Attack my MRI, CT or Nuclear Processing Plant would you?
Tuesday 13th February 2018
A recent article in Sophos' magazine pointed to hospital MRI and CT scanners still being at risk of Cyber Attack (https://nakedsecurity.sophos.com/2018/02/01/hospital-mri-and-ct-scanners-at-risk-of-cyberattack/)
This led me to think more widely about the whole ethos of the Internet of Things (IoT) and of specialist processing equipment such as nuclear processing plants or MRI/CT scanners in the context of cyber attacks, and to conclude that there are two major directions to go here (three, including neutralising the adversaries):
- Ensure all equipment is cyber-attack resistant, or
- Ensure that cyber-attacks cannot reach the equipment
Harden all equipment to cyber-attacks?
Over the last few years the public domain has been littered with reports of attacks on IoT equipment, with many Distributed Denial of Service (DDoS) attacks using compromised Internet-connected equipment to relay or amplify their traffic and then focus all of it onto a single target. These have proven very effective attacks, especially since so much IoT equipment is not hardened against cyber-attack and is unlikely to be updated to become resistant.
In the recent past, when many of these webcams were being produced, cyber-attacks in general were well known and documented, yet the specific attacks later used, such as Mirai, had not been developed. Those attacks were developed around the inherent weaknesses of this IoT equipment (in this case typically webcams).
So, should the IoT manufacturers have developed defences against possible future Mirai attacks? Not necessarily, but these manufacturers should have put in at least some minimal, sensible defences, which were found to be sadly lacking; such simple measures would have stopped Mirai.
Yet even when some simple yet effective countermeasures are built into equipment, that is still not sufficient. Recent vulnerabilities have come to light around Cisco switches, routers, firewalls and Intrusion Detection systems, in that they can be rendered completely ineffective following a specific and direct attack (https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1), and this despite Cisco being well versed in applying security to their security products.
Looking at the recent discussion about hospital MRI and CT scanners, these have been brought into the spotlight over the last year as a result of mass cyber-attacks on hospitals, some of which rendered scanning inoperative in some hospitals. Whether aborted scanning can be attributed to the scanner itself being under attack or to other support equipment failing is an academic point, but it has highlighted that many scanners might still be built on out-of-date computer equipment and hence might contain many vulnerabilities.
Complex equipment is, by its very nature, complex. Equipment such as the Space Shuttle, Concorde and submarines is typically known for using out-of-date technologies for a few reasons: one is that older technology has a better reliability record for safety; another is that building complex systems takes a long time, and frequently updating to modern computer technology throughout would significantly increase costs and development time.
MRI and CT scanners fit more into the complex-equipment bracket than into IoT commodity items: they have a safety case to stop patients being over-irradiated, there is complex processing required to arrive at a correctly informed diagnosis, and there are very expensive electronics optimised to deliver the maximum number of patients for the minimum cost.
Yet some MRI and CT scanners have been shown to still run operating systems such as Windows XP, which is no longer supported and has been shown to be riddled with security holes. At face value, this would suggest that such equipment needs to be updated for support reasons as well as to ensure that it becomes resilient to cyber-attacks. Yet, compared to updating a corporate network to the latest operating system, re-engineering a scanner is likely to carry a very high cost penalty and take some months of extensive testing per scanner model to ensure that nothing dangerous or degrading can happen. With each scanner model costing upwards of £150000, the costs can soon mount up. On top of which, the expected security process of updating equipment every time software patches come out would probably render the current approach to building scanners unaffordable.
At this point in the discussion, let's bring Stuxnet into play as a standard model. Here, specialist equipment was attacked by highly capable threat agents to create a processing deficiency. If we extrapolate the same argument as above, then the PLC manufacturer, Siemens, should have built cyber defences into their equipment to stop such attacks happening. But the network designers for the nuclear processing plant probably considered the PLC to be sufficiently separate from the rest of the world that it was unnecessary to have specific cyber defences in the embedded system.
Keep equipment out of reach from attackers?
In the last 20 years or so, society's needs and technological development have worked together to make more and more equipment talk together over sustainable electronic connections, and have gravitated towards ubiquitous networking communications to achieve this.
Prior to interconnecting equipment, it was once considered that isolated equipment with no network interfaces would be impervious to threats and attacks. Going back to the Stuxnet standard showed this to be false: well-crafted attacks could "jump" air gaps or be transported on USB memory sticks, meaning that nothing was safe, everything was reachable, and the digital world appeared doomed.
Let's examine this a little further. The use of isolated equipment, such as in the Iranian nuclear processing facility, meant that the equipment was actually quite difficult to reach with any malware, and it would have taken just one more countermeasure to stop that attack happening altogether: namely, ensuring that only verified, correct data could be loaded onto its systems through benign interfaces.
This then points towards there being a strong cyber defence in ensuring that equipment is difficult to reach, and such a defence might keep all but the most skilled and effective threat agents away from that equipment.
This argument is fine only as long as the threat agents stand still in their capability and don't discover new routes and techniques to attack systems, and we know from bitter experience that this assumption is unsafe.
This also means that completely isolating some equipment from network connections runs contrary to the growth of society's needs and the technological evolution that we are taking for granted, so that's a non-starter, right?
Don't get me wrong, I AM an advocate of the interconnectedness of all things, but the interconnections themselves need to be treated with consideration of the need for the connection and the threats arising to/from the connection.
As a provocative example, let's consider an MRI scanner that is built to pass its results to analysis computers through a network connection. The question I would raise here is "do the MRI scanner and analysis equipment need to be accessed by just about anybody on the Internet from their home computer?"
- Yes. Sorry to say, then, that the MRI scanner manufacturer will have to consider direct cyber-attack against their equipment and harden it accordingly.
- No, it is completely isolated. In which case, updates and patches to the equipment need to be proven to come only from trusted sources and through a benign data transfer medium, but the equipment need not have robust cyber defences built in.
- No, but it does need to be accessed by multiple Health Trusts. This suggests a hybrid defence model is necessary.
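The "completely isolated" case above, and the Stuxnet point earlier that one more countermeasure (only verified, correct data loaded through benign interfaces) would have stopped the attack, both come down to an update gate on the equipment. The following is an added illustration of such a gate, not code from the original post or from any scanner vendor: the update manifest is authenticated with a key provisioned when the equipment was installed, the payload must match the hash in the manifest, and the version must move forwards so a known-bad release cannot be reloaded. It uses HMAC-SHA256 from the Python standard library so it runs anywhere; the key, version numbers and payloads are constructed demo values, and a deployed design would normally use an asymmetric signature so the equipment holds only a public key.

```python
"""Update gate: accept an update only when it is proven to come from the
trusted source, is intact, and is newer than what is installed.

Added illustration, not code from the original post. HMAC-SHA256 stands in
for a proper asymmetric signature so the example runs on the standard library.
"""
import hashlib
import hmac
import json


def _manifest_bytes(manifest: dict) -> bytes:
    # Canonical encoding so the tag covers exactly one serialisation.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def make_package(key: bytes, version: int, payload: bytes) -> dict:
    """Build a package on the trusted (vendor) side. Constructed for the demo."""
    manifest = {"version": version, "sha256": hashlib.sha256(payload).hexdigest()}
    tag = hmac.new(key, _manifest_bytes(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "tag": tag, "payload": payload}


def verify_update(key: bytes, package: dict, installed_version: int):
    """Return (accepted, reason). Checks run in order; the first failure wins."""
    manifest, tag, payload = package["manifest"], package["tag"], package["payload"]
    expected = hmac.new(key, _manifest_bytes(manifest), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, tag):
        return False, "manifest authentication failed"
    if not hmac.compare_digest(hashlib.sha256(payload).hexdigest(), manifest["sha256"]):
        return False, "payload does not match manifest hash"
    if manifest["version"] <= installed_version:
        return False, "version is not newer than installed (rollback blocked)"
    return True, "accepted"


# Constructed demo values; a real key is provisioned out of band at install time.
DEMO_KEY = b"scanner-provisioning-key-demo"
INSTALLED = 41


def demo() -> dict:
    """Run the gate over a good package and three kinds of bad one."""
    good = make_package(DEMO_KEY, 42, b"firmware blob v42")
    tampered = make_package(DEMO_KEY, 42, b"firmware blob v42")
    tampered["payload"] = b"firmware blob v42 with unwanted extra code"  # altered in transit
    forged = make_package(b"some-other-key", 43, b"imposter build")      # wrong source
    stale = make_package(DEMO_KEY, 40, b"firmware blob v40")            # genuine but old
    return {
        "good": verify_update(DEMO_KEY, good, INSTALLED),
        "tampered": verify_update(DEMO_KEY, tampered, INSTALLED),
        "forged": verify_update(DEMO_KEY, forged, INSTALLED),
        "stale": verify_update(DEMO_KEY, stale, INSTALLED),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:9s} -> {'ACCEPT' if ok else 'REJECT'}: {why}")
```

The order of the checks matters: the tag is verified before anything in the manifest is trusted, so an attacker cannot influence the hash or version comparison with unauthenticated data, and the rollback check means a genuine but vulnerable older release is refused even though it carries a valid tag.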
Hybrid Defences and equipment certification
In the cases cited above, there is a middle ground that requires some thought to be given to how equipment needs to be built AND how the networks and associated support equipment need to be architected to keep the specialist equipment secure.
Rather than place all of the onus upon the specialist equipment manufacturer to build state-of-the-art cyber defences into their equipment (see the first argument in this article), we should get the manufacturer to build in good, robust, yet cost-effective and straightforward defences that can be applied without encumbering the equipment with major compromises in the name of security.
After this, the manufacturer has a duty to describe to customers and end users what they have, and more importantly have NOT, provided in the way of security defences. It is then the duty of the customer to engineer defences into their network segregation models and their security monitoring through their Security Operations Centre (SOC) as a counter to potential weaknesses in this specialist equipment.
Such segregation models might include analysing the specific network protocols that need to go to/from the specialist equipment, restricting these through firewall rules, and then building SOC/Snort/Splunk (or whatever is used) rules to alert on any attempted deviations from this pattern.
The utility of this approach goes beyond connections to specialist equipment and extends into commodity equipment such as is common in the Internet of Things (IoT). In IoT, fridges, home automation, cars and buildings are all accessible through Internet connectivity. One might argue philosophically about the necessity of attaching your dishwasher to your email accounts, but that argument is now fruitless in today's technological progression.
Understanding what your IoT manufacturer has or has not supplied in the way of cyber defences will allow customers to determine the best means of configuring this equipment into their networks, taking into consideration the consequences of the IoT device failing and subsequently being used by attackers as a tool with which to do further damage.
There have been a few discussions around the use or application of security markings, CE marks, quality labels etc. to IoT technologies so that consumers can determine how good their equipment actually is. Certification like this is a good thing, yet it is going to take a long time to achieve, as definitions of "what is good or bad" and how to articulate and measure it are subject to many arguments amongst security professionals.
In the meantime, it is currently upon the equipment consumer to understand the security value of all of the equipment that they have purchased and use, and to segregate, monitor, or just accept the fact that someday they might be part of the next Stuxnet or global DDoS target.
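The segregation model just described, as an added illustration that is not code from the original post or from any product: one allowlist of the flows a scanner legitimately needs drives both the firewall rule set and the SOC alerting, so the two cannot drift apart silently. The addresses, the port usage (DICOM on 104/tcp to the PACS, NTP to a local time source), the iptables-style rule syntax and the key=value firewall log lines are all constructed for the demo; in practice they come from the manufacturer's protocol documentation and the firewall's own log format. A denied deviation is alerted at medium severity (someone tried), while a flow the firewall permitted but the model forbids is alerted at high severity, because that is a gap in the rules rather than a blocked attempt.

```python
"""Segregation model for one specialist device: a single allowlist of
legitimate flows produces the firewall rules and the deviation alerts.

Added illustration, not code from the original post. Addresses, ports and the
log format are constructed for the demo.
"""
import re

SCANNER = "10.10.5.20"   # constructed: the MRI scanner's address

# (src, dst, proto, dport): the only conversations the scanner should have.
ALLOWED = {
    (SCANNER, "10.10.8.5", "tcp", 104),     # scanner -> PACS, DICOM C-STORE
    ("10.10.8.5", SCANNER, "tcp", 104),     # worklist/PACS -> scanner, DICOM
    (SCANNER, "10.10.0.2", "udp", 123),     # scanner -> local NTP
}


def render_firewall_rules():
    """Express the allowlist as iptables-style rules with a logged default
    deny for anything else touching the scanner (illustrative syntax)."""
    rules = [f"-A FORWARD -s {s} -d {d} -p {p} --dport {port} -j ACCEPT"
             for (s, d, p, port) in sorted(ALLOWED)]
    rules.append(f"-A FORWARD -s {SCANNER} -j LOG --log-prefix 'SCANNER-DENY '")
    rules.append(f"-A FORWARD -d {SCANNER} -j LOG --log-prefix 'SCANNER-DENY '")
    rules.append(f"-A FORWARD -s {SCANNER} -j DROP")
    rules.append(f"-A FORWARD -d {SCANNER} -j DROP")
    return rules


# Constructed log format; a real SOC would map the firewall's native fields.
LOG_RE = re.compile(
    r"ts=(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\S+)")


def parse_line(line):
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def check_flow(rec):
    """Return an alert dict for a deviation, or None if the flow is expected."""
    if SCANNER not in (rec["src"], rec["dst"]):
        return None                                 # not our device; out of scope
    key = (rec["src"], rec["dst"], rec["proto"], rec["dport"])
    if key in ALLOWED:
        return None
    # A permitted flow outside the model means the rules and the model have
    # drifted apart; a denied one means the rules held but someone tried.
    sev = "high" if rec["action"] == "allow" else "medium"
    return {"ts": rec["ts"], "severity": sev, "flow": key, "action": rec["action"]}


def scan_log(lines):
    """Run every parseable log line through the model and collect alerts."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        alert = check_flow(rec)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample firewall log for the demo.
SAMPLE_LOG = [
    "ts=2018-02-13T09:00:01 src=10.10.5.20 dst=10.10.8.5 proto=tcp dport=104 action=allow",
    "ts=2018-02-13T09:00:05 src=10.10.5.20 dst=10.10.0.2 proto=udp dport=123 action=allow",
    "ts=2018-02-13T09:02:11 src=10.10.5.20 dst=203.0.113.7 proto=tcp dport=443 action=deny",
    "ts=2018-02-13T09:02:12 src=10.10.7.30 dst=10.10.5.20 proto=tcp dport=3389 action=deny",
    "ts=2018-02-13T09:03:40 src=10.10.7.31 dst=10.10.5.20 proto=tcp dport=445 action=allow",
    "ts=2018-02-13T09:04:00 src=10.10.7.31 dst=10.10.9.9 proto=tcp dport=445 action=allow",
]

if __name__ == "__main__":
    for r in render_firewall_rules():
        print(r)
    for a in scan_log(SAMPLE_LOG):
        print(a["severity"].upper(), a["ts"], a["flow"], a["action"])
```

Over the sample log this raises three alerts: the scanner reaching out to an external address on 443 and a 3389 attempt at the scanner are both denied deviations, while the permitted 445 connection to the scanner is flagged high because the firewall let through something the model says it never should. The same allowlist is what a Snort or Splunk rule would be generated from, so a change to the model updates both the enforcement and the detection.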