. Marescaux, J. Leroy, M. Gagner, F. Rubino, D. Mutter, M. Vix, S. E. Butner, M. K. Smith, Transatlantic robot-assisted telesurgery, Nature.
[8] M. Lum, D. Friedman, J. Rosen, G. Sankaranarayanan, H. King, K. Fodero, R. Leuschke, M. Sinanan, B. Hannaford, The RAVEN - Design and Validation of a Telesurgery System, International Journal of Robotics Research.
[9] M. Lum, J. Rosen, M. Sinanan, B. Hannaford, Optimization of a spherical mechanism for a minimally invasive surgical robot: theoretical and experimental approaches, IEEE Transactions on Biomedical Engineering 53 (7) (2006) 1440–1445.
[10] J. Rosen, B. Hannaford, Doc at a Distance, IEEE Spectrum 43 (10) (2006) 34–39.
[11] T. Dierks, E. Rescorla, RFC 5246: The Transport Layer Security Protocol Version 1.2, http://tools.ietf.org/html/rfc5246, 2008.
[12] National Security Agency, National Policy on the Use of the Advanced Encryption Standard (AES) to Protect National Security Systems and National Security Information, http://www.cnss.gov/Assets/pdf/cnssp_15_fs.pdf, 2003.
[13] Workshop on Future Directions in Cyber-physical Systems Security, Department of Homeland Security, 2009.
