dreaded embedded sec360 5-17-16
![Page 1: Dreaded Embedded sec360 5-17-16](https://reader034.vdocuments.net/reader034/viewer/2022051707/58eeebb61a28ab831d8b4591/html5/thumbnails/1.jpg)
The Dreaded Embedded
Barry Caplin, VP & CISO, Fairview Health Services
[email protected]@[email protected]
Secure 360Tues. May 17, 2016
Tweet along: #Sec360
![Page 2: Dreaded Embedded sec360 5-17-16](https://reader034.vdocuments.net/reader034/viewer/2022051707/58eeebb61a28ab831d8b4591/html5/thumbnails/2.jpg)
@bcaplin | http://about.me/barrycaplin | securityandcoffee.blogspot.com
![Page 3: Dreaded Embedded sec360 5-17-16](https://reader034.vdocuments.net/reader034/viewer/2022051707/58eeebb61a28ab831d8b4591/html5/thumbnails/3.jpg)
• Not-for-profit established in 1906
• Academic Health System since 1997, partnership with University of Minnesota
• >22K employees
• >3,300 aligned physicians (employed, faculty, independent)
• 7 hospitals/medical centers (>2,500 staffed beds)
• 40-plus primary care clinics
• 55-plus specialty clinics
• 47 senior housing locations
• 30-plus retail pharmacies

2014 volumes
• 6.39M outpatient encounters
• 1.4M clinic visits
• 71,049 inpatient admissions
• 76,595 surgeries
• 9,298 births
• 282 blood and marrow transplants
• 340 organ transplants
• >$4 billion total revenue
![Page 4: Dreaded Embedded sec360 5-17-16](https://reader034.vdocuments.net/reader034/viewer/2022051707/58eeebb61a28ab831d8b4591/html5/thumbnails/4.jpg)
Who is Fairview?
A partnership of North Memorial and Fairview
![Page 5: Dreaded Embedded sec360 5-17-16](https://reader034.vdocuments.net/reader034/viewer/2022051707/58eeebb61a28ab831d8b4591/html5/thumbnails/5.jpg)
Agenda
• For Reals?
• What’s a “Thing” and why is it on the Internet?
• Put a Chip In It
• Are Medical Devices “Things”?
• You’re doing what with my data?
• Security Concerns
• Solutions?
![Page 6: Dreaded Embedded sec360 5-17-16](https://reader034.vdocuments.net/reader034/viewer/2022051707/58eeebb61a28ab831d8b4591/html5/thumbnails/6.jpg)
What’s Real?
CSI: Cyber, 11/1/15, s2/ep5 “Hack E.R.”
• “Hacker group” takes over hospital
• Kills via infusion pump
• Ransom
• Weak/no auth and encryption in med devices
• Smart TV
• Hardware poisoning
• Flat network
• Medical record integrity
• Physical access to network
• Financial v hacktivism
![Page 7: Dreaded Embedded sec360 5-17-16](https://reader034.vdocuments.net/reader034/viewer/2022051707/58eeebb61a28ab831d8b4591/html5/thumbnails/7.jpg)
![Page 8: Dreaded Embedded sec360 5-17-16](https://reader034.vdocuments.net/reader034/viewer/2022051707/58eeebb61a28ab831d8b4591/html5/thumbnails/8.jpg)
“I asked you not to tell me that!”
Who’s got?...
![Page 9: Dreaded Embedded sec360 5-17-16](https://reader034.vdocuments.net/reader034/viewer/2022051707/58eeebb61a28ab831d8b4591/html5/thumbnails/9.jpg)
Apr. 3, 2010
300K iPads, 1M apps, 250K ebooks… day 1!
![Page 10: Dreaded Embedded sec360 5-17-16](https://reader034.vdocuments.net/reader034/viewer/2022051707/58eeebb61a28ab831d8b4591/html5/thumbnails/10.jpg)
2011 – tablet/smartphone sales exceeded PCs
![Page 11: Dreaded Embedded sec360 5-17-16](https://reader034.vdocuments.net/reader034/viewer/2022051707/58eeebb61a28ab831d8b4591/html5/thumbnails/11.jpg)
Apr. 24, 2015
1M orders, 2,500 apps available… day 1!
![Page 12: Dreaded Embedded sec360 5-17-16](https://reader034.vdocuments.net/reader034/viewer/2022051707/58eeebb61a28ab831d8b4591/html5/thumbnails/12.jpg)
2016 – IoT sales exceed smartphone + tablet
![Page 13: Dreaded Embedded sec360 5-17-16](https://reader034.vdocuments.net/reader034/viewer/2022051707/58eeebb61a28ab831d8b4591/html5/thumbnails/13.jpg)
http://weputachipinit.tumblr.com/
![Page 14: Dreaded Embedded sec360 5-17-16](https://reader034.vdocuments.net/reader034/viewer/2022051707/58eeebb61a28ab831d8b4591/html5/thumbnails/14.jpg)
Medical Devices
http://get-fun-here.blogspot.com/2014/04/22-strange-medical-instruments-from.html
![Page 15: Dreaded Embedded sec360 5-17-16](https://reader034.vdocuments.net/reader034/viewer/2022051707/58eeebb61a28ab831d8b4591/html5/thumbnails/15.jpg)
Medical Devices
![Page 16: Dreaded Embedded sec360 5-17-16](https://reader034.vdocuments.net/reader034/viewer/2022051707/58eeebb61a28ab831d8b4591/html5/thumbnails/16.jpg)
1997
![Page 17: Dreaded Embedded sec360 5-17-16](https://reader034.vdocuments.net/reader034/viewer/2022051707/58eeebb61a28ab831d8b4591/html5/thumbnails/17.jpg)
2013
![Page 18: Dreaded Embedded sec360 5-17-16](https://reader034.vdocuments.net/reader034/viewer/2022051707/58eeebb61a28ab831d8b4591/html5/thumbnails/18.jpg)
“Embedded”
• Quantified Self
• Insulin pumps, pacemakers, ICDs, etc.
  - FDA requirements
  - Device manufacturers
  - Ease of connection
• Jay Radcliffe, Black Hat 2011 (insulin pump attacks)
• Barnaby Jack, Hacker Halted 2012 (pacemaker/ICD attacks)
• Homeland attack (Broken Hearts, s2/ep10, 12/2/12)
  - Wireless attack via pacemaker ID/serial number
  - Dick Cheney’s ICD, 2007 (wireless feature disabled by his doctors)
• MITM or snooping
• Integrity
• Availability
![Page 19: Dreaded Embedded sec360 5-17-16](https://reader034.vdocuments.net/reader034/viewer/2022051707/58eeebb61a28ab831d8b4591/html5/thumbnails/19.jpg)
Security Challenges
• Exposure/leakage of data, including during repairs
• Poor design/protocols
• Ownership
• Malware
• Direct attack
• Integrity
• Availability
But don’t we have all this now???
![Page 20: Dreaded Embedded sec360 5-17-16](https://reader034.vdocuments.net/reader034/viewer/2022051707/58eeebb61a28ab831d8b4591/html5/thumbnails/20.jpg)
Security
• Primary mechanism is… obscurity
• Focus is on
  - Function
  - Aesthetics
  - Communication
  - Cost
  - Speed to market
• Testing?
• Patching?
• Design?
![Page 21: Dreaded Embedded sec360 5-17-16](https://reader034.vdocuments.net/reader034/viewer/2022051707/58eeebb61a28ab831d8b4591/html5/thumbnails/21.jpg)
Attack Vectors
• Sneakernet
  – USB updates or data movement
• Data exfiltration
  – aka Breach!
• Integrity
  – Alter capability
  – Alter data/reporting
• Availability
• Medjacking (MEDJACK, medical device hijack, per the TrapX report linked below)
  – Attack the device
  – Infiltrate the network behind it
  – Pivot to other systems
https://securityledger.com/wp-content/uploads/2015/06/AOA_MEDJACK_LAYOUT_6-0_6-3-2015-1.pdf
![Page 22: Dreaded Embedded sec360 5-17-16](https://reader034.vdocuments.net/reader034/viewer/2022051707/58eeebb61a28ab831d8b4591/html5/thumbnails/22.jpg)
FDA Reality
• FDA clearance/approval process (510(k)/PMA)
  – Complex, painful, long, expensive
• Patching and FDA advice
  – Manufacturers responsible for patches
  – Premarket review not required for a security patch in most cases (FDA 2005 guidance on networked devices with off-the-shelf software, first link below)
FDA guidance, Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software:
http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm077812.htm
FDA Safety Communication, Cybersecurity for Medical Devices and Hospital Networks (June 2013):
http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm356423.htm
![Page 23: Dreaded Embedded sec360 5-17-16](https://reader034.vdocuments.net/reader034/viewer/2022051707/58eeebb61a28ab831d8b4591/html5/thumbnails/23.jpg)
We Are Not Alone
• Retail
• Manufacturing
• Energy
![Page 24: Dreaded Embedded sec360 5-17-16](https://reader034.vdocuments.net/reader034/viewer/2022051707/58eeebb61a28ab831d8b4591/html5/thumbnails/24.jpg)
Solutions
![Page 25: Dreaded Embedded sec360 5-17-16](https://reader034.vdocuments.net/reader034/viewer/2022051707/58eeebb61a28ab831d8b4591/html5/thumbnails/25.jpg)
Frameworks
• FDA, NIST and others: work in progress
• NCCoE/NIST/UMN TLI infusion pump security study
  https://nccoe.nist.gov/sites/default/files/nccoe/NCCOE_HIT-Medical-Device-Use-Case.pdf
  https://nccoe.nist.gov/projects/use_cases/medical_devices
• Medical Device Innovation, Safety and Security Consortium (MDISS), International Society of Automation (ISA), HITRUST Alliance, NIST and others working with FDA, HHS, DOD, NH-ISAC, CIS (Center for Internet Security), AAMI (Association for the Advancement of Medical Instrumentation), ACCE (American College of Clinical Engineering), SANS, and others
• IHE/MDISS – Medical Device Software Patching white paper
  https://ihe.net/uploadedFiles/Documents/PCD/IHE_PCD_WP_Patching_Rev1.0_PC_2015-07-01.pdf
• MDS2 (Manufacturer Disclosure Statement for Medical Device Security), the NEMA/HIMSS form in which a manufacturer states a device’s security capabilities
  http://www.nema.org/Standards/Pages/Manufacturer-Disclosure-Statement-for-Medical-Device-Security.aspx
• Archimedes (Archimedes Center for Medical Device Security, University of Michigan) http://www.secure-medicine.org/
• NIST SP 1800-1, Securing Electronic Health Records on Mobile Devices
  https://nccoe.nist.gov/projects/use_cases/health_it/ehr_on_mobile_devices
![Page 26: Dreaded Embedded sec360 5-17-16](https://reader034.vdocuments.net/reader034/viewer/2022051707/58eeebb61a28ab831d8b4591/html5/thumbnails/26.jpg)
Solutions?
• Lifecycle and risk management approach
  – Cybersecurity insurance?
• SLM – Security Lifecycle Management: Intake → Analysis → Requirements → Design → Test → Deploy → Maintain
• Existing controls?
  – NAC
  – Scanning
  – Communications
  – Threat/vuln intel
  – Patching?
  – Segmentation?
  – Segregation?
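An added example for the Attack Vectors and Solutions? slides (not code from the talk or from Fairview): a model of the default-deny allow-list that segmentation would enforce for devices that cannot be patched, run over constructed flow records so that each of the MEDJACK steps shows up as a distinct policy violation: infiltration (enterprise segment into the device segment), pivot (device segment into enterprise segments) and exfiltration (device segment to the outside). Segment names, addresses and ports are assumptions for illustration; a real allow-list is derived from the vendor’s MDS2 and communication documentation and enforced at the firewall or NAC.

```python
"""Segmentation policy model for a medical-device network segment (added example).

Segment names, addresses and ports below are assumptions, not a real plan.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical address plan (assumption).
SEGMENTS = {
    "med-devices": ip_network("10.50.0.0/24"),   # pumps, monitors, imaging
    "med-gateways": ip_network("10.51.0.0/24"),  # vendor gateways / integration servers
    "workstations": ip_network("10.10.0.0/16"),  # clinical and office PCs
    "servers": ip_network("10.20.0.0/24"),       # EHR, directory, file servers
}

# Default-deny allow-list: source segment -> permitted (dest segment, proto, dport).
# Ports are illustrative: 2575 is commonly used for HL7 over MLLP, 123 is NTP.
POLICY = {
    "med-devices": {("med-gateways", "tcp", 2575), ("med-gateways", "udp", 123)},
    "med-gateways": {("med-devices", "tcp", 2575), ("servers", "tcp", 443)},
    "workstations": {("med-gateways", "tcp", 443), ("servers", "tcp", 443),
                     ("external", "tcp", 443)},
}

ALLOW = "allow"
EXFIL = "deny: exfiltration"
PIVOT = "deny: pivot"
INFILTRATE = "deny: infiltration"
OTHER = "deny: not in allow-list"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def segment_of(addr: str) -> str:
    """Name of the segment containing addr, or 'external' for anything else."""
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "external"


def classify(flow: Flow) -> str:
    """Return ALLOW, or the reason a segmenting firewall would drop the flow."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if (dst_seg, flow.proto.lower(), flow.dport) in POLICY.get(src_seg, set()):
        return ALLOW
    if src_seg == "med-devices" and dst_seg == "external":
        return EXFIL          # device talking straight to the Internet
    if src_seg == "med-devices":
        return PIVOT          # device reaching into enterprise segments
    if dst_seg == "med-devices":
        return INFILTRATE     # anything else reaching into the device segment
    return OTHER


def parse_flow(line: str) -> Flow:
    """Parse one constructed record of the form '<src> <dst> <proto> <dport>'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto, int(dport))


def audit(lines: list[str]) -> list[tuple[Flow, str]]:
    """Return every flow the policy would not allow, paired with its verdict."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        flow = parse_flow(line)
        verdict = classify(flow)
        if verdict != ALLOW:
            findings.append((flow, verdict))
    return findings


# Constructed flow records (not real traffic): src dst proto dport
FLOW_LOG = """\
10.50.0.12 10.51.0.5 tcp 2575
10.50.0.12 10.51.0.5 udp 123
10.50.0.12 10.10.4.77 tcp 445
10.50.0.12 198.51.100.20 tcp 443
10.10.4.77 10.50.0.12 tcp 23
10.51.0.5 10.20.0.8 tcp 443
"""

if __name__ == "__main__":
    for flow, verdict in audit(FLOW_LOG.splitlines()):
        print(f"{flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {verdict}")
```

Run against the constructed records, the two gateway flows pass and the three others are reported as pivot (device to a workstation on 445), exfiltration (device to an outside address) and infiltration (workstation telnetting to a device). The same allow-list, expressed as firewall or NAC rules, is what makes a flat network stop being flat for the devices that cannot be patched.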
![Page 27: Dreaded Embedded sec360 5-17-16](https://reader034.vdocuments.net/reader034/viewer/2022051707/58eeebb61a28ab831d8b4591/html5/thumbnails/27.jpg)
Final Thoughts
• It will get worse before it gets better
• Mandatory NIST Cybersecurity Framework?
• FDA pre-market security accreditation?
• Help vendors
  – Ask
  – Assess
  – Push back
• Help universities
  – Connect
  – Advise
• The First Rule of Security… We Talk About Security!
  – HSPIG
http://mnc3.org
![Page 28: Dreaded Embedded sec360 5-17-16](https://reader034.vdocuments.net/reader034/viewer/2022051707/58eeebb61a28ab831d8b4591/html5/thumbnails/28.jpg)
Tweet along: #Sec360 www.Secure360.org
Barry Caplin, Fairview Health Services
[email protected]@bjb.org@bcaplin
securityandcoffee.blogspot.com