Saturday, November 2, 2024

Short Takes – 11-2-24 – Cybersecurity Edition

Data Normalization Challenges and Mitigations in Software Bill of Materials Processing. Mitre.org report. Pull quote: “The U.S. FDA has recognized the importance of SBOMs in managing postmarket software vulnerabilities in medical devices and providing transparency to the users of these devices since the 2018 Medical Device Safety Action Plan [link added] [10], including considering the need for additional regulatory authorities in this space. These authorities were granted in Section 3305 in the Consolidated Appropriations Act, 2023, which added Section 524B “Ensuring Cybersecurity of Medical Devices” to the Federal Food, Drug, and Cosmetic (FD&C) Act. This provision, among other requirements, requires SBOMs (Section 524B(b)(3)) as part of premarket submissions for cyber devices. The 2023 guidance, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions [link added] (henceforth called “premarket cybersecurity guidance”) [11], provides, among other things, FDA’s recommendations on using SBOMs to manage cybersecurity risks.”

New Research: The Proliferation of Cellular in IoT. Rapid7.com blog post. Pull quote: “They go on to demonstrate the importance of breaking open these IoT devices with the goal of penetration testing (pentesting) the strength of the security — or lack thereof — built into the onboard tech. Absent a Wi-Fi connection, they say, it’s critical these devices are able to leverage cellular as a back-up communications method, particularly in the category of potentially life-saving medical devices.”

Testing the security of CCTV systems. PenTestPartners.com blog post. Pull quote: “Some vendors, particularly those who operate at the ‘higher end’ of the market have excellent security controls and development practices. Mid-market vendors have distinctly variable security issues. Those at the low end, at a price point where it is hard to drive strong investment in cyber security, are where we have found some depressingly simple compromises.”

Unveiling the Persistent Risks of Connected Medical Devices. Forescout.com report. Pull quote: “The most common OS in embedded firmware is Linux, followed by: the real-time operating systems (RTOS) VxWorks, KADAK AMX RTOS, NutOS, ThreadX, and Digi Net+OS.”

NOTE: During my search for Researcher Reports on control system vulnerabilities for my weekly Public ICS Disclosures post I frequently run across more generic articles and blog posts that provide information of potential interest to the community at large. I will try to bring those to my Short Takes posts on Saturdays. As always, pointers to such vulnerability reports and articles are much appreciated.
