For hackers, internet-connected medical devices have become an attractive target. Compared to computers, they tend to have more vulnerabilities that stay unpatched. But Congress is now considering legislation that would give the Food and Drug Administration more authority to require medical device manufacturers to make them more secure. John Pescatore is director of emerging security trends at the SANS Institute. He talked with Jared Serbu on the Federal Drive with Tom Temin about those weaknesses, and how to mitigate the risks in the meantime.
John Pescatore: There’s a long history behind this issue. In the medical world, nothing used to have internet connectivity. In fact, it had very proprietary network connectivity. But starting close to more than 15 years ago, most things started having some form of internet connectivity, including medical devices as well. When you’re just connected to a wire, you don’t really worry about what bad guys might do and break in. And once you started connecting to the internet, you really do have to worry about that. Another thing is in the medical equipment world, the Food and Drug Administration for many years has had a certification program. So if anything was to be used for medical purposes, actually, for humans or animals, it had to be inspected for quality and safety, which back then meant, we don’t want to electrocute the person, or if it’s an infusion pump, don’t want to let it pump too hard, or start pumping backwards and remove all their blood. So the medical world’s had a certification program that really did not address security, really addressed safety. The bad part about that certification program was it was very complex to go through and pretty expensive for the manufacturers. But that’s good, things should be safe. But that complexity meant once they brought a product to market, they didn’t want to change the product, because if they changed the product they had to go through, they thought they had to go through the certification process again. So once these products started having software in them, think of an infusion pump or an MRI machine or a CAT scanner these days, the issue of patching came about. All software is built with vulnerabilities. Mankind has never built more than one line of code that didn’t have at least one vulnerability. So the manufacturers said we can’t patch our devices.
Yes, we know they’re vulnerable out there and anybody could find this vulnerability and since it’s connected to the internet, exploited, but the quality and safety certification process means by the time we patched it, and got us through certification, there’ll be another patch out so we can’t do it. And 15 years ago, in 2006 the FDA put out guidance saying no, you can patch for security reasons, and not have to go through certification. But it’s taken these 15 years before they’ve put in some oomph behind it. So that’s a short reason is most of the medical equipment was first built, not being exposed to the internet, didn’t have to worry about software and patches, and then for a long time thought they couldn’t patch. And we’re finally starting to see that change.
Jared Serbu: It’s going to take a long time, I think is the bottom line, before some of the fundamentals here start to change, in terms of the attack surface of these devices. And so it sounds like until then it’s really on the end users, the health care system operators, to mitigate some of these vulnerabilities. What can they do in that area? And specifically for our audience, I don’t know the degree to which you’ve watched federal users specifically in DoD and VA, are they doing any better?
John Pescatore: Well, first, there is an important thing they can do before we get to the shielding of these vulnerable things. The security CISOs and the government agencies that are buying medical equipment need to make sure they get involved in the procurement process, that the security team is represented. There’s almost always competitive procurements for these things. And to make sure that security requirements are in the RFP and are highly weighted evaluation criteria is really key. And the FDA actually will help for some of that, but for the CISOs in government that have medical responsibilities, really, that first thing is key. So the next thing we come to is what we’ve done historically: if you have something vulnerable, you shield it away from the danger, you put it in a separate network segment. The very first thing is never connect anything to the internet that really, really doesn’t need to be connected. So what we found was, a lot of vendor remote maintenance might happen over the internet, a lot of times IT says, “Oh, we can telnet into this thing so we can do a status check on the network, make sure it’s working when somebody complains.” So we’ll leave that open. So the very first thing is to make sure that they are in separate network segments, all the medical devices. And what creates the segment is essentially a firewall that implements the old school policy of no connection is allowed unless it’s explicitly authorized, versus, let’s just try and stop bad stuff. The negative security model, it’s got to be the positive security model. Only connections we know we trust can come through, nothing else gets through. Because when you think about it, most medical machinery really doesn’t need to communicate with a lot. And if there do have to be remote internet connections to these segmented networks, they should all have multi-factor authentication.
So the biggest risk today is attackers getting somebody with privileges’ password, getting admin access or getting a password on a VPN account and getting in remotely. That doesn’t happen if you’re using strong authentication, which has been a requirement for remote access. And for many years, what we’ve seen, unfortunately, both in government and private industry is very slow movement away from passwords.
Jared Serbu: Yeah, and at the risk of stating the obvious here, the allure for an attacker to get into one of these devices is solely as a foothold into a broader enterprise network. I would assume a dialysis machine on its own is not that interesting to a hacker.
John Pescatore: Well, over time, we’ve always seen a progression of hacking. The first is just people who are interested in seeing what they can do, and break into things. And then invariably, they cause accidents to happen just because they got in and touched the machine and it stops working. Then you have denial of service. So one risk is denial of service. So for instance, what is it, Greenland right now nationwide, had an attack where they can’t bring up the machinery again, and it really wasn’t an attack against the medical care systems. It was just an attack. Then we saw a wave of “I want to break into whatever I can, because then I’m going to steal identity information. And I can sell those names and those health IDs and the information I find.” Turned out, on the hacker markets, that type of information was more valuable than the credit card information because the financial industry had put a lot of controls in place and was getting tougher to break into. But if I had all that information on some medical forms you filled out that included your address, and that meant lots of information, I could then go spoof your identity, and perhaps answer your security questions and get your password, and then I go in, identity theft. So yeah, it was true that over the past several years, a lot of it’s been about getting a foothold. But when you see ransomware attacks, basically those are attacks where they say I’m going to, I’ve crashed your systems and I won’t let you bring them back ’til you pay me. And that’s a big fear with attacks against this medical equipment, because you’re bringing down all the CAT scans and MRI machines in an entire hospital and holding them for ransom. That’s life and safety impacting, not just financial.
Jared Serbu: All right, so in the last couple minutes here, let’s talk about the possible long term fixes here. I understand there’s legislation in the FDA reauthorization bill that would do some things to give FDA some new regulatory authority over cyber specifically. How would that work? How long would it take to actually make a difference here?
John Pescatore: Well, I think that will take time, because what the FDA is doing is saying, when you manufacturers, when you apply to get certified, you must include this security information. And we will be evaluating that as part of approving the certification. So that will take time. More immediately, there’s kind of two things. We already talked about the, what I call the “keep the bad guys out,” the segmentation. The other real thing is more quickly noticing when the bad guys do get in. It’s kind of like ants in your house. You do everything you want to keep the ants or the termites out. Sooner or later they get in. The quicker you notice, the less damage there is. So there’s a lot of techniques and things called threat hunting tools and techniques to quickly discover something anomalous on your network, or something that looks like something malicious happening, amidst all that medical machinery. Another, which we push at SANS, is called “purple teaming,” which is where many companies have what they call a red team, try to break in, do penetration testing. And the blue team is the defenders who are trying to keep them out. If they sort of work together, and the blue team learns from the red team and comes up with better defenses, and the red team then tries better ways of breaking in once they understand the defenses, companies and the agencies will improve the security of those networks a lot more quickly, and be able to find things, time to detect in hours or days instead of months.
Jared Serbu: Getting back to FDA’s regulatory authority here, if they are going to require some sort of cyber hardening as part of the certification process going forward, it strikes me that it’s probably important that they do that in a way that manufacturers can keep up with future threats, and make changes as needed without having to go through the whole certification process all over again, going back to what you said at the beginning.
John Pescatore: The NSA and the Australians and the British and several other countries just put out a cybersecurity advisory reminding everybody that the vast majority of attacks are enabled by lack of basic security hygiene. What the NSA put out years ago turned into what’s these days called the Critical Security Controls. There’s the sort of eight to 10 things that are very well known, should be done in all equipment, can be baked into most. We’re finally starting to see that happen in Windows, for example, and in the cellular phone operating systems. So I think as long as the manufacturers and the FDA guidance are sticking, starting with that, with the basics of security, build security in such that if you’re minimizing the attack surface, you’re making it a lot harder for the bad guys, but really not that much harder for the good guys to use the equipment. So I think they’re taking a good approach there. That’s the start. Of course, what always happens is once you raise the bar to the basic level, then the real sophisticated attacks come about, and that’s where things like threat hunting come into play.
Jared Serbu: Last question, John. I can’t think of too many other examples, maybe you can, of federal agencies that have any kind of regulatory authority over the private sector in terms of imposing cyber requirements on IoT devices. If FDA does this well, could it provide some lessons in how to harden IoT devices outside of the medical industry?
John Pescatore: Yeah, I think it can. I mean, when you look at it, all agencies that do procurements can put requirements in RFPs and point to industry specifications or industry standards and the like, for Internet of Things devices, things in smart buildings, for example. Government buildings are being built with internet-connected heat, or high voltage AC and power and elevator and video systems that are often vulnerable. So yeah, there’s not, GSA doesn’t yet have security requirements going in the smart building-type contracts. But I think that’s very key. I was on a committee advising an incoming Congress about 10, 15 years ago, and that’s one of the things we recommended: that for all government procurements for anything, because everything’s coming with software, everything is vulnerable, can be attacked, cybersecurity considerations be included in all the procurement language.