V1.1 | 2020-10-21 @VectorVCS Cybersecurity and Penetration Testing for Medical Systems Christof Ebert and Ruschil Ray, MedConf 2020
© 2020. Vector Consulting Services GmbH. All rights reserved. Any distribution or copying is subject to prior written approval by Vector. V1.1 | 2020-10-21
Agenda
1. Welcome
2. Medical Cybersecurity and PenTest
3. Case Study: Implantable Insulin Pump
4. Outlook
Why Vector Consulting Services? | Welcome
Transport
Automotive
Aerospace
Medical
Digital Transformation
IT & Finance
Vector Group is a global market leader in automotive software, services and engineering tools with over 3,300 employees
Vector Consulting Services is supporting clients worldwide
Transformation
> Agile Transformation, SPICE
> Cost reduction
Trust
> Safety and Cybersecurity
> Test Methods, PenTest, Supplier Audits
Technology
> Architecture support, e.g. AUTOSAR
> Life-cycle methods, e.g. PREEvision
Training
> Training, Coaching, Certification
> Corporate Competence Programs
www.vector.com/consulting
Industry Trends 2020: The New Normal Fuels a Vicious Circle | Welcome
Quality matters: Liability and Life-Cycle Cost
Vector Client Survey 2020. Details: www.vector.com/trends.
Horizontal axis shows short-term challenges; vertical axis shows mid-term challenges.
Sum > 300% due to 5 answers per question. Strong validity with 4% response rate of 2000 recipients from different industries worldwide.
Vicious circle: > cost pressure > lack of competences > less innovation and quality
[Figure: survey results by challenge: Innovative products; Competences and knowledge; Cost and efficiency; Flexibility; Distributed development; Complexity; Digital transformation; Quality; Others. Axis labels: Short-term Challenges and Long-term Challenges, each from 0% to 70%.]
Cyberattack Trends in Medical Domain | Medical Cybersecurity and PenTest
With the convergence of IoT and the medical domain, medical cybersecurity threats are increasing
• Comprehensive survey (2020): IMDs such as pacemakers, cardiac defibrillators and insulin pumps are most targeted.
• More traditional attacks on healthcare IT infrastructure are increasing fast.
Need for real-world V&V
• Increasing connectivity to the outside world needs real-world security verification and validation with a life-cycle approach, both effective and cost-efficient.
Klonoff, David, and Julia Han: The first recall of a diabetes device because of cybersecurity risks, Journal of Diabetes Science and Technology, 2019
Newaz, A. K. M., et al.: A Survey on Security and Privacy Issues in Modern Healthcare Systems: Attacks and Defenses, Cornell University, https://arxiv.org/abs/2005.07359, 2020
Casey Crane: 42 Cyber Attack Statistics by Year, Infosec Insights, https://sectigostore.com/blog/42-cyber-attack-statistics-by-year-a-look-at-the-last-decade/, 2020
[Figure: Targeted Medical Devices, with categories Non-invasive, Invasive and Active therapeutic; values shown: 41%, 37%, 22%]
[Figure: IoT Cyberattacks with > $1M losses; axis from 0 to 120]
[Figure: The First Recall of a Diabetes Device Because of Cybersecurity Risks]
State-of-the-Art Medical Security Practices | Medical Cybersecurity and PenTest
Cybersecurity Medical Standards
Year | Scope | Standard / Regulation | Focus Areas
2020 | International | ISO 24971: Application of risk management to medical devices | General requirements for risk management, post production activities
Progress | International | ISO / IEC 81001: Health software, health IT systems safety, effectiveness, security | Security across lifecycle of health systems
2019 | International | ISO 11633: Security management for remote maintenance of medical devices (RMS) | Security requirement of RMS, risk analysis
2019 | EU | Medical Device Coordination Group (MDCG), Medical Device Regulation (MDR): Guidance on Cybersecurity for medical devices | Cybersecurity concepts, Secure-by-design, post market surveillance system
2018 | USA | FDA: Premarket management of Cybersecurity in Medical Devices | Cybersecurity device design, labelling, documentation, premarket review process
2017 | USA | Diabetes Technology Society (DTSec) in collaboration with FDA: Standard for wireless diabetes device security | Risk management of insulin pump; Product security target approval
Medical Security Verification and Validation
• Reviews, code inspections, static code analysis
• Unit testing, integration testing, system testing
• Vulnerability scanning, fuzzing, penetration testing
Grey-Box PenTest = Black-Box PenTest – Brute Force + Intelligent Analysis
Grey-Box PenTest yields exhaustive list of vulnerabilities with least number of test cases
Triple Peak Model | Medical Cybersecurity and PenTest
Forward TORE: Test Cases are synthesized together with requirement for testability
Backward TORE: Test cases are executed, two cases are possible:
1. Positive result: Addition of new requirement
2. Negative result: Potentially redundant test case, invalid issue
[Figure: Triple Peak Model. Directions: from problem to solution; from abstract to specific. Perspectives: Market Perspective "Need"; Tester Perspective "Product"; Designer Perspective "Solution". Requirement levels: Why: Market Requirements; What: Product Requirements; How: Component Requirements. Other labels: Architecture, assets; System Testing; Detailed Design; Unit Testing / Static Code Analysis; Test-Driven Development (TDD); Integration Testing; Implementation.]
C. Ebert: Requirements Engineering, 6th edition, dPunkt, 2019.
C. Ebert, R. Ray: Test-Oriented Requirements Engineering, IEEE Software, Jan 2021.
B. Nuseibeh: Weaving together requirements and architecture, IEEE Computer Society, 2001.
10-Step Grey-Box Penetration Test | Medical Cybersecurity and PenTest
[Figure: 10-step grey-box penetration test process. Labels: TORE (Test-Oriented Requirements Engineering); Context Analysis; Assets; Architecture / System / SW Design; Detailed Design; Code; TARA, security goals; FSR (functional security requirements); Product (Functional and Quality) requirements; Component requirements; System Test Cases; PenTesting; Integration Test Cases; Fuzzing; Unit Test Cases; Static Analysis, CQA; Classic TDD (Test-Driven Development); Regression Test Cases; Minimum viable test set.]
KPI: Threat coverage, security test efficiency, vulnerability detection effectiveness
C. Ebert, R. Ray: Test-Oriented Requirements Engineering, IEEE Software, Jan 2021.
Case Study: Insulin Pump | Case Study: Implantable Insulin Pump
Treats diabetes by sensing blood sugar level and appropriately injecting insulin to the body.
Highly susceptible to remote attacks due to increased wireless connectivity to outside world.
Newaz, A. K. M., et al.: A Survey on Security and Privacy Issues in Modern Healthcare Systems: Attacks and Defenses. arXiv preprint arXiv:2005.07359, 2020.
Rathore, H., et al.: A review of security challenges, attacks and resolutions for wireless medical devices. 13th Int. Wireless Comm. and Mobile Computing Conf. (IWCMC). IEEE, 2017.
C. Ebert, R. Ray: Test-Oriented Requirements Engineering, IEEE Software, Jan 2021.
[Figure: insulin pump system and attack points. Components: Blood Sugar Sensor; Continuous Glucose Monitor (CGM); Controller; Pump; Remote Programmer; Buzzer, Display; Health monitoring and data logging; Cellular Internet Network; Notification to Family at home; Notification to Physician; Smart hospital centres, Ambulance. Attack labels: Man-in-the-middle, Backdoors; Malware attacks; Eavesdropping; Physical attacks, Sensor confusion; Data corruption; Command injection.]
Threat Landscape for Insulin Pump | Case Study: Implantable Insulin Pump
Understanding a representative architecture allows threats and vulnerabilities to be investigated better.
[Figure: Insulin Pump Device architecture. Blocks: Hardware; COTS Operating System; Device Software; Memory Mgmt; I / O; Status; Network; Interfaces; RF, BLE, USB, Wi-Fi etc.; GUI; Comm. Stacks; Self Testing; Fail Safe Mechanism; Configuration and Control; Glucose Monitoring, Hospital Server logging; Calibration and Dosage, Personal Settings.]
Threats annotated on the architecture:
• Network vulnerabilities: Eavesdropping, replay attacks, Man-in-the-middle
• Blood Glucose Sensor, CGM: Sensor confusion
• Malware attacks: Air-gap attacks
• Aftermarket products (Remote programmer, CGM): COTS specific vulnerabilities due to supply chain risks
• Insider attacks, identity spoofing, authenticity violation, hardcoded credentials, default passwords
• PHI leak: personal data, settings, dosage loggings, blood sugar readings
• LED Displays, buzzer, pump: Denial of Service
• S/W corruption, buffer overflow, database corruption, software plagiarism
• Spear phishing, ransomware attack by DoS: PHI held until ransom is paid.
• Unavailability or modification of fail safe mechanism due to DoS attack
D. Kim, J. Choi and K. Han, "Medical Device Safety Management Using Cybersecurity Risk Analysis," in IEEE Access, 2020
COMPASS Facilitates Reusable and Semi-Automated Mini-TARA | Case Study: Implantable Insulin Pump
Grey-Box PenTest vs. Black-Box PenTest in a Nutshell | Case Study: Implantable Insulin Pump
[Figure: system under test: Controller with Pump; Display; Continuous Glucose Meter (CGM); Alert Buzzer; Remote Programmer; Blood Sugar Sensor]
Black-Box PenTest
• Unaware of the architecture: misses crucial vulnerability categories: Alert Buzzer, CGM, Remote Programmer.
• Brute force to determine Safe Minimum and Maximum Threshold leads to false positives. More test effort.
• No risk analysis: Inefficient resource prioritization.
• Test Cases: ~ 40 TCs
• False positives: 20
• Missed vulnerability: 5
• Vulnerabilities found: 8
• Effectiveness (Category Coverage): 62%
• Efficiency (Vulnerability Discovery Average): On average 5 TCs needed for finding 1 vulnerability
Grey-Box PenTest
• Knowledge of high-level architecture and all configurations taken into account. Good attack pathway coverage.
• Accurate attack tree, fewer false positives, more valid vulnerabilities found.
• Risk-oriented test approach: efficient resource usage.
• Test Cases: ~ 15 TCs
• False positives: 2
• Missed vulnerability: 0
• Vulnerabilities found: 13
• Effectiveness (Category Coverage): 100%
• Efficiency (Vulnerability Discovery Average): On average 1 TC needed for finding 1 vulnerability
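Added example (not from the original slides or from Vector's tooling): one way to derive a "minimum viable test set" and its threat-coverage KPI, here using a greedy weighted set cover, which is a technique chosen for this illustration. The threat names come from the threat landscape slide; the risk weights, test-case names, coverage mapping and effort figures are constructed.

```python
from dataclasses import dataclass

# Threat categories from the threat-landscape slide; risk weights (1-5) are
# constructed for this example, standing in for TARA results.
RISK = {"eavesdropping": 3, "replay": 4, "man-in-the-middle": 5,
        "sensor confusion": 5, "hardcoded credentials": 4, "PHI leak": 3,
        "denial of service": 4, "buffer overflow": 5, "air-gap malware": 2}

@dataclass(frozen=True)
class PenTestCase:
    name: str          # hypothetical test-case identifier
    covers: frozenset  # threat categories the test case exercises
    effort: float      # constructed effort estimate in hours

CANDIDATES = [  # constructed candidate pool; no test covers "air-gap malware"
    PenTestCase("TC-RF-sniff", frozenset({"eavesdropping", "PHI leak"}), 2),
    PenTestCase("TC-RF-replay", frozenset({"replay", "man-in-the-middle"}), 3),
    PenTestCase("TC-CGM-spoof", frozenset({"sensor confusion"}), 4),
    PenTestCase("TC-prog-auth", frozenset({"hardcoded credentials", "replay"}), 2),
    PenTestCase("TC-cmd-fuzz", frozenset({"buffer overflow", "denial of service"}), 5),
    PenTestCase("TC-flood", frozenset({"denial of service"}), 3),
    PenTestCase("TC-log-dump", frozenset({"PHI leak"}), 2),
]

def minimum_viable_test_set(candidates, risk):
    """Greedy weighted set cover: repeatedly take the test case that retires
    the most uncovered risk per hour, until no candidate adds coverage."""
    uncovered, chosen = set(risk), []
    def gain(tc):
        return sum(risk[t] for t in tc.covers & uncovered) / tc.effort
    while uncovered:
        best = max(candidates, key=gain)
        if gain(best) == 0:
            break  # remaining threats have no test case: a gap in the plan
        chosen.append(best)
        uncovered -= best.covers
    return chosen, uncovered

def plan_kpis(chosen, uncovered, candidates, risk):
    """Threat coverage and effort of the selected set versus running everything."""
    return {"threat_coverage": 1 - len(uncovered) / len(risk),
            "effort_selected": sum(tc.effort for tc in chosen),
            "effort_all": sum(tc.effort for tc in candidates)}

if __name__ == "__main__":
    chosen, gaps = minimum_viable_test_set(CANDIDATES, RISK)
    print([tc.name for tc in chosen], "untested:", sorted(gaps))
    print(plan_kpis(chosen, gaps, CANDIDATES, RISK))
```

The threat left uncovered is reported rather than silently dropped, so a coverage below 100% points at a missing test case instead of passing as a complete plan.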
Summary and Enhancements | Outlook
Security in design: Test-oriented Requirements Engineering (TORE) for cybersecurity
Security in test: Grey-Box PenTest to enhance test-effectiveness and cost-efficiency
Grey-Box PenTest offers efficient and effective hardening
• Knowledge of architecture: more vulnerabilities identified due to good attack scenario coverage.
• Good traceability: Exhaustive requirement coverage > exhaustive list of vulnerabilities.
• Attack tree accuracy: Architecture-aligned attack tree: fewer false positives, hence less test effort.
• Risk analysis: Prioritized list of findings leads to efficient consumption of resources.
Outlook
• Heuristics: Reusable architecture design patterns for efficient threat and damage scenario identification.
• Automation: Machine learning models to automatically derive minimum number of test cases.
Learning from the Best | Outlook
Vector Forum 2021
> Winning in the New Normal
• Innovative technologies
• Resilient and efficient engineering
• Mastering quality and complexity
24. June 2021. Worldwide. Online.
• Enhance your competences
• Grow your networks
Details and free registration: www.vector.com/forum
Free white paper with many case studies and YouTube clips from Vector Forum 2020: www.vector.com/StayCompetitive
Thank you for your attention.
Please contact us for consulting support.
Passion. Partner. Value.
Vector Consulting Services
@VectorVCS
www.vector.com/[email protected]: +49-711-80670-1520