Joel Langill (@SCADAhacker), a long-time reader, ICS Security Expert and commenter, started an interesting twitversation about the latest ICS-CERT medical device advisory. He started with this Tweet®:
“I think it is a bit strange that @ICSCERT is also handling medical devices. A real stretch for an #ICS. Are they losing focus here?”
Medical Devices vs Industrial Control Systems
In one respect I agree with Joel; while medical device security is important, it really isn’t in exactly the same realm as industrial control system security. The scope of the consequences is different by several orders of magnitude: potentially thousands of deaths from a successful attack on a major chemical plant control system, while a successful medical device attack would only affect the person wearing the device.
Of course, the Philips Xper advisory wasn’t about an individual device; this system is used in monitoring systems that potentially handle hundreds of patients at a major hospital. That is still a couple of orders of magnitude different than that chemical plant in terms of people at risk, but it is much closer to an industrial control system than an implanted device.
But, while the scope of the ultimate vulnerability is much different, the similarities in how the systems work and how they become vulnerable to outside attack are very great. Looking at the ICS-CERT description of the Xper vulnerabilities, you could have blocked out the ‘Xper’ name and it could have described vulnerabilities revealed in any number of classical industrial control systems.
Joel asks if ICS-CERT is losing its focus with advisories like this. Others would argue that it doesn’t have any focus to lose. The important thing to remember here, though, is that this was just an advisory, something that took relatively little effort by ICS-CERT, and that effort was nearly identical to what they do for any coordinated disclosure.
If this had been about a fly-away team going out to investigate this vulnerability the focus question might have been more appropriate. But even so, if the fly-away team were going out to aid in deciphering an attack on an Xper system as part of a criminal investigation, I don’t think anyone would really complain too much.
The other side of this is that while the Xper system is not exactly an industrial control system, in the media realm it is probably more important. Because the vulnerabilities and exploits were so similar to a more classical ICS-CERT advisory, this publication might be more beneficial in raising public awareness of the potential problem in a way that a Siemens or Rockwell advisory never will; a medical device is personal and more concrete in the eyes of JQ Public.
And think of this. On many occasions I have said that there will not be any significant improvement in ICS security until there is a public incident, a successful attack, that convinces boards, politicians and the public that the problem is real. Pardon this cold and heartless calculation, but a successful attack on an implanted medical device that kills one patient will provide that ‘public incident’ at a much lower societal cost than a successful attack on a chemical plant or the electrical grid.
No Joel, I think that ICS-CERT was right in publishing this advisory. Besides, what else were they doing anyway?