Here’s a heart stopper: On March 21, the Department of Homeland Security and the FDA alerted cardiologists, hospitals, and patients that hundreds of thousands of implanted defibrillators, programmers, and heart monitors could be hacked, “potentially impacting product functionality.”
While the FDA noted that some company's devices contain telemetry vulnerabilities that can allow cyber tampering and the interception of patient data, there have been no reports of harm to actual patients. The companies, meanwhile, say they are working to patch the vulnerabilities.
The news is chilling for a number of reasons. It shows that cyber bad guys can practically reach inside our very bodies. (In fact, the white hat hacker Billy Rios showed last summer that he could access control of an implanted pace maker and deliver or withhold shocks to the heart). It also suggests that nothing is safe from malicious tampering in our increasingly wired world.
“Anything that is part of a physical network, that is monitored by sensors and uses computing control systems, can be infiltrated by incoming corrupted data,” says Lalitha Sankar, an associate professor at Arizona State University’s school of electrical, computer, and energy engineering.
For years now, security experts have been warning about the growing risk and outsized impacts of cyber-physical attacks. The Internet of Things, which embraces a range of newly-smart devices including everything from smart lawn mowers to electricity grids, has morphed into the internet of everything. Advances in computing, networking, sensing, and control systems has given rise to some 30 billion (and counting) connected devices.
What’s lagging in these fast-and-first-to-market innovations is security. As a result, a range of crucial sectors are now at risk to cyber-physical mayhem. Among them: medical devices, smart grids, public utilities, maritime navigation, autonomous vehicles, our homes, and manufacturing.
Advances in computing, networking, sensing, and control systems has given rise to some 30 billion (and counting) connected devices.
Hackers have already proved the point. In 2013, hackers believed to be working on behalf of a nation state remotely seized controls of a small dam, by way of a cellular modem, and could have released water on downstream communities. (The sluice gate at the time had been manually disconnected.) Two years later, foreign cyber attackers shutdown power distribution in a country, leaving a quarter million people without electricity. That same year, the WannaCry ransomware attack disrupted hospitals and clinics in other countries.
It’s not just nation-state malefactors who are responsible or big infrastructure that’s being targeted. Malicious cyber hackers have taken control of water treatment plants, hacked steel mills to halt production, and other examples. White-hat hackers, probing for flaws, proved they could theoretically take over the ballast pumps of cargo ships and capsize it, or take over an electric scooter, via faulty password validation, and accelerate it.
Unlike traditional hacks on information systems, where, say, spear phishing emails seek to infiltrate systems, conduct reconnaissance and hoover up user names and passwords, or lock down crucial files for ransom, these cyber-physical attacks seek to mangle equipment and lives.
“Attackers only have to look for the weakest part of an expanding attack surface,” says Arizona State’s Lalitha Sankar. Her work models sophisticated attacks on power grids, which are increasingly common according to the DHS, to understand them and make grids more resilient.
Much of the power grid, run by private companies and utilities, relies on legacy proprietary software systems, as it has for decades. The challenge is creating what Sankar calls a “ground truth” around reams of data to sniff out anomalies in pattern usage (time of day, location, weather-related) to detect grid load shifts and malicious acts like hacker-produced surges. “You might never know an attack is happening because it’s happening in the background,” she says.
With countless devices interacting over networks, manufacturers must take the lead in making their gadgets safe. To reduce digital vulnerabilities, security must be baked in from the start. New software must be probed for flaws, preferably by non-partisan white-hat hackers.
Cyber-physical attacks seek to mangle equipment and lives.
If not, we run the risk of “attacks changing how cars brake, how medical devices adapt and how buildings and the smart grid respond,” according to a DHS statement on the topic. “Addressing security issues by bolting solutions onto widely deployed systems is not viable. Security issues must be analyzed, understood and addressed in the early stages of design and deployment.”
To do this, companies need to step away from their proprietary, black-box mindset and start sharing information with networks, consumers, and each other. “Device makers need to share data about their software, firmware, and hardware,” says Dale Nordenberg, executive director of Medical Device Innovation Safety and Security, a non-profit focused on medical device security.
Such interconnected devices create entry nodes into increasingly sprawling health networks and so security risks spread out exponentially and to the entire digital ecosystem.
Most hospitals, says Nordenberg, have networks of thousands of connected devices that they don’t monitor for abnormal behavior. “They don’t know what these devices are up to,” he says. “That’s just the tip of the spear. And that’s just one industry. Multiply those by the millions.”
In the case of medical devices, manufacturers are looking to the government for direction. With industry help, the FDA is currently drafting premarket cyber security guidance to help them protect their products from threats like ransomware or attacks on the overall health care system.
With literally hundreds of thousands of products serving myriad functions, the FDA has said it’s crucial for everyone to get on the same security page. Device makers, who often spend millions on R&D and manufacturing are often reluctant to go back spend more on security patches.
But that only makes them easy targets for bad actors. And the same could be said for any physical industry that puts cyber security on a back burner. “You’re tell the bad guys ‘come and get me,’” says Nordenberg. “And the bad guys love nothing more than an open cyber door.”
Attackers are increasingly able to shut down or corrupt the actions of IoT devices that control equipment or interact in some other way with the physical world
The healthcare industry has been slow to adopt modern cyber security practices, a shortcoming that cyber criminals increasingly seek to exploit
We encourage you to share your thoughts on your favorite social platform.