This security article is written from my hotel room while visiting DEF CON 26, held in Las Vegas, Nevada, USA.
Today I had the privilege to hear the presentation from Veronica Schmitt, a South African security professional with a special interest in cyber medical devices. As her life depends on a pacemaker, which can be monitored remotely, she is dedicated to improving the security of such devices. Her presentation provided a shocking insight into the state of cyber security (or rather, the lack of it) within the medical world.
Medical devices like pacemakers, insulin pumps and what have you can nowadays be accessed over various network technologies like Bluetooth, Wi-Fi, etc. Many of them are built for functional purposes only and do not contain any basic security measures like access controls, hardening, etc. And if they do have security measures on board, many of them are left in their default state (like default passwords). Changing these settings or even patching the software might lead to liability issues for hospitals as the warranty will be void. It gets even worse: when a supplier of medical devices wants to improve the security of their devices, they need to have their products certified by the proper authorities (e.g. the FDA in the USA), which is time consuming and costly. Also, many hospitals have poor or no cyber security practices implemented. Networks are not segmented, systems are not patched and passwords are written on Post-its. Simply using a Wi-Fi hacking tool in the waiting room would be enough to access most systems.
Later that day I attended a workshop where participants could hack an insulin pump using a network cable and a copy of Kali Linux. The test subject was an insulin pump from 2005 which was hacked in a matter of seconds: just run nmap, discover that port 23 (telnet) is open and make a connection. No credentials required: default root access. Although this model is obsolete and has been replaced by a more secure version, it is still in service all over the world (40,000 sold worldwide).
The above is not limited to the health care world alone. You can witness the same symptoms in every organization from government to commercial.
What is at the root of this problem?
Is it a lack of technical knowledge? A lack of awareness? Would introducing more processes, more regulations be the answer?
I believe not. I realize that many of these problems are caused by these very controls.
Let me explain: As a security trainer, I teach security governance best practices such as change management, patch management, life cycle management, etc. The aim of these practices is to reduce the risk of unauthorized and unvalidated modifications in information processing systems. However, the security mantra is that these controls need to be enforced and implemented with great rigor or else it will lead to unacceptable liabilities and other dire consequences. For example: a patch needs to be tested rigorously before being implemented or else it might break stuff that, well, is not allowed to break.
It all sounds so logical and acceptable, right? Well, here is the catch: this works perfectly in an environment where everything is deterministic and predictable.
However, the world of today is dynamic and unpredictable and requires organizations to adapt faster to new (and old) threats. There are many impediments that prevent organizations from doing this. I will look at three of these impediments:
- Legacy or technical debt
- Regulations & legislation
- Distorted risk management
Legacy or technical debt
Many organizations (especially the bigger and older ones) have tons of interconnected information systems. Many of these systems have been accumulated over decades and have become deeply interwoven with the business processes. Replacing these systems would be cost prohibitive (if the organization knows of their existence in the first place). However, these systems do not have sufficient cyber security capabilities and need to be protected in other ways: rigorous controls like change management, configuration management and patch management (to name a few). This is a vicious loop that can only be broken if these systems are replaced by more agile and secure architectures.
Regulations & legislation
Regulations are often an impediment for organizations to adopt a more agile approach to cyber security, especially for vendors of critical infrastructures (like gas, water, roads, etc.) and products/services that affect personal safety (planes, cars, medical equipment, etc.).
The huge liability risks deter organizations from releasing improved and more secure products without having passed rigorous safety and compliance tests.
Contracts must safeguard the manufacturer against any liability, for example if the clients want to update the products themselves. The client will face the same liability issues if he/she accepts the risks and therefore decides to forgo the necessary improvements.
Distorted risk management
Risk management is the practice of balancing the costs of security measures versus the expected harm a security threat will cause and the likelihood it will occur. It requires continuous gathering of intelligence on threat actors, cyber threats, vulnerabilities, legislation and above all, a good understanding of the information system architecture.
This seems like a rational process, but it is not: risk assessment and treatment can go awry as decision makers can have conflicting interests or priorities. Also, biases or a lack of good and reliable information can lead to bad decisions. Often risks are accepted because the decision maker is not the one who will feel the pain of the decision's impact. Laws and regulations try to combat this effect by making senior decision makers personally liable.
So now what?
Many organizations are adopting an Agile approach (like Scrum, SAFe, DevOps) to develop, deliver and improve products and services faster. These approaches of continuous improvement are not new and have gained wide acceptance. So why can’t we use similar approaches to cyber security? We don’t need to reinvent the wheel: there is plenty of experience available, right?
The three impediments mentioned above do not just go away even if you adopt an agile cyber security approach. Getting rid of technical debt requires vision, courage and determination. Frameworks such as SAFe might help. SAFe offers a so-called architectural runway: while you are working on something new, make sure you clean up or decommission the incumbent systems first. Distorted risk management can be combated by nurturing a culture that encourages transparency and openness within the organization.
Lastly, a continuous dialog is required between industry sectors, government and regulators to address the need for an agile cyber security approach.