Vicki A. Barbur, Ph.D.11.04.16
Cybersecurity remains an ever-increasing problem on the national scene as highlighted by a multitude of initiatives that continue to arise as a means to create visibility to the issues that we face as users of, consumers of, and producers of new technologies. Whether a product, application, or tool, they make use of modern approaches to communications and processes that rely extensively on the global revolution in digitization of vast amounts of data/design/code that needlessly carries “information” when interrogated appropriately. This article outlines issues over and above those addressed by the recent FDA Guidance Documents (released February 2015 and August 2016) that highlight when a manufacturer needs to submit for further 510(k) approvals due to product and/or software changes with advances in the way data are collected, processed, and communicated. Here we will focus on issues that are nearer to the “smart” manufacturing shop floor and enterprise itself, which possesses its own set of challenges and vulnerabilities.
First, take a moment to think about the following questions.
It would not be unusual to find that each and every one of you mentioned either automated processes, internet communications, wireless data transmission, mobile access, and/or some aspects of digital designs and embedded sensors. All of these present entry points for attacks, and cyber attacks that penetrate the perimeter fences, making them less effective in the new digital world.
What You Should Know
The more recent FDA Draft Guidance Document has helped manufacturers understand more clearly when they must seek a new FDA review for a 510(k) approval, whether it be for device modifications, wireless communications that impact cybersecurity, or software changes that improve device cybersecurity directly. This guidance document protects the users only after a device has been sold and is already in the hands of the user; none of the guidance protects a company as the manufacturer of the device, product/part, or software application.
There is much to protect in a medical device manufacturer’s arsenal. Glavach discusses [PDF] a methodology for ensuring manufacturing resiliency. He advocates that establishing the appropriate service level agreements with a “Trust (meets security responsibilities) and Verify (meets security requirements)” approach is an appropriate way to minimize attack vectors. It is important to recognize that with a cyber attack, many vulnerabilities exist:
So how do you go about addressing these points of potential weakness, protecting assets, and avoiding the potential for legal suits upfront?
First, key questions to answer are:
Incidents themselves spread across a range of intrusion points and represent a variety of methodologies for attempting to gain access to both the business and the operational environments, including:
What Can You Do?
Following are a set of best practices that can be deployed easily and inexpensively to start the journey to protecting against vulnerabilities, which are highly likely to be perpetrated by an insider threat unbeknown to you.
Additional Help Is at Hand
There are several countrywide initiatives currently ongoing to assess the standardization issues with respect to the responses [PDF] and focusing on gap closure with respect to this ever-increasing and challenging problem.
Vicki Barbur works with companies in their efforts to promote innovation through portfolio management and technology partnering. She can be reached at vbarbur@gmail.com.
First, take a moment to think about the following questions.
- Have you ever stopped to consider where your company is most vulnerable?
- How do you manage your manufacturing operations?
- Is your manufacturing process considered “smart”? In other words, is it connected seamlessly to input and output requirements?
- How do you interface your manufacturing operations to your business enterprise?
- How do you design your products? How do you transmit your designs? Are they in-house?
- How do you maintain your products once they are deployed, in use, or discarded?
It would not be unusual to find that each and every one of you mentioned either automated processes, internet communications, wireless data transmission, mobile access, and/or some aspects of digital designs and embedded sensors. All of these present entry points for attacks, and cyber attacks that penetrate the perimeter fences, making them less effective in the new digital world.
What You Should Know
The more recent FDA Draft Guidance Document has helped manufacturers understand more clearly when they must seek a new FDA review for a 510(k) approval, whether it be for device modifications, wireless communications that impact cybersecurity, or software changes that improve device cybersecurity directly. This guidance document protects the users only after a device has been sold and is already in the hands of the user; none of the guidance protects a company as the manufacturer of the device, product/part, or software application.
- Have you taken time to consider the potential for and impact of cyber threats associated with your operations?
- How do you validate the integrity of your vendors? Your supply chain?
- How do you protect your operations? What barriers do you have implemented?
There is much to protect in a medical device manufacturer’s arsenal. Glavach discusses [PDF] a methodology for ensuring manufacturing resiliency. He advocates that establishing the appropriate service level agreements with a “Trust (meets security responsibilities) and Verify (meets security requirements)” approach is an appropriate way to minimize attack vectors. It is important to recognize that with a cyber attack, many vulnerabilities exist:
- Data and designs are valuable to an organization.
- Attacks may be low risk for you, yet represent high return opportunities for those attacking.
- All your network installations are easy targets.
- Threats today are complex, yet penetrate further and are increasingly challenging to neutralize—take ransomware as an example.
So how do you go about addressing these points of potential weakness, protecting assets, and avoiding the potential for legal suits upfront?
First, key questions to answer are:
- Do your employees appreciate the consequence of company information loss?
- How accessible is your company’s intellectual property/trade secrets that set you above others in the field? More to the point, who has access to this information?
- Does the entire management team understand that cyber vulnerability is a business threat that requires attention and investment just as much as the next new technology?
Incidents themselves spread across a range of intrusion points and represent a variety of methodologies for attempting to gain access to both the business and the operational environments, including:
- Intrusion via internet facing ICS/supervisory control and data acquisition (SCADA) devices
- Malware/ransomware infections within air-gapped control system networks
- Remote access interfacing—approved or unapproved
- Transfers between network zones
- Infuriating phishing campaigns
- Other strategic web site compromises
What Can You Do?
Following are a set of best practices that can be deployed easily and inexpensively to start the journey to protecting against vulnerabilities, which are highly likely to be perpetrated by an insider threat unbeknown to you.
- Be vigilant to threats from insiders and business partners through an enterprise-wide risk assessment.
- Document and consistently enforce policies and controls.
- Ensure insider threat awareness is included in periodic security training for all employees.
- Routinely monitor and respond to suspicious or disruptive behavior.
- Anticipate and manage negative issues in the work environment.
- Understand the company’s assets.
- Employ rigorous password and account management policies and practices.
- Require separation of duties.
- Identify explicit security agreements for any cloud services, especially with respect to access restrictions and monitoring capabilities.
- Deploy rigorous access controls and monitoring policies on users.
- Institutionalize system change controls.
- Scrutinize and control remote access from all end points, including mobile devices.
- Execute a routine, secure backup and recovery processes procedure.
- Determine a baseline of normal network device behavior.
- Manage use of social media in the workplace.
Additional Help Is at Hand
There are several countrywide initiatives currently ongoing to assess the standardization issues with respect to the responses [PDF] and focusing on gap closure with respect to this ever-increasing and challenging problem.
- NIST (National Institute of Standards and Testing)—Framework for Improving Critical Infrastructure Cybersecurity [PDF]
- NDIA (National Defense Industrial Association)—Cyber Security for Advanced Manufacturing [PDF]—Identifying gap closure initiatives; focused mostly on defense logistics supplies yet a good message for all manufacturers dealing with critical parts and assemblies.
Vicki Barbur works with companies in their efforts to promote innovation through portfolio management and technology partnering. She can be reached at vbarbur@gmail.com.