https://www.iotworldtoday.com/wp-content/themes/ioti_child/assets/images/logo/IoTWorldToday-mobile-logo.png
  • Home
  • News
    • Back
    • Roundups
  • Strategy
  • Special Reports
  • Business Resources
    • Back
    • Webinars
    • White Papers
    • Industry Perspectives
    • Featured Vendors
  • Other Content
    • Back
    • Q&As
    • Case Studies
    • Features
    • How-to
    • Opinion
    • Podcasts
    • Strategic Partners
    • Latest videos
  • More
    • Back
    • About Us
    • Contact
    • Advertise
    • Editorial Submissions
  • Events
Iot World Today
  • NEWSLETTER
  • Home
  • News
    • Back
    • Roundups
  • Strategy
  • Special Reports
  • Business Resources
    • Back
    • Webinars
    • White Papers
    • Industry Perspectives
    • Featured Vendors
  • Other Content
    • Back
    • Q&As
    • Case Studies
    • Features
    • How-to
    • Opinion
    • Podcasts
    • Strategic Partners
    • Latest videos
  • More
    • Back
    • About Us
    • Contact
    • Advertise
    • Editorial Submissions
  • Events
  • newsletter
  • IIoT
  • Cities
  • Energy
  • Homes/Buildings
  • Transportation/Logistics
  • Connected Health Care
  • Retail
  • AI
  • Metaverse
  • Development
  • Security
ioti.com

Security


Getty Images

ICS security

ICS Security, Medical Devices and the Accidental Bogeyman

Swarms of hackers could maliciously target industrial facilities and hospitals. But for now, cybersecurity-related mistakes and negligence pose bigger risks.
  • Written by Brian Buntz
  • 7th May 2019

Hacked pacemakers, insulin pumps, cars, industrial facilities, satellites and breached power grids… For years now, cybersecurity researchers have been warning of the possibility of black hat hackers to hurt or kill people through their exploits — often with demonstrations about how they could do it.

But the degree of sensationalism often accompanying the topic can obscure the true level of risk, while doing little to underscore the level of risk of common attack vectors and vulnerabilities such as outdated operating systems, unpatched or buggy software, malconfigured networks and the like.  

In general, the level of cyber risk is high with industrial control systems, which are used for an array of applications, from controlling satellites to oil-and-gas equipment to automation equipment in factories. There are reports of computer sabotage causing chaos stretching back decades. True, it is difficult to verify, say, whether the United States deployed Trojan malware on computing equipment used to control the flow of gas in a Trans-Siberian pipeline, prompting a massive explosion. Thomas C. Reed, a former Air Force secretary in the Reagan administration, claimed as much in the book “At the Abyss.”

[Internet of Things World is the intersection of industries and IoT innovation. Book your conference pass and save $350, get a free expo pass or see the IoT security speakers at the event.]

But attacks on connected industrial systems are common now. A number of cybersecurity vendors, from IBM Managed Security Services to Kaspersky Lab, have tracked an uptick in ICS security attacks in recent years. Only in March, Norsk Hydro, one of the largest aluminum producers globally, struggled with cyber-induced production in operations in both Europe and the United States.

In to deal with the problem, industrial giant Siemens and TÜV SÜD, the international testing, inspection and certification firm, joined forces on what they call “a new approach to digital safety and security.” “Attacks against industrial environments are increasing at an exponential pace,” said Leo Simonovich, vice president and global head for industrial cyber and digital security at Siemens. “However, unlike in IT, where the primary concern is data loss, cyberattacks targeting operational technology can lead to a potential shutdown or worse.” The two companies will thus collaborate to offer what they are terming “digital safety and security assessments” to help energy customers, in particular, assess and manage cyber risk.

Simonovich pointed to the potentially-catastrophic Triton malware, which the cybersecurity firm Dragos discovered in Saudi Arabia in 2017. Researchers recently found the code at a second facility.

“What was remarkable about [the Triton] attack, was the ease with which attackers traversed from IT to OT to safety systems,” Simonovich said.

Indeed, this is a recurring theme across sectors where cybersecurity breaches pose a potential safety risk. Despite all of the research demonstrating esoteric and often borderline-implausible types of attacks at cybersecurity events, it is easy to overlook the risk posed by, say, an “air-gapped” Windows XP computer or dated malware such as Kwampirs, a trojan discovered in 2015, or Conficker, first discovered in 2008. While hackers could, say, modify CT scans to create fake cancer cells, as researchers demonstrated, it is more likely that a hospital will get hit with a commodity type of attack or a pacemaker patient will end up targeted by a cyber-hitman. “People always laugh when I say: ‘Even though I consider myself a cybersecurity expert, there are easier ways to hurt people,” said Stephanie Preston Domas, vice president of research and development at MedSec. “All of these fancy custom exploits designed against medical devices are not pointing to the real problem. The real problem is things like Kwampirs still work. Things like Conficker still work.”

And then there is WannaCry, the 2017 ransomware attack that Europol said was unprecedented in its scope. Affecting some 200,000 computers, WannaCry affected industrial and medical facilities. Nissan had to stop production in a facility in the United Kingdom. Renault was forced to halt production in multiple sites. Germany’s train company Deutsche Bahn was a victim. A similar piece of malware hit, Notpetya, caused millions of dollars worth of damages to shipping giant Maersk.

But as large as the ICS security impact was, WannaCry also had an outsized impact on the UK’s National Health Service, resulting in damages at nearly £100 million while leading to the cancellation of 19,000 medical appointments.

It’s possible that WannaCry, or a similar commodity attack, could lead to death or injury by, say, delaying a heart surgery, although it is generally difficult to prove a direct connection, said Leon Lerman, chief executive officer of Cynerio.

Attacks like WannaCry also illustrate the risk of exploits developed by nation states leaking and unwittingly empowering adversaries to attack the U.S. and allies. WannaCry and NotPetya both used an exploit known as EternalBlue, which the U.S. National Security Agency likely developed. The New York Times recently reported Chinese intelligence agents used “key parts of [the United States’] cybersecurity arsenal” to carry out attacks. Incidentally, the piece also reports that the sophisticated NSA-developed Stuxnet malware used to target Iranian nuclear centrifuges caused damage to U.S. businesses including Chevron.  

Domas is more worried about generic malware or simple carelessness playing a role in cyberattacks with safety consequences. “I still see too much sensationalism focused on bad guys causing patient harm,” she said. “I would love to see more of a shift toward understanding that if patient harm has happened [as a result of a cyberattack], it’s probably accidental. It is probably a side effect of something else that they were trying to do on the system.”

Researchers who examine cyberattacks on industrial control systems see a similar pattern, Simonovich said. “Most have some level of human error associated with the breach.”

On a related note, faulty software code on industrial systems and medical devices is a subject closely related to both safety and cybersecurity. The recent saga regarding the Boeing 737 MAX underscores this point. Writing about the problem, security expert Bruce Schneier wrote: “Technically, this is safety and not security; there was no attacker. But the fields are closely related.”

Domas agrees with that sentiment, citing, for example, the case of a hospital worker who caused an anesthesia machine to seize up abnormally after plugging a cellphone into it. It is easy to overlook the risk of such everyday occurrences, which don’t involve a cyberattacker.

Similarly, the types of headline ICS security and medical device stories that tend to garner the most media coverage make it easy to overlook the risk of insider threat. But “insider threat makes up the overwhelming majority of [attacks in the industrial sector],” Simonovich said.

Ultimately, to help address risk in ever-more connected industrial and medical environments, the people who work within them need to clearly understand the risk such connected systems can pose, whether exploited on purpose or inadvertently. “I think the people who are technology savvy are becoming more aware, but I really don’t see a huge kind of uptick in understanding or appreciation for the people who are not.”

And then, the topic of gauging risk management can be fiendishly difficult. One of the threat modeling, which is a subset of risk management. “But because there are so many cyber risks in any system, and you can’t fix all of them,” Domas said. “So that’s why you have to pair it with things like threat modeling and figure out what are the ones you need to be most concerned about,” she added. “Honestly, a lot of times, you find things that come up that trickle through your ranking system and you said: ‘You know what? I’m okay with that risk,’ and you do nothing to fix it, even though you know, there’s a cybersecurity issue there,” Domas said. “You have to strategize. You can’t fix everything.”

Tags: Connected Health Care IIoT/Manufacturing Security Features

Related Content


  • Caltech campus
    Robots Could Gain Sense of Touch, With New Artificial Skin
    New design can help businesses determine the presence of hazardous materials, offer greater safety for workers
  • Clearview AI Fined $9.4M Over Facial Data Scraping
    The company was ordered to delete any data it held on U.K. citizens.
  • Microsoft Ramping up Cybersecurity Service Offerings
    Three new managed services will boost the company’s presence in the security space
  • IoT Product Roundup
    IoT Product Roundup: PTC, Nokia, Arm and More
    All the latest Internet of Things products

Leave a comment Cancel reply

-or-

Log in with your IoT World Today account

Alternatively, post a comment by completing the form below:

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Latest News

  • FDA Clears Robotic Exoskeleton for Multiple Sclerosis Patients
  • Microsoft Extends Secured-Core Program to IoT Devices
  • Spot the Robot Dog Helps Police Ahead of Boston’s Fourth of July Celebration
  • Partnership to Globally Expand Robotics Solutions

Roundups

View all

IoT Product Roundup: Canonical, InfluxData, Wiliot and More

23rd June 2022

IoT Product Roundup: Cisco, Telit, Draganfly and More

9th June 2022

IoT Deals, Partnerships Roundup: Google, Arm, Senet and More

26th May 2022

White Papers

View all

The Role of Manufacturing Technology in Continuous Improvement Ebook

6th April 2022

IIoT Platform Trends for Manufacturing in 2022

6th April 2022

Latest Videos

View all
Image shows Unilever's Alberto Prado at AI Summit 2022 in London

AI Summit 2022: Unilever’s Alberto Prado

Prado talks about how Unilever is using AI to accelerate the speed of new discoveries and gives them access to more breakthrough innovation

Image Shows John Lewis' Barry Panai at AI Summit London 2022

AI Summit 2022: John Lewis’ Barry Panayi on AI in Retail

Panayi talks about data and AI in retail and how individuals and the technology can work together

E-books

View all

How Remote Access Helps Enterprises Improve IT Service and Employee Satisfaction

12th January 2022

An Integrated Approach to IoT Security

6th November 2020

Webinars

View all

Rethinking the Database in the IoT Era

18th May 2022

Jumpstarting Industrial IoT solutions with an edge data management platform

12th May 2022

AI led Digital Transformation of Manufacturing: Time is NOW

9th December 2021

Special Reports

View all

Omdia’s Smart Home Market Dynamics Report

7th January 2022

Cybersecurity Protection Increasingly Depends on Machine Learning

28th October 2020

IoT Security Best Practices for Industry and Enterprise

20th October 2020

Twitter

IoTWorldToday, IoTWorldSeries

🤔 Looking for 3 Strategies to Avoid IoT Key Theft? We’ve got you covered! As tech companies continue to develop an… twitter.com/i/web/status/1…

5th July 2022
IoTWorldToday, IoTWorldSeries

AI Summit 2022: Unilever’s Alberto Prado dlvr.it/STMpRN https://t.co/1dyLREr8N6

5th July 2022
IoTWorldToday, IoTWorldSeries

Seoul Robotics Expands 3D Perception Platform across South America dlvr.it/STMhSV https://t.co/a10l3Eb2Kn

5th July 2022
IoTWorldToday, IoTWorldSeries

Microsoft Extends Secured-Core Program to IoT Devices dlvr.it/STMg4k https://t.co/laBPF5VjC4

5th July 2022
IoTWorldToday, IoTWorldSeries

Spot the Robot Dog Helps Police Ahead of Boston’s Fourth of July Celebration dlvr.it/STKWjb https://t.co/LdRg7a2xqU

4th July 2022
IoTWorldToday, IoTWorldSeries

Another 59,000 @Teslas being recalled over a software glitch affecting the vehicle’s Emergency Call safety system… twitter.com/i/web/status/1…

4th July 2022
IoTWorldToday, IoTWorldSeries

Join us in the premier #tech destination of #Austin this November 2-3 for our next #IoT event. Connect and collabo… twitter.com/i/web/status/1…

4th July 2022
IoTWorldToday, IoTWorldSeries

SoftBank, May Mobility Team on Autonomous Driving dlvr.it/STJrW0 https://t.co/mOYoBsgs14

4th July 2022

Newsletter

Sign up for IoT World Today newsletters: vertical industry coverage on Tuesdays and horizontal tech coverage on Thursdays.

Special Reports

Our Special Reports take an in-depth look at key topics within the IoT space. Download our latest reports.

Business Resources

Find the latest white papers and other resources from selected vendors.

Media Kit and Advertising

Want to reach our audience? Access our media kit.

DISCOVER MORE FROM INFORMA TECH

  • IoT World Series
  • Channel Futures
  • RISC-V
  • Dark Reading
  • ITPro Today
  • Web Hosting Talk

WORKING WITH US

  • Contact
  • About Us
  • Advertise
  • Login/Register

FOLLOW IoT World Today ON SOCIAL

  • Privacy
  • CCPA: “Do Not Sell My Data”
  • Cookies Policy
  • Terms
Copyright © 2022 Informa PLC. Informa PLC is registered in England and Wales with company number 8860726 whose registered and Head office is 5 Howick Place, London, SW1P 1WG.
This website uses cookies, including third party ones, to allow for analysis of how people use our website in order to improve your experience and our services. By continuing to use our website, you agree to the use of such cookies. Click here for more information on our Cookie Policy and Privacy Policy.
X