Sunday, August 11, 2013

Medical Malware – Detection Techniques

There is an interesting article over at about cybersecurity and medical devices. A lot of it is a rehash of things we’ve been hearing out of the black hat community for a couple of years now, and it is reflected in the recent FDA draft guidance on cybersecurity. There are two interesting new items that I hadn’t seen discussed before: a new method of detecting medical malware and a discussion about the use of anti-virus software on medical devices.

Power Detection of Malware

The article contains a link to a journal article (in the Proceedings of USENIX Workshop on Health Information Technologies, 2013) about a power monitoring system (WattsUpDoc) that can be used to detect the unusual power consumption associated with a malware attack on a medical device. The authors noted that if one has an accurate history of a device’s normal power consumption patterns, changes in those patterns could be used to detect when a device has been compromised by a cyber-attack. Their paper also claims to have validated the technique on an industrial-scale SCADA system.
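To make the baseline-deviation idea concrete, here is a small added example (not the WattsUpDoc authors’ code): it learns per-window power features from a known-good trace and flags later windows whose features drift from that baseline. The power readings, window size and threshold are all constructed for illustration.

```python
"""Added example: baseline-deviation detection over a device power trace.
Not WattsUpDoc's code; a simplified illustration of the idea described above.
Power readings (watts) are constructed synthetically in synth_trace()."""
import random
from statistics import mean, pstdev

WINDOW = 50          # samples per analysis window (assumed granularity)
THRESHOLD = 30.0     # anomaly score above which a window is flagged (assumed)

def window_features(samples):
    """Per-window features: average draw, variability, and peak-to-trough swing."""
    return (mean(samples), pstdev(samples), max(samples) - min(samples))

def split_windows(trace, size=WINDOW):
    """Non-overlapping windows; a trailing partial window is dropped."""
    return [trace[i:i + size] for i in range(0, len(trace) - size + 1, size)]

def learn_baseline(normal_trace):
    """For each feature, its mean and spread across windows of a known-good trace."""
    feats = [window_features(w) for w in split_windows(normal_trace)]
    return [(mean(col), pstdev(col) or 1e-6) for col in zip(*feats)]

def anomaly_score(window, baseline):
    """Sum of squared z-scores of the window's features against the baseline."""
    return sum(((f - m) / s) ** 2
               for f, (m, s) in zip(window_features(window), baseline))

def flag_windows(trace, baseline, threshold=THRESHOLD):
    """Indexes of windows whose power signature departs from the baseline."""
    return [i for i, w in enumerate(split_windows(trace))
            if anomaly_score(w, baseline) > threshold]

def synth_trace(n, idle_w, burst_w, burst_every, rng):
    """Constructed power trace: idle draw with periodic bursts plus sensor noise."""
    return [idle_w + (burst_w if i % burst_every == 0 else 0.0) + rng.gauss(0, 0.05)
            for i in range(n)]

def demo():
    rng = random.Random(2013)
    # known-good recording: 12 W idle, 3 W burst every 10th sample
    baseline = learn_baseline(synth_trace(2000, 12.0, 3.0, 10, rng))
    clean = synth_trace(1000, 12.0, 3.0, 10, rng)
    # compromised device: extra steady load plus a busier burst pattern
    compromised = synth_trace(1000, 13.5, 3.0, 5, rng)
    return flag_windows(clean, baseline), flag_windows(compromised, baseline)

if __name__ == "__main__":
    clean_hits, bad_hits = demo()
    print(f"clean windows flagged: {clean_hits}")
    print(f"compromised windows flagged: {bad_hits}")
```

The threshold would in practice be tuned against many recordings of the device in normal operation, since any change in clinical workload that alters the power profile will otherwise show up as a false alarm.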

I’ll leave the technical evaluation of the technique to people with the appropriate expertise, but it would seem to me that this technique might be particularly valuable in safety systems because of the very constrained outputs of those systems.

Medical Anti-Virus Problems

Sorry, I couldn’t resist that heading. 

The article explains that many medical devices cannot use commercial anti-virus software because they are running on proprietary operating systems. The ones that are using variations of a Microsoft OS might be able to use off-the-shelf AV software, but device manufacturers do not allow (or support) the use of third-party software (or I suspect even the update of the MS-OS) because of the very real potential for unexpected conflicts with the device software.

This is not an unknown problem for many control systems, but a software lockup on one’s pacemaker could be even more troublesome than the shutting down of a production line. But with the rise of hackers actively looking at medical device control systems, it seems to me that there is a significant need to come up with a workable solution to the AV problem.
