V1.1 | 2020-10-21 @VectorVCS Cybersecurity and Penetration Testing for Medical Systems Christof Ebert and Ruschil Ray, MedConf 2020

Feb 03, 2021

  • V1.1 | 2020-10-21

    @VectorVCS

    Cybersecurity and Penetration Testing for Medical Systems

    Christof Ebert and Ruschil Ray, MedConf 2020

  • © 2020. Vector Consulting Services GmbH. All rights reserved. Any distribution or copying is subject to prior written approval by Vector. V1.1 | 2020-10-21

    Agenda

    1. Welcome

    2. Medical Cybersecurity and PenTest

    3. Case Study: Implantable Insulin Pump

    4. Outlook

  • Why Vector Consulting Services? (Welcome)

    Transport

    Automotive

    Aerospace

    Medical

    Digital Transformation

    IT & Finance

    Vector Group is a global market leader in automotive software, services and engineering tools with over 3,300 employees

    Vector Consulting Services is supporting clients worldwide

    Transformation
    > Agile Transformation, SPICE
    > Cost reduction

    Trust
    > Safety and Cybersecurity
    > Test Methods, PenTest, Supplier Audits

    Technology
    > Architecture support, e.g. AUTOSAR
    > Life-cycle methods, e.g. PREEvision

    Training
    > Training, Coaching, Certification
    > Corporate Competence Programs

    www.vector.com/consulting


  • Industry Trends 2020: The New Normal Fuels a Vicious Circle (Welcome)

    Quality matters: Liability and Life-Cycle Cost

    Vector Client Survey 2020. Details: www.vector.com/trends.

    Horizontal axis shows short-term challenges; vertical axis shows mid-term challenges.

    Sum > 300% due to 5 answers per question. Strong validity with 4% response rate of 2000 recipients from different industries worldwide.

    Vicious circle: > cost pressure > lack of competences > less innovation and quality

    [Figure: survey results plotted by challenge. Axis labels: Short-term Challenges (horizontal) and Long-term challenges (vertical), each scaled 0% to 70%. Items: Innovative products; Competences and knowledge; Cost and efficiency; Flexibility; Distributed development; Complexity; Digital transformation; Quality; Others.]


  • Cyberattack Trends in Medical Domain (Medical Cybersecurity and PenTest)

    With the convergence of IoT and the medical domain, medical cybersecurity threats are increasing

    Comprehensive survey (2020): IMDs such as pacemakers, cardiac defibrillators and insulin pumps are most targeted.

    More traditional attacks on healthcare IT infrastructure are increasing fast

    Need for real-world V&V: Increasing connectivity to the outside world needs real-world security verification and validation with a life-cycle approach, both effective and cost-efficient

    Klonoff, David, and Julia Han: The first recall of a diabetes device because of cybersecurity risks, Journal of Diabetes Science and Technology, 2019

    Newaz, A. K. M., et al.: A Survey on Security and Privacy Issues in Modern Healthcare Systems: Attacks and Defenses, Cornell University, https://arxiv.org/abs/2005.07359, 2020

    Casey Crane: 42 Cyber Attack Statistics by Year, Infosec Insights, https://sectigostore.com/blog/42-cyber-attack-statistics-by-year-a-look-at-the-last-decade/, 2020

    [Figure: Targeted Medical Devices. Categories: Non-invasive, Invasive, Active therapeutic. Values shown: 41%, 37%, 22%.]

    [Figure: IoT Cyberattacks with > $1M losses. Axis scaled 0 to 120.]

    The First Recall of a Diabetes Device Because of Cybersecurity Risks

  • State-of-the-Art Medical Security Practices (Medical Cybersecurity and PenTest)

    Cybersecurity Medical Standards

    | Year | Scope | Standard / Regulation | Focus Areas |
    |---|---|---|---|
    | 2020 | International | ISO 24971: Application of risk management to medical devices | General requirements for risk management, post production activities |
    | Progress | International | ISO / IEC 81001: Health software, health IT systems safety, effectiveness, security | Security across lifecycle of health systems |
    | 2019 | International | ISO 11633: Security management for remote maintenance of medical devices (RMS) | Security requirement of RMS, risk analysis |
    | 2019 | EU | Medical Device Coordination Group (MDCG), Medical Device Regulation (MDR): Guidance on Cybersecurity for medical devices | Cybersecurity concepts, Secure-by-design, post market surveillance system |
    | 2018 | USA | FDA: Premarket management of Cybersecurity in Medical Devices | Cybersecurity device design, labelling, documentation, premarket review process |
    | 2017 | USA | Diabetes Technology Society (DTSec) in collaboration with FDA: Standard for wireless diabetes device security | Risk management of insulin pump; Product security target approval |

    Medical Security Verification and Validation
    • Reviews, code inspections, static code analysis
    • Unit testing, integration testing, system testing
    • Vulnerability scanning, fuzzing, penetration testing

    Grey-Box PenTest = Black-Box PenTest – Brute Force + Intelligent Analysis

    Grey-Box PenTest yields exhaustive list of vulnerabilities with least number of test cases

  • Triple Peak Model (Medical Cybersecurity and PenTest)

    Forward TORE: Test cases are synthesized together with requirement for testability

    Backward TORE: Test cases are executed; two cases are possible:
    1. Positive result: Addition of new requirement
    2. Negative result: Potentially redundant test case, invalid issue

    [Figure: Triple Peak Model. Axes: "From problem to solution" and "From abstract to specific". Levels: Why: Market Requirements; What: Product Requirements; How: Component Requirements. Perspectives: Market Perspective ("Need"); Tester Perspective ("Product"); Designer Perspective ("Solution"). Further labels: Architecture, assets; System Testing; Detailed Design; Unit Testing / Static Code Analysis; Test-Driven Development (TDD); Integration Testing; Implementation.]

    C. Ebert: Requirements Engineering, 6th edition, dPunkt, 2019

    C. Ebert, R. Ray: Test-Oriented Requirements Engineering, IEEE Software, Jan 2021.

    B. Nuseibeh: Weaving together requirements and architecture, IEEE Computer Society, 2001

  • 10-Step Grey-Box Penetration Test (Medical Cybersecurity and PenTest)

    [Figure: TORE (Test-Oriented Requirements Engineering) flow. Labels: Context Analysis; Assets; Architecture / System / SW Design; Detailed Design; Code; TARA, security goals; FSR (functional security requirements); Product (Functional and Quality) requirements; Component requirements; System Test Cases; PenTesting; Integration Test Cases; Fuzzing; Unit Test Cases; Static Analysis, CQA; Classic TDD (Test-Driven Development); Regression Test Cases; Minimum viable test set.]

    KPI: Threat coverage, security test efficiency, vulnerability detection effectiveness

    C. Ebert, R. Ray: Test-Oriented Requirements Engineering, IEEE Software, Jan 2021.


  • Case Study: Insulin Pump (Case Study: Implantable Insulin Pump)

    Treats diabetes by sensing the blood sugar level and appropriately injecting insulin into the body.

    Highly susceptible to remote attacks due to increased wireless connectivity to the outside world.

    [Figure: insulin pump system and its connections. Components: Controller; Pump; Continuous Glucose Monitor (CGM); Blood Sugar Sensor; Remote Programmer; Buzzer, Display. Connected services: Cellular Internet Network; Notification to Family at home; Smart hospital centres, Ambulance; Notification to Physician; Health monitoring and data logging. Attacks shown: Man-in-the-middle, Backdoors; Malware attacks; Eavesdropping; Physical attacks, Sensor confusion; Data corruption; Command injection.]

    Newaz, A. K. M., et al.: A Survey on Security and Privacy Issues in Modern Healthcare Systems: Attacks and Defenses. arXiv preprint arXiv:2005.07359, 2020.

    Rathore, H., et al.: A review of security challenges, attacks and resolutions for wireless medical devices. 13th Int. Wireless Comm. and Mobile Computing Conf. (IWCMC). IEEE, 2017.

    C. Ebert, R. Ray: Test-Oriented Requirements Engineering, IEEE Software, Jan 2021.

  • Threat Landscape for Insulin Pump (Case Study: Implantable Insulin Pump)

    Understanding a representative architecture makes it easier to investigate threats and vulnerabilities.

    [Figure: Insulin Pump Device architecture. Blocks: Hardware; COTS Operating System; Device Software; Configuration and Control; Glucose Monitoring, Hospital Server logging; Calibration and Dosage, Personal Settings; Self Testing; Comm. Stacks; Interfaces; GUI; Network; Memory Mgmt; I / O; Status; Fail Safe Mechanism.]

    Threats annotated on the architecture:
    • Network vulnerabilities: Eavesdropping, replay attacks, Man-in-the-middle
    • Blood Glucose Sensor, CGM: Sensor confusion
    • RF, BLE, USB, Wi-Fi etc.
    • Malware attacks: Air-gap attacks
    • Aftermarket products (Remote programmer, CGM): COTS specific vulnerabilities due to supply chain risks
    • Insider attacks, identity spoofing, authenticity violation, hardcoded credentials, default passwords
    • PHI leak: personal data, settings, dosage loggings, blood sugar readings
    • LED Displays, buzzer, pump: Denial of Service
    • S/W corruption, buffer overflow, database corruption, software plagiarism
    • Spear phishing, ransomware attack by DoS: PHI held until ransom is paid.
    • Unavailability or modification of fail safe mechanism due to DoS attack

    D. Kim, J. Choi and K. Han, "Medical Device Safety Management Using Cybersecurity Risk Analysis," in IEEE Access, 2020

  • COMPASS Facilitates Reusable and Semi-Automated Mini-TARA (Case Study: Implantable Insulin Pump)

  • Grey-Box PenTest vs. Black-Box PenTest in a Nutshell (Case Study: Implantable Insulin Pump)

    [Figure: insulin pump system. Labels: Controller with Pump; Display; Continuous Glucose Meter (CGM); Alert Buzzer; Remote Programmer; Blood Sugar Sensor.]

    Black-Box PenTest

    • Unaware of the architecture; misses crucial vulnerability categories: Alert Buzzer, CGM, Remote Programmer.
    • Brute force to determine Safe Minimum and Maximum Threshold leads to false positives. More test effort.
    • No risk analysis: Inefficient resource prioritization.
    • Test Cases: ~ 40 TCs
    • False positives: 20
    • Missed vulnerability: 5
    • Vulnerabilities found: 8
    • Effectiveness (Category Coverage): 62%
    • Efficiency (Vulnerability Discovery Average): On average 5 TCs needed for finding 1 vulnerability

    Grey-Box PenTest

    • Knowledge of high-level architecture and all configurations taken into account. Good attack pathway coverage.
    • Accurate attack tree, fewer false positives, more valid vulnerabilities found.
    • Risk-oriented test approach: efficient resource usage.
    • Test Cases: ~ 15 TCs
    • False positives: 2
    • Missed vulnerability: 0
    • Vulnerabilities found: 13
    • Effectiveness (Category Coverage): 100%
    • Efficiency (Vulnerability Discovery Average): On average 1 TC needed for finding 1 vulnerability
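
The risk-oriented selection of a minimum test set and the threat-coverage KPI named in these slides, as an added example that is not part of the original deck or of Vector's tooling: a greedy weighted set cover picks test cases until every threat category is covered and reports any gap. The risk scores, test-case names and their threat mappings are constructed assumptions; only the threat category names come from the threat-landscape slide.

```python
# Added example with constructed data; not Vector's COMPASS or TORE tooling.

# Threat categories named on the threat-landscape slide. The risk scores
# (1 = low, 5 = high) are constructed stand-ins for a TARA result.
THREATS = {
    "eavesdropping": 3,
    "replay": 4,
    "man-in-the-middle": 5,
    "sensor confusion": 5,
    "hardcoded credentials": 4,
    "PHI leak": 3,
    "denial of service": 4,
    "buffer overflow": 5,
}

# Hypothetical test cases and the threat categories each one exercises.
TEST_CASES = {
    "TC-RF-confidentiality": {"eavesdropping", "PHI leak"},
    "TC-RF-replay-protection": {"replay", "man-in-the-middle"},
    "TC-CGM-input-plausibility": {"sensor confusion"},
    "TC-programmer-authentication": {"hardcoded credentials", "man-in-the-middle"},
    "TC-alert-availability": {"denial of service"},
    "TC-comm-stack-fuzzing": {"buffer overflow", "denial of service"},
    "TC-log-export-privacy": {"PHI leak"},
}

def select_minimum_test_set(threats, test_cases):
    """Greedy weighted set cover; returns (ordered test cases, uncovered threats)."""
    uncovered, selected = set(threats), []
    while uncovered:
        # Risk still uncovered that each test case would address.
        gain = {tc: sum(threats[t] for t in hits & uncovered)
                for tc, hits in test_cases.items()}
        best = max(sorted(gain), key=gain.get)  # sorted() makes ties deterministic
        if gain[best] == 0:
            break  # no test case reaches the remaining threats: a coverage gap
        selected.append(best)
        uncovered -= test_cases[best]
    return selected, uncovered

def threat_coverage(threats, test_cases, selected):
    """Share of threat categories exercised by at least one selected test case."""
    covered = set().union(*(test_cases[tc] for tc in selected)) & set(threats)
    return len(covered) / len(threats)

if __name__ == "__main__":
    chosen, gaps = select_minimum_test_set(THREATS, TEST_CASES)
    print(chosen, gaps, f"{threat_coverage(THREATS, TEST_CASES, chosen):.0%}")
```

The selection order doubles as a priority list, because each step takes the test case that retires the most remaining risk; a non-empty second return value names threat categories that no test case reaches.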



  • Summary and Enhancements (Outlook)

    Grey-Box PenTest offers efficient and effective hardening
    • Knowledge of architecture: more vulnerabilities identified due to good attack scenarios coverage.
    • Good traceability: Exhaustive requirement coverage > exhaustive list of vulnerabilities.
    • Attack tree accuracy: Architecture aligned attack tree: fewer false positives, hence less test effort.
    • Risk-Analysis: Prioritized list of findings leads to efficient consumption of resources.

    Outlook
    • Heuristics: Reusable architecture design patterns for efficient threat and damage scenario identification.
    • Automation: Machine learning models to automatically derive minimum number of test cases.

    Security in design: Test-oriented Requirements Engineering (TORE) for cybersecurity

    Security in test: Grey-Box PenTest to enhance test-effectiveness and cost-efficiency

  • Learning from the Best (Outlook)

    Vector Forum 2021 > Winning in the New Normal

    Innovative technologies
    Resilient and efficient engineering
    Mastering quality and complexity

    24 June 2021. Worldwide. Online.
    Enhance your competences
    Grow your networks

    Details and free registration: www.vector.com/forum

    Free white paper with many case studies and YouTube clips from Vector Forum 2020: www.vector.com/StayCompetitive

  • Thank you for your attention. Please contact us for consulting support.

    Passion. Partner. Value.

    Vector Consulting Services

    @VectorVCS

    www.vector.com/[email protected]: +49-711-80670-1520