Joel Langill (@SCADAhacker), a long-time reader, ICS security expert and commentator, started an interesting Twitter conversation about the latest ICS-CERT medical device advisory. He started with this Tweet®:
“I think it is a bit strange that @ICSCERT is also handling medical
devices. A real stretch for an #ICS. Are they
losing focus here?”
Medical Devices vs Industrial Control Systems
In one respect I agree with Joel: while medical device security is important, it really isn’t in exactly the same realm as industrial control system security. The scope of the consequences is different by several orders of magnitude; a successful attack on a major chemical plant control system could cause thousands of deaths, while a successful attack on a medical device would only affect the person wearing the device.
Of course, the Philips Xper advisory wasn’t about an individual device; the Xper system is used in monitoring systems that potentially handle hundreds of patients at a major hospital. That is still a couple of orders of magnitude different from the chemical plant in terms of the number of people at risk, but it is much closer to an industrial control system than an implanted device is.
But, while the scope of the ultimate vulnerability is much different, the similarities in how the systems work and how they become vulnerable to outside attack are considerable. Looking at the ICS-CERT description of the Xper vulnerabilities, you could have blacked out the ‘Xper’ name and the description could have applied to vulnerabilities revealed in any number of classical industrial control systems.
ICS-CERT Role
Joel asks if ICS-CERT is losing its focus with advisories like this. Others would argue that it doesn’t have any focus to lose. The important thing to remember here, though, is that this was just an advisory, something that took relatively little effort by ICS-CERT, and that effort was nearly identical to what they do for any coordinated disclosure.
If this had been about a fly-away team going out to investigate this vulnerability, the focus question might have been more appropriate. But even so, if the fly-away team were going out to aid in deciphering an attack on an Xper system as part of a criminal investigation, I don’t think anyone would really complain too much.
The other side of this is that while the Xper system is not exactly an industrial control system, in the media realm it is probably more important. Because the vulnerabilities and exploits were so similar to those in a more classical ICS-CERT advisory, this publication might do more to raise public awareness of the potential problem than a Siemens or Rockwell advisory ever will; a medical device is personal and more concrete in the eyes of JQ Public.
And think of this. On many occasions I have said that there will not be any significant improvement in ICS security until there is a public incident, a successful attack, that convinces boards, politicians and the public that the problem is real. Pardon this cold and heartless calculation, but a successful attack on an implanted medical device that kills one patient will provide that ‘public incident’ at a much lower societal cost than a successful attack on a chemical plant or the electrical grid.
No Joel, I think that ICS-CERT was right in publishing this advisory. Besides, what else were they doing anyway?