Key Considerations to Securing the Internet of Things (IoT) & Bio-medical Devices
Webinar
Merritt Maxim
September 14, 2016
© 2016 Forrester Research, Inc. Reproduction Prohibited 2
Abstract
› Key Considerations to Securing the Internet of Things (IoT)
› IoT has evolved beyond a hyped-buzzword into available technologies on
the market that can significantly improve customer outcomes and deliver
business benefits. However, the reality of IoT as an interlinked set of
hardware, software, and ubiquitous connectivity is that it creates new
security challenges and exacerbates legacy security problems.
› In this webinar, Forrester Senior Analyst Merritt Maxim will summarize the
key IoT trends and outline the current IoT attack surface. He will also provide
guidance on how organizations can protect and defend against IoT-based
threats while still meeting their desired IoT business objectives.
Agenda
› Current IoT Trends
› Balancing Innovation With Security In Healthcare
› The Bio-medical Device Risk Landscape
› Attack Scenarios
› The Path Forward
Current IoT Trends
Current status of IoT technologies: Forrester IoT TechRadar™, Q1 2016
Source: “TechRadar™: Internet Of Things, Q1 2016” Forrester report
Chart annotation: IoT security is on a significant success trajectory, but only in the creation stage.
IoT Security is still maturing…
› Lots of hype and interest; focus on OS, firmware, and hardware level.
› Growing awareness of security concerns with IoT
› General consensus on value/need for IAM with IoT
Industry IoT deployment momentum varies widely
Source: https://www.forrester.com/report/The+Internet+Of+Things+Heat+Map+2016/-/E-RES122661 January 14, 2016.
Security Concerns still impede IoT Deployments
Base: 2,247 IT decision makers
Source: Forrester’s Business Technographics Security Survey, 2014
Question asked: “What are your firm’s concerns, if any, with deploying M2M/Internet of Things technologies?”
[Bar chart, 0% to 45% scale; response options charted:]
• Security concerns
• Total cost concerns (total cost of ownership)
• Integration challenges
• Pricing is unclear or complicated
• Lack of technology maturity
• Difficulty and risk of migration or installation
• Regulatory issues or concerns
• We don't think that we have an application or process that will be enhanced by M2M
• Lack of executive support
• None - we don't have any concerns
• We can't find the right supplier(s)
Different Worlds, different approaches

| Area | Traditional World | IoT World | Difference |
|---|---|---|---|
| Authentication | User-centric | IoT device-centric | Authenticating devices / blocking devices to/from the IoT security management plane |
| Authentication | Passwords, then biometrics | Human to device: biometrics, behaviors. Device-to-device: API, certs | Authenticating user(s) and devices to an IoT device |
| Provisioning and registration | Life-cycle support for predominantly users only. Manual and bulk registration. | Life-cycle support for devices, not just users | Provisioning and registering devices and users to the IoT security management plane |
| Provisioning and registration | Enterprise mobility management | Linking many previously unlinked but operational devices to a user | Device registration to user, user registration to device |
| Provisioning and registration | Static process | Dynamic, fast-changing process (e.g. connected vehicles) | Managing relationships between IoT devices |
| Provisioning and registration | Manual and user-initiated | User-initiated and inactivity-based | Unenrolling devices from the IoT security management plane |
| Self-services | No adopted standard | Forrester expects User-Managed Access (UMA) will emerge | Preference management, privacy management, data sharing consent |
| Self-services | Web-based | Based on enhanced Bluetooth or NFC connectivity | Allowing users to perform self-services for their IoT devices |
Balancing Innovation With Security In Healthcare
Innovations in Healthcare
› Robotic Surgery
› Telemedicine
› mHealth
With Innovation Comes Risk
The Bio-Medical Device Risk Landscape
A Typical Hospital Network is Flat
Complexity Is The Primary Enemy
Threat Actor Motivations
Attack Scenarios
Medical Device Security - Risk Categories
› Denial-of-Service
› Patient Data Theft
› Therapy Manipulation
› Asset Damage
Denial-Of-Service: Scenario
Causes
• Network attack
• Malware
• Software exploitation
• Radio frequency (RF) exploitation
Impacts
• Clinical workflow disruption
• IT/Clinical engineering staff disruption
Outcomes
• Patient harm
• Reputational damage
• Regulatory fines/Lawsuits
• Request for ransom
Denial-Of-Service: Evidence
› Case #1: 20 patient monitoring systems taken down in a CA-based hospital (unreported)
› Case #2: MA-based hospital ward shut down due to malware infecting patient monitoring systems (unreported)
› Case #3: CA-based hospital shutdown due to ransomware infecting medical devices
Denial-Of-Service: Outlook
Therapy Manipulation: Scenario
Causes
• Malware
• Software exploitation
• Poor access controls
Impacts
• Changes in device function/parameters
• Changes to patient data
Outcomes
• Patient harm
• Reputational damage
• Regulatory fines/lawsuits
• Request for ransom
• Changes in future treatment decisions
Therapy Manipulation: Evidence
› Case #1: PCA Pump exploited by Austrian patient
› Case #2: PCA Pump exploited by researcher
› Case #3: Insulin Pump exploited by researcher
› Case #4: Implantable Defibrillator exploited by researcher
Therapy Manipulation: Outlook
Asset Damage: Scenario
Causes
• Network attack
• Malware
• Software exploitation
Impacts
• Clinical workflow disruption
• IT/clinical engineering staff disruption
Outcomes
• Patient harm
• High replacement costs
Asset Damage: Evidence
› No examples found in healthcare
› Difficult to track, because security events are not considered as a cause in MDRs
› Examples from other industries still prove the capability:
• Stuxnet malware (targeted industrial centrifuges in Iran)
• Ukrainian power grid
• Reservoir dam in Westchester County, NY (December 2015)
Asset Damage: Outlook
Patient Data Theft: Scenario
Causes
• Malware
• Software exploitation
• Poor access controls/device theft
• Device used as entry point into data network
Impacts
• Direct theft of data from device
• EMR database compromise
Outcomes
• Patient harm due to fraud
• Patient privacy loss
• Reputational damage
• Regulatory fines/lawsuits
Patient Data Theft: Evidence
› Case #1: HIPAA fines MA-based hospital $850,000 due to CT scanner breach
› Case #2: Russian gang used medical devices as entry point into hospital network; stole patient data from EMR
Patient Data Theft: Outlook
High Severity Risk
The Path Forward
Step 1: Categorize Existing Devices Based On Risk
Base your risk categories on:
› Potential impact to patient safety
› Network connectivity
› Data sensitivity
› Attack likelihood
› Vendor security SLA
Step 2: Implement A Clinical Risk Management Framework
Device Risk Management cycle:
› Assessment, prioritization and planning
› Reduction, mitigation and control
› Residual risk level
› Risk acceptance
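The categorization in Step 1 and the management loop in Step 2 are easier to reason about as a small scoring script. The following is an added example, not code from the Forrester deck or from any device vendor: it scores each device on the five factors the deck names for Step 1 and then walks the Step 2 stages (assessment and prioritization, reduction/mitigation/control, residual risk level, risk acceptance). The 1-to-5 scales, the factor weights, the category cut-offs, the acceptance threshold and the three-device inventory are all constructed assumptions for the demonstration.

```python
"""Risk categorization and residual-risk loop for a medical-device inventory.

Added example, not code from the Forrester deck.  Each device is scored on
the five Step 1 factors (patient-safety impact, network connectivity, data
sensitivity, attack likelihood, vendor security SLA); the Step 2 loop then
assesses, prioritizes, applies controls, computes residual risk and decides
whether it is acceptable.  All scales, weights, thresholds and the sample
inventory below are constructed for the demonstration.
"""
from dataclasses import dataclass, field

# Every factor is scored 1 (low) to 5 (high).  vendor_sla is scored so that a
# weaker vendor security commitment gets the higher number; every factor
# therefore adds risk.  Weights are a constructed assumption.
FACTORS = ("patient_safety", "connectivity", "data_sensitivity",
           "attack_likelihood", "vendor_sla")
WEIGHTS = {"patient_safety": 3, "connectivity": 2, "data_sensitivity": 2,
           "attack_likelihood": 2, "vendor_sla": 1}
MAX_POINTS = 5 * sum(WEIGHTS.values())          # 50
ACCEPTABLE_RESIDUAL = 0.40                      # constructed acceptance threshold


@dataclass
class Device:
    name: str
    scores: dict                                  # factor -> 1..5
    # Controls applied in the "reduction, mitigation and control" stage,
    # as (factor, points removed).  A factor never drops below 1.
    controls: list = field(default_factory=list)


def _weighted(scores):
    """Normalised 0..1 risk score for a dict of factor scores."""
    return sum(WEIGHTS[f] * scores[f] for f in FACTORS) / MAX_POINTS


def inherent_score(dev):
    """Risk before any controls: the input to Step 1 categorization."""
    return _weighted(dev.scores)


def residual_score(dev):
    """Risk left after the device's controls are applied (residual risk level)."""
    adjusted = dict(dev.scores)
    for factor, reduction in dev.controls:
        adjusted[factor] = max(1, adjusted[factor] - reduction)
    return _weighted(adjusted)


def category(score):
    """Map a normalised score onto a risk category (cut-offs constructed)."""
    if score >= 0.70:
        return "high"
    if score >= 0.40:
        return "medium"
    return "low"


def assess(inventory):
    """Assessment and prioritization: one row per device, highest inherent risk first."""
    rows = []
    for dev in inventory:
        inherent = inherent_score(dev)
        residual = residual_score(dev)
        rows.append({
            "device": dev.name,
            "inherent": round(inherent, 2),
            "category": category(inherent),
            "residual": round(residual, 2),
            # Risk acceptance: only residual risk at or under the threshold is accepted
            "accepted": residual <= ACCEPTABLE_RESIDUAL,
        })
    rows.sort(key=lambda r: r["inherent"], reverse=True)
    return rows


# Constructed inventory: three devices with very different risk profiles.
INVENTORY = [
    Device("infusion-pump-07",
           {"patient_safety": 5, "connectivity": 4, "data_sensitivity": 3,
            "attack_likelihood": 4, "vendor_sla": 4},
           controls=[("connectivity", 2),          # moved to a restricted segment
                     ("attack_likelihood", 1)]),   # default credentials removed
    Device("patient-monitor-12",
           {"patient_safety": 4, "connectivity": 4, "data_sensitivity": 4,
            "attack_likelihood": 3, "vendor_sla": 2},
           controls=[("connectivity", 2), ("attack_likelihood", 2)]),
    Device("label-printer-lab",
           {"patient_safety": 1, "connectivity": 3, "data_sensitivity": 1,
            "attack_likelihood": 2, "vendor_sla": 2}),
]

if __name__ == "__main__":
    for row in assess(INVENTORY):
        print(row)
```

The point the output makes is the one the framework slide makes: the infusion pump stays above the acceptance threshold even after segmentation and credential clean-up, so it goes back into the planning stage rather than being accepted, while the printer's residual risk can be accepted as-is.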
Step 3: Follow Basic Security Hygiene
› Foster a culture of security awareness within clinical engineering and clinical departments
• Blogs, security champions, rotationships
› Eliminate default passwords
Step 4: Include Security Requirements In RFPs
Request that device manufacturers:
› Follow current application security best-practices
› Conduct threat modeling/pen testing
› Have roadmap to build security logging into software
› Present a completed MDS2 form
Step 5: Move Toward A “Zero-Trust” Architecture
› Segment devices based on risk
› Inspect network data as it flows between segments
› Require secure authentication into the network
Principles of Zero Trust
The network is designed from the inside out
Visibility: Inspect and log all traffic
Verify and never trust
Access control is on a “need-to-know” basis and is strictly enforced
All resources are accessed in a secure manner regardless of location
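The three Step 5 actions and the Zero Trust principles above can be expressed as a flow-policy check: devices sit in segments by risk category, traffic crossing a segment boundary is allowed only by an explicit need-to-know rule with everything else denied, the source must have a verified identity, and every decision is logged. The following is an added example, not code from the Forrester deck or from any segmentation product; the segment names, hosts, allowlist rules and the flow records are all constructed for the demonstration, and the `authenticated` flag stands in for whatever network identity check (for example 802.1X) the deployment actually uses.

```python
"""Zero-trust flow policy between risk-based segments.

Added example, not code from the Forrester deck.  Hosts are placed in
segments according to their risk category; traffic crossing a segment
boundary is allowed only by an explicit need-to-know rule (default deny),
must carry a verified identity, and every decision is logged so the
inter-segment traffic stays visible.  Segment names, hosts, rules and
flow records are all constructed for the demonstration.
"""
from dataclasses import dataclass

# Segment membership, derived from the risk category (constructed).
SEGMENTS = {
    "high-risk-devices": {"infusion-pump-07", "patient-monitor-12"},
    "low-risk-devices":  {"label-printer-lab"},
    "clinical-apps":     {"emr-app-01"},
    "workstations":      {"nurse-ws-3"},
    "vendor-access":     {"vendor-jump-1"},
}

# Need-to-know allowlist: (source segment, destination segment, destination
# port).  Anything not listed is denied, including traffic between two
# devices inside the same segment.
ALLOWED = {
    ("high-risk-devices", "clinical-apps", 443),   # device telemetry to the EMR
    ("workstations", "clinical-apps", 443),        # clinicians to the EMR
    ("vendor-access", "high-risk-devices", 22),    # vendor maintenance session
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    authenticated: bool   # result of the network's identity check (assumed, e.g. 802.1X)


def segment_of(host):
    """Return the segment a host is enrolled in, or None if it is unknown."""
    for name, members in SEGMENTS.items():
        if host in members:
            return name
    return None


def decide(flow):
    """Apply the zero-trust checks in order and return (verdict, reason)."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg is None or dst_seg is None:
        return "deny", "unenrolled endpoint"            # unknown hosts get nothing
    if not flow.authenticated:
        return "deny", "unauthenticated"                # verify, never trust
    if (src_seg, dst_seg, flow.dst_port) in ALLOWED:
        return "allow", f"rule {src_seg}->{dst_seg}:{flow.dst_port}"
    return "deny", "no need-to-know rule (default deny)"


def evaluate(flows):
    """Decide every flow and record each decision: nothing goes unlogged."""
    log = []
    for f in flows:
        verdict, reason = decide(f)
        log.append({"flow": f"{f.src}->{f.dst}:{f.dst_port}",
                    "authenticated": f.authenticated,
                    "verdict": verdict, "reason": reason})
    return log


# Constructed flow records, as a segmentation gateway might observe them.
SAMPLE_FLOWS = [
    Flow("infusion-pump-07", "emr-app-01", 443, True),           # permitted by rule
    Flow("nurse-ws-3", "infusion-pump-07", 22, True),            # no rule for this path
    Flow("vendor-jump-1", "infusion-pump-07", 22, False),        # right path, no identity
    Flow("vendor-jump-1", "infusion-pump-07", 22, True),         # permitted by rule
    Flow("label-printer-lab", "patient-monitor-12", 445, True),  # low-risk to high-risk, no rule
    Flow("rogue-laptop", "emr-app-01", 443, True),               # not enrolled anywhere
]

if __name__ == "__main__":
    for entry in evaluate(SAMPLE_FLOWS):
        print(f"{entry['verdict']:5} {entry['flow']}  ({entry['reason']})")
```

The order of the checks matters: enrollment is tested before identity, and identity before the allowlist, so a host that is not in the inventory from Step 1 is refused before any rule is consulted, and a correct path without a verified identity is still denied. Allowed flows are logged alongside denied ones, which is what "inspect and log all traffic" requires.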
Need to Know
› IEC 80001-1
› MDS2
› NH-ISAC / ICS-CERT
› MDISS
› UL 2900 Cybersecurity Certification
› FDA Pre-Market and Post-Market Cybersecurity Guidance
Closing Thought… IoT technology focus is shifting from networks and hardware to software, platforms and analytics
› Initial IoT focus was on connecting devices, but is now extending to applications and solutions
• Variety of applications
• Actual case studies in many industries
• Analytics and business intelligence benefits
› IT execs will engage as the business embraces scalable IoT systems, driving needs for skills in:
• Security, device management, and interoperability
• Links to analytics and systems of record