OnDemand Webinar: Key Considerations to Securing the Internet of Things (IoT) & Bio-medical Devices...

Date post: 22-Jan-2018
Upload: great-bay-software
Key Considerations to Securing the Internet of Things (IoT) & Bio-medical Devices Webinar, Merritt Maxim, September 14, 2016
Transcript
Page 1: OnDemand Webinar: Key Considerations to Securing the Internet of Things (IoT) & Bio-medical Devices | Great Bay Software

Key Considerations to Securing the Internet of Things (IoT) & Bio-medical Devices Webinar

Merritt Maxim, September 14, 2016

Page 2

© 2016 Forrester Research, Inc. Reproduction Prohibited 2

Abstract

› Key Considerations to Securing the Internet of Things (IoT)

› IoT has evolved beyond a hyped buzzword into available technologies on the market that can significantly improve customer outcomes and deliver business benefits. However, the reality of IoT as an interlinked set of hardware, software, and ubiquitous connectivity is that it creates new security challenges and exacerbates legacy security problems.

› In this webinar, Forrester Senior Analyst Merritt Maxim will summarize the key IoT trends and outline the current IoT attack surface. He will also provide guidance on how organizations can protect and defend against IoT-based threats while simultaneously enabling them to meet desired IoT business objectives.

Page 3

Agenda

› Current IoT Trends

› Balancing Innovation With Security In Healthcare

› The Bio-medical Device Risk Landscape

› Attack Scenarios

› The Path Forward

Page 4

Current IoT Trends

Page 5

Current status of IoT technologies: Forrester IoT TechRadar™, Q1 2016

Source: “TechRadar™: Internet Of Things, Q1 2016” Forrester report

IoT security: on a significant success trajectory, but only in the creation stage

Page 6

IoT Security is still maturing…

› Lots of hype and interest; focus on OS, firmware, and hardware level.

› Growing awareness of security concerns with IoT

› General consensus on value/need for IAM with IoT

Page 7

Industry IoT deployment momentum varies widely

Source: https://www.forrester.com/report/The+Internet+Of+Things+Heat+Map+2016/-/E-RES122661 January 14, 2016.

Page 8

Security Concerns still impede IoT Deployments

Survey question: "What are your firm’s concerns, if any, with deploying M2M/Internet of Things technologies?"

Base: 2,247 IT decision makers

Source: Forrester’s Business Technographics Security Survey, 2014

[Horizontal bar chart, 0% to 45% scale, with the following response options:]

• Security concerns

• Total cost concerns (total cost of ownership)

• Integration challenges

• Pricing is unclear or complicated

• Lack of technology maturity

• Difficulty and risk of migration or installation

• Regulatory issues or concerns

• We don't think that we have an application or process that will be enhanced by M2M

• Lack of executive support

• None - we don't have any concerns

• We can't find the right supplier(s)

Page 9

Different Worlds, different approaches

Area | Traditional World | IoT World | Difference

Authentication | User-centric | IoT device-centric | Authenticating devices / blocking devices to/from the IoT security management plane

Authentication | Passwords, then biometrics | Human to device: biometrics, behaviors. Device-to-device: API, certs | Authenticating user(s) and devices to an IoT device

Provisioning and registration | Life-cycle support for predominantly users only. Manual and bulk registration. | Life-cycle support for devices, not just users | Provisioning and registering devices and users to the IoT security management plane

Provisioning and registration | Enterprise mobility management | Linking many previously unlinked but operational devices to a user | Device registration to user, user registration to device

Provisioning and registration | Static process | Dynamic, fast-changing process (e.g. connected vehicles) | Managing relationships between IoT devices

Provisioning and registration | Manual and user-initiated | User-initiated and inactivity-based | Unenrolling devices from the IoT security management plane

Self-services | No adopted standard | Forrester expects User-Managed Access (UMA) will emerge | Preference management, privacy management, data sharing consent

Self-services | Web-based | Based on enhanced Bluetooth or NFC connectivity | Allowing users to perform self-services for their IoT devices

Page 10

Balancing Innovation With Security In Healthcare

Page 11

Innovations in Healthcare: Robotic Surgery

Page 12

Innovations in Healthcare: Telemedicine

Page 13

Innovations in Healthcare: mHealth

Page 14

With Innovation Comes Risk

Page 15

With Innovation Comes Risk

Page 16

The Bio-Medical Device Risk Landscape

Page 17

A Typical Hospital Network is Flat

Page 18

Complexity Is The Primary Enemy

Page 19

Threat Actor Motivations

Page 20

Attack Scenarios

Page 21

Medical Device Security - Risk Categories

• Denial-of-Service

• Patient Data Theft

• Therapy Manipulation

• Asset Damage

Page 22

Denial-Of-Service: Scenario

Causes

• Network attack

• Malware

• Software exploitation

• Radio frequency (RF) exploitation

Impacts

• Clinical workflow disruption

• IT/Clinical engineering staff disruption

Outcomes

• Patient harm

• Reputational damage

• Regulatory fines/Lawsuits

• Request for ransom

Page 23

Denial-Of-Service: Evidence

› Case #1: 20 patient monitoring systems taken down in a CA-based hospital (unreported)

› Case #2: MA-based hospital ward shut down due to malware infecting patient monitoring systems (unreported)

› Case #3: CA-based hospital shutdown due to ransomware infecting medical devices

Page 24

Denial-Of-Service: Outlook

Page 25

Therapy Manipulation: Scenario

Causes

• Malware

• Software exploitation

• Poor access controls

Impacts

• Changes in device function/parameters

• Changes to patient data

Outcomes

• Patient harm

• Reputational damage

• Regulatory fines/lawsuits

• Request for ransom

• Changes in future treatment decisions

Page 26

Therapy Manipulation: Evidence

› Case #1: PCA Pump exploited by Austrian patient

› Case #2: PCA Pump exploited by researcher

› Case #3: Insulin Pump exploited by researcher

› Case #4: Implantable Defibrillator exploited by researcher

Page 27

Therapy Manipulation: Outlook

Page 28

Asset Damage: Scenario

Causes

• Network attack

• Malware

• Software exploitation

Impacts

• Clinical workflow disruption

• IT/clinical engineering staff disruption

Outcomes

• Patient harm

• High replacement costs

Page 29

Asset Damage: Evidence

› No examples found in healthcare

› Difficult to track due to lack of consideration of security event causation in MDRs

› Examples from other industries still prove capability

• Stuxnet malware (targeted industrial centrifuges in Iran)

• Ukrainian power grid

• Reservoir dam in Westchester County, NY (December 2015)

Page 30

Asset Damage: Outlook

Page 31

Patient Data Theft: Scenario

Causes

• Malware

• Software exploitation

• Poor access controls/device theft

• Device used as entry point into data network

Impacts

• Direct theft of data from device

• EMR database compromise

Outcomes

• Patient harm due to fraud

• Patient privacy loss

• Reputational damage

• Regulatory fines/lawsuits

Page 32

Patient Data Theft: Evidence

› Case #1: HIPAA fines MA-based hospital $850,000 due to CT Scanner breach

› Case #2: Russian gang used medical devices as entry point into hospital network; stole patient data from EMR

Update Russian info

Page 33

Patient Data Theft: Outlook

High Severity Risk

Page 34

The Path Forward

Page 35

Step 1: Categorize Existing Devices Based On Risk

Base your risk categories on:

› Potential impact to patient safety

› Network Connectivity

› Data Sensitivity

› Attack likelihood

› Vendor security SLA

Page 36

Step 2: Implement A Clinical Risk Management Framework

Device Risk Management (cycle):

› Assessment, prioritization and planning

› Reduction, mitigation and control

› Residual risk level

› Risk acceptance

Page 37

Step 3: Follow Basic Security Hygiene

› Foster a culture of security awareness within clinical engineering and clinical departments

• Blogs, security champions, rotationships

› Eliminate default passwords

Page 38

Step 4: Include Security Requirements In RFPs

Request that device manufacturers:

› Follow current application security best-practices

› Conduct threat modeling/pen testing

› Have roadmap to build security logging into software

› Present a completed MDS2 form

Page 39

Step 5: Move Toward A “Zero-Trust” Architecture

› Segment devices based on risk

› Inspect network data as it flows between segments

› Require secure authentication into network

Page 40

Principles of Zero Trust

The network is designed from the inside out

Visibility: Inspect and log all traffic

Verify and never trust

Access control is on a “need-to-know” basis and is strictly enforced

All resources are accessed in a secure manner regardless of location
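The following is an added worked example, not material from the webinar or from Forrester or Great Bay Software. It ties Step 1 (categorize devices by the five risk criteria on slide 35) to Step 5 and the zero-trust principles on this slide: each device gets a risk score, the score selects a network segment, and traffic between segments is checked against a need-to-know allow-list with default deny, an explicit refusal of unregistered devices, and a log line for every decision. The device inventory, the scoring weights and tier thresholds, the segment names and the allowed flows are all constructed assumptions for illustration; a real deployment would take them from its own clinical risk assessment.

```python
"""Risk-tiered segmentation with a default-deny, fully logged flow policy.

Added example for the webinar's Step 1 / Step 5 / zero-trust slides.
All inventory entries, weights, thresholds and allowed flows are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Device:
    """One inventoried device, scored 0..3 on each Step 1 criterion."""
    name: str
    patient_safety_impact: int   # 0 = none .. 3 = life-sustaining therapy
    network_connectivity: int    # 0 = isolated .. 3 = reachable from the internet
    data_sensitivity: int        # 0 = no patient data .. 3 = full patient records
    attack_likelihood: int       # 0 = low .. 3 = widely exploited device class
    vendor_security_sla: int     # 0 = timely patch SLA .. 3 = no patch commitment


# Assumed weights: patient safety dominates; vendor SLA is a modifier.
WEIGHTS = {
    "patient_safety_impact": 3,
    "network_connectivity": 2,
    "data_sensitivity": 2,
    "attack_likelihood": 2,
    "vendor_security_sla": 1,
}
# Assumed tier thresholds on the weighted score (maximum possible is 30).
HIGH_THRESHOLD, MEDIUM_THRESHOLD = 20, 10


def risk_score(device: Device) -> int:
    """Weighted sum of the Step 1 criteria."""
    return sum(getattr(device, field) * weight for field, weight in WEIGHTS.items())


def risk_tier(device: Device) -> str:
    score = risk_score(device)
    if score >= HIGH_THRESHOLD:
        return "high"
    if score >= MEDIUM_THRESHOLD:
        return "medium"
    return "low"


def segment_for(device: Device) -> str:
    """Step 5: the segment a device lands in is a function of its risk tier."""
    return f"seg-{risk_tier(device)}"


# Constructed need-to-know allow-list: (source segment, destination segment, protocol).
# Anything not listed is denied, including lateral device-to-device traffic.
ALLOWED_FLOWS = {
    ("seg-high", "ehr-gateway", "hl7-mllp"),
    ("seg-medium", "ehr-gateway", "hl7-mllp"),
    ("seg-medium", "ehr-gateway", "dicom"),
    ("seg-low", "internet", "https"),
}


def evaluate_flow(inventory: Dict[str, Device], src_name: str, dst_segment: str,
                  protocol: str, log: List[str]) -> bool:
    """Decide one flow between segments and log the decision (visibility principle).

    Unregistered sources are refused outright ("verify and never trust");
    registered sources pass only if the flow is on the allow-list.
    """
    device = inventory.get(src_name)
    if device is None:
        src_segment, decision, reason = "unknown", "deny", "unregistered source device"
    else:
        src_segment = segment_for(device)
        if (src_segment, dst_segment, protocol) in ALLOWED_FLOWS:
            decision, reason = "allow", "matches need-to-know allow-list"
        else:
            decision, reason = "deny", "flow not in allow-list"
    log.append(f"{decision.upper()} src={src_name}({src_segment}) "
               f"dst={dst_segment} proto={protocol} reason={reason}")
    return decision == "allow"


# Constructed sample inventory (names and scores are illustrative only).
SAMPLE_INVENTORY = {d.name: d for d in [
    Device("infusion-pump-ward3", 3, 2, 1, 2, 3),   # score 22 -> high
    Device("ct-scanner-radiology", 1, 2, 3, 2, 1),  # score 18 -> medium
    Device("thermostat-lobby", 0, 2, 0, 2, 1),      # score 9  -> low
]}


def run_sample() -> Tuple[Dict[str, bool], List[str]]:
    """Evaluate a handful of constructed flows and return decisions plus the log."""
    log: List[str] = []
    results = {
        "pump_to_ehr": evaluate_flow(SAMPLE_INVENTORY, "infusion-pump-ward3", "ehr-gateway", "hl7-mllp", log),
        "pump_to_internet": evaluate_flow(SAMPLE_INVENTORY, "infusion-pump-ward3", "internet", "https", log),
        "ct_to_ehr_dicom": evaluate_flow(SAMPLE_INVENTORY, "ct-scanner-radiology", "ehr-gateway", "dicom", log),
        "thermostat_to_ehr": evaluate_flow(SAMPLE_INVENTORY, "thermostat-lobby", "ehr-gateway", "hl7-mllp", log),
        "rogue_to_ehr": evaluate_flow(SAMPLE_INVENTORY, "unknown-laptop", "ehr-gateway", "hl7-mllp", log),
    }
    return results, log


if __name__ == "__main__":
    decisions, audit_log = run_sample()
    for line in audit_log:
        print(line)
```

Two design points worth noting. The flat hospital network of slide 17 corresponds to an allow-list that matches everything; the value of the zero-trust version is that the policy is a short, reviewable set of tuples, so adding a flow is an explicit decision that the Step 2 framework can record against a device's residual risk. And because the decision log is emitted for allowed as well as denied flows, the same records feed the "inspect and log all traffic" principle without a separate monitoring path.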

Page 41

Need to Know

› IEC 80001-1

› MDS2

› NH-ISAC / ICS-CERT

› MDISS

› UL 2900 Cybersecurity Certification

› FDA Pre-Market and Post-Market Cybersecurity Guidance

Page 42

Closing Thought… IoT technology focus is shifting from networks and hardware to software, platforms and analytics

› Initial IoT focus was on connecting devices, but is now extending to applications and solutions

• Variety of applications

• Actual case studies in many industries

• Analytics and business intelligence benefits

› IT execs will engage as the business embraces scalable IoT systems, driving needs for skills in:

• Security, device management, and interoperability

• Links to analytics and systems of record

Page 43

Thank you

forrester.com

Merritt Maxim

[email protected]

@merrittmaxim
