Posted Industrial Internet 4.0 on Blog
This quick post simply seeks to set context for software leaders hoping to help with the Industrial Internet, or “Industry 4.0” as many say in Europe, just highlighting a few points commonly missed by software leaders first stepping into industrial settings, particularly with the recent multi-hundred billion dollar projections on the size of the market for industrial internet software.
Unfortunately, many of us with strong backgrounds in software don’t often realize the scale of time and cost at which most industrial plants operate. Relining a blast furnace can cost $100M. In auto manufacturing, each minute of downtime for a manufacturing plant costs $22,000 on average. That’s $1.3M per hour, nearly three times more expensive than unplanned downtime costs for the average Information Technology (IT) organization. Some pipelines move $32,000 of oil per minute. That’s over $1.9M per hour. In that context, it’s no wonder that plant operations teams often view planned and unplanned maintenance with a bit more intensity than most IT teams. It’s also no wonder that companies are investing aggressively to optimize systems where a 10% improvement can produce gains of more than $200M per year for typical manufacturing plants. It's equally clear why "security" means "availability" to these operational teams who have so much need to protect the uptime and integrity of these systems. That's in direct contrast to traditional Information Technology (IT) teams who often must protect "confidentiality" and "secrecy" at the cost of uptime. That's an important distinction as manufacturing companies look to carefully leverage these smart technologies to improve their performance.
According to many, the past 350 years of manufacturing are marked by three revolutionary advances: the steam engine for generating mechanical power, then electrification of manufacturing, and most recently, digitalization of manufacturing through simple Programmable Logic Controllers (PLC). Many industrial leaders in Europe believe that they can produce a “fourth” such leap, “Industry 4.0,” by lashing digital manufacturing systems into highly virtualized, decentralized, and modular, plants leveraging interoperable real-time systems to yield “smart” factories which outperform current manufacturing plants by the same degree to which mechanization, electrification, and digitalization have improved manufacturing in centuries past. Beyond “linear” improvements such as the “10%” mentioned above, such digitally “integrated” plants will have the flexibility and agility to not only keep pace with increasingly nimble competition, but to stay ahead of them.
Of course, that connectivity brings both tremendous promise and risk. Having belabored pipeline explosions and steel blast furnace damage from cyber attacks in past posts, I won’t repeat myself here, especially since Symantec has already given the “Dragonfly” attacks against Western energy companies such great in depth coverage. However, I will promise here that next month’s blog will propose a path “forward” for security of such next generation Industrial Control Systems (ICS), not only leveraging the cornerstones of security for the Internet of Things (IoT), but also describing how they can be applied to the ICS of the Industrial Internet and Industry 4.0. In the interim, if you’re impatient, feel free to read up on our latest security solutions for embedded systems at www.symantec.com/iot.
For more reading:
Mar 07 2018, 9:10 AM
Posted Hospitals Breached via Medical Devices? on Blog
Many were surprised to read that extremely sophisticated and expensive medical devices, such as X-Ray machines and Blood Gas Analyzers, had been used as a pivot point in more broadly penetrating IT systems in three hospitals. Even though general vulnerability of networked medical devices has been well known, these are the first documented cases where such devices were used as pivot points for broader lateral attacks into the rest of the hospital.
With such exploitation now reported, I’d like to help “peel the onion” on why such obvious problems have been practically impossible to fix for so long. Surprisingly, the answer has nothing to do with technology. Many of these systems actually, believe it or not, run well-known software “under the hood,” such as various flavors of Windows and Linux. Sadly though, these extremely important machines are almost never updated with the latest security patches. Such risks aren’t a secret in hospitals. The healthcare industry has long seen the risks as these devices had previously been infected by malware such as Zeus, Citadel, Conficker, and more. In fact, some (computer) virus infections have shut down entire hospital departments, required rerouting of emergency patients, or had similar implications on care delivery.
Of course, any PC in the hospital, just like your laptop, has countless defenses against such malware. Well-patched machines running effective, up-to-date anti-virus software are well protected against such malware and hacker attacks. Unfortunately though, for regulatory or policy reasons, hospitals are not allowed to patch medical devices, even medical devices running Windows or other commercial software. Similarly, hospitals are not allowed to install any additional software on these medical devices, even security software essential for protection. The original logic stems from good reason. Medical equipment, including its software, must undergo formal testing and be determined safe for patients. Changing the software in any way, including patches, or adding software without explicit approval by the manufacturer can change the behavior of the device in ways that could endanger patients. For such reasons, regulatory restrictions prohibit tampering with medical equipment, even if the tampering is intended to protect the equipment and ultimately protect the patients.
How big are the risks? Obviously there is no risk of “banking information” being stolen from an MRI. However, some of the machines are so vulnerable that they may crash when they experience unexpected behavior. Chris Eng, VP of Research at Veracode, recently tweeted that an MRI machine crashed when simply scanned for vulnerabilities, or other researchers have reported that a simple SNMP inquiry could “tip over” medical equipment. Of course, not all medical devices are that sensitive, but none of these devices should be so vulnerable. When a device becomes infected, either as an entry-point, pivot-point, or just as part of a broader infection, we need to be concerned about the potential consequences. Critical system controls may get altered and could result, for example, in an excessive radiation dose from a CT scanner. Vulnerabilities found in insulin pumps have been shown to be outright lethal.
Another concerning scenario would be that of a targeted attack on a medical device, for example to harm a specific patient or the reputation of a hospital. Although no such cases have been documented or reported to date, security researchers have demonstrated risks for Pacemakers (Kevin Fu), Insulin Pumps (Jerome Radcliffe) and Infusion Pumps (Billy Rios), the latter resulting in an advisory from Homeland Security’s ICS-CERT and a patient safety communication from the FDA.
What is being done? In 2014, the FDA issued guidance to medical equipment makers regarding cybersecurity for the medical devices that they make and sell. I’m sure we’ll see further guidance, and potentially even enforcement, in years to come. Device makers need to design in the cybersecurity as well as capability to update devices “in the field,” and need to work with regulators on a process whereby it is easier for such updates to be provided to their customers. At the same time, hospitals are working on their processes to build a more secure medical device infrastructure.
Could such a strategy work? Will it? Do you like the approach, or does it worry you? Either way, I’d love to hear your thoughts. Feel free to email us anytime at firstname.lastname@example.org and visit us online at www.symantec.com/iot.
For more reading:
Mar 07 2018, 9:10 AM