Christopher Gates, Director of Product Security, Velentium, 04.04.24
Cybersecurity for the manufacturing floor of medical device firms presents unique challenges compared to other industries due to the critical and sensitive nature of the products being fabricated and the potential impact of threats on patient safety. There are several ways in which cybersecurity differs for this environment from normal IT infrastructure cybersecurity.
Regulatory Compliance: Medical device manufacturers must adhere to stringent regulatory standards such as the FDA’s Quality System Regulation (QSR), Quality Management System Regulation (QMSR), and international standards like ISO 13485. These standards require manufacturers to implement cybersecurity controls throughout the product lifecycle, including during the manufacturing process.
Patient Safety Concerns: Unlike many other manufacturing processes, the production of medical devices directly impacts patient safety. Cybersecurity incidents such as tampering with manufacturing systems or introducing malware into production processes can result in faulty or infected devices that may harm patients. Even more subtle effects are possible, such as tampering with the characterization or calibration stations so that the device’s sensors are biased away from returning accurate readings.
Supply Chain Risks: Medical device manufacturers often rely on complex supply chains involving multiple vendors and partners. Each node in the supply chain presents a potential cybersecurity risk and a vector for attack. Ensuring the security of these vendor-supplied sub-systems is crucial to maintaining the integrity of the manufacturing process.
Intellectual Property Protection: Medical device manufacturers invest significant resources in research and development to create innovative products. Protecting intellectual property from cyber threats, such as theft or sabotage, is essential to safeguarding the organization’s business model. The loss of intellectual property in the form of executables or source code that may be present in the manufacturing process would likely cause significant financial harm.
Mass Distribution of Secondary Infections: Likewise, tampering with medical device executable images as stored in version control repositories for use in the manufacturing process could result in devices being distributed that are themselves a source of infection for the receiving customer.
Legacy Systems: Manufacturing equipment and systems on the production floor may include legacy technology with known vulnerabilities, requiring additional cybersecurity measures to mitigate risks.
Integration with the Business Network: Increasingly, medical device manufacturing systems are interconnected with the manufacturer’s business network for improved management of manufacturing operations. This connectivity introduces additional cybersecurity considerations, as vulnerabilities in manufacturing systems could potentially be exploited to compromise the broader infrastructure of the manufacturer.
Interruption to Manufacturing Operations: The proper operation of the manufacturing floor results in medical devices that help people and possibly save lives. If these devices are not readily available at the point of care, people may be harmed. As such, disruptions to manufacturing operations could have severe consequences for public health, especially during events such as the pandemic we recently experienced.
To address these challenges, medical device manufacturers must implement a comprehensive cybersecurity strategy that encompasses not only traditional IT systems but also the unique requirements of the manufacturing floor. This strategy should include measures such as network segmentation, access controls, encryption, intrusion detection systems, regular security assessments, sharing of “Indicators of Compromise” (such as via the H-ISAC organization), and employee training to create a culture of cybersecurity awareness throughout the organization.
Collaboration between manufacturers, regulators, healthcare providers, and cybersecurity experts is essential to develop and implement effective cybersecurity strategies in this critical industry.
Start with an inventory of assets on the manufacturing floor and their current patch status. Automate this process as much as possible, for example by using the self-assessment tool developed by CISA.
This tool is called the Cyber Security Evaluation Tool (CSET).[1] It assesses the security posture of a manufacturing site based on answers to a set of questions focused on IT and Industrial Control System standards, and it can provide good recommendations on where a manufacturing floor could improve its security posture.
Following the use of the CSET tool, perform a risk analysis of each product line, which can be used to prioritize and scale preparations. Such assessments should include the typical ship rate of each product, the quantity of each product being buffered in distribution and warehouses, and the anticipated total recovery time for each production line. If it is found that disruption to a line would result in market shortages of the product, mitigations can be scaled to preclude such a disruption. This can include an entire replacement production line that serves as a “failover” solution and is kept identical to the main production line, including its updates and patches. This failover production line would be completely air-gapped from the rest of the organization’s networks.
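The per-line risk analysis above reduces to comparing how long the buffered stock covers demand against how long recovery takes. The following is an added example (not from the article or from Velentium) that carries that comparison through for a constructed portfolio; the product names, figures and the rule that any projected shortage warrants a failover line are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class ProductLine:
    name: str
    ship_rate_per_day: float   # typical shipments per day, in units
    buffered_units: float      # units already in distribution and warehouses
    recovery_days: float       # anticipated total recovery time for the line

def days_of_supply(line: ProductLine) -> float:
    """How long the buffer alone can satisfy demand if the line stops."""
    if line.ship_rate_per_day <= 0:
        return float("inf")    # nothing ships, so the buffer never runs out
    return line.buffered_units / line.ship_rate_per_day

def shortage_days(line: ProductLine) -> float:
    """Days the market would be without product during a full-length recovery."""
    return max(0.0, line.recovery_days - days_of_supply(line))

def needs_failover_line(line: ProductLine) -> bool:
    """Assumed rule: any projected shortage means recovery alone cannot preclude a gap."""
    return shortage_days(line) > 0

def prioritize(lines: List[ProductLine]) -> List[str]:
    """Rank lines for preparation: longest shortage first, then highest ship rate."""
    ranked = sorted(lines, key=lambda l: (-shortage_days(l), -l.ship_rate_per_day))
    return [l.name for l in ranked]

# Constructed sample portfolio (hypothetical product names and figures).
SAMPLE_LINES = [
    ProductLine("infusion_pump", 100, 3000, 45),
    ProductLine("patient_monitor", 20, 2000, 60),
    ProductLine("glucose_sensor", 500, 1000, 10),
    ProductLine("legacy_reader", 0, 0, 30),
]

if __name__ == "__main__":
    for name in prioritize(SAMPLE_LINES):
        line = next(l for l in SAMPLE_LINES if l.name == name)
        print(f"{name}: supply {days_of_supply(line):.1f} d, "
              f"shortage {shortage_days(line):.1f} d, "
              f"failover={needs_failover_line(line)}")
```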
Following the containment of a security incident, recovery should be performed. The desired goal of incident recovery is to curtail the impact of a cybersecurity event by minimizing the loss of manufacturing capacity, continuing to contain the incident effectively, and curating forensic evidence. At the same time, affected systems are restored and brought back online.
Restoration of critical equipment and services is the priority, but this may come at the cost of degraded operational capabilities, reduced throughput, and reduced integration with other systems until all production line features can be fully brought back online.
Depending upon the nature of the incident, various recovery efforts may be needed. These could include:
- Changing all access credentials, including 3rd party remote access
- Changing physical access permissions
- Evaluation of security event logs
- Removal of vulnerable devices or access methods (e.g., remote desktop)
- Removal of malware using anti-virus tools or through system restoration
- Removing or filtering specific methods of network communications between systems
- Temporary activation of failover systems while affected systems are being restored
- Restoration of affected systems while managing capacity reduction or shutdown
- Replacement of affected systems, typically resulting in temporary shutdown.
If specific manufacturing processes have been previously determined to be “mission critical” and emergency restoration resulted in the activation of failover systems (in an isolated environment to protect against another incident), the final phase of restoration would include resetting these redundant systems to the same level of failover reliability as existed before the incident. This type of system architecture could result in the fastest and most reliable approach to restoring manufacturing operations, but such a backup strategy could come with a large cost and additional overhead due to the activities needed to keep the failover systems current and viable.
Next, while the failover systems are maintaining operational processes, the original affected systems can be evaluated for restoration and patches/upgrades to affected components that were targeted during the event.
As restoration of affected systems is pursued, the responsible organizational team (i.e., cyber security incident response team) needs to work under the supervision of the manufacturing engineering team to restore systems via backups. Subsystems should be isolated from each other during the restoration and restored in an order determined by the manufacturing team to minimize systemic sequence dependency risks.
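Restoring isolated subsystems "in an order determined by the manufacturing team to minimize systemic sequence dependency risks" is a dependency-ordering problem: a subsystem should come back only after everything it requires is up. The following is an added example (not from the article or from Velentium) that derives such a sequence, groups it into waves that can be restored in parallel while still isolated, and refuses a plan with a circular dependency; the subsystem names and their dependencies are a constructed sample.

```python
import heapq
from typing import Dict, List

def restoration_order(deps: Dict[str, List[str]]) -> List[str]:
    """Return a restore sequence in which every subsystem follows the subsystems
    it requires. Ties are broken alphabetically so the plan is reproducible.
    Raises ValueError if the dependencies contain a cycle."""
    nodes = set(deps) | {r for required in deps.values() for r in required}
    indegree = {n: 0 for n in nodes}
    dependents = {n: [] for n in nodes}
    for sub, required in deps.items():
        for r in required:
            indegree[sub] += 1
            dependents[r].append(sub)
    ready = [n for n in nodes if indegree[n] == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        n = heapq.heappop(ready)
        order.append(n)
        for s in dependents[n]:
            indegree[s] -= 1
            if indegree[s] == 0:
                heapq.heappush(ready, s)
    if len(order) != len(nodes):
        stuck = sorted(n for n in nodes if indegree[n] > 0)
        raise ValueError(f"circular dependency among subsystems: {stuck}")
    return order

def restoration_waves(deps: Dict[str, List[str]]) -> List[List[str]]:
    """Group the sequence into waves: each subsystem depends only on earlier waves,
    so the members of one wave can be restored in parallel, each still isolated."""
    order = restoration_order(deps)
    wave = {}
    for n in order:
        wave[n] = max((wave[r] + 1 for r in deps.get(n, [])), default=0)
    waves: List[List[str]] = []
    for n in order:
        while len(waves) <= wave[n]:
            waves.append([])
        waves[wave[n]].append(n)
    return waves

def has_circular_dependency(deps: Dict[str, List[str]]) -> bool:
    try:
        restoration_order(deps)
        return False
    except ValueError:
        return True

# Constructed sample: subsystem -> subsystems that must be restored first.
SAMPLE_DEPS = {
    "network_core": [],
    "identity": ["network_core"],
    "historian": ["network_core"],
    "mes": ["identity", "historian"],
    "line1_plc": ["network_core"],
    "line1_hmi": ["line1_plc", "identity"],
    "calibration_station": ["mes", "identity"],
}
```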
The goal of this process is not to return the affected systems to their previous state, but instead, make these restored systems more secure and resilient to the most recent attack vector while retaining the same operational characteristics. Therefore, additional security measures may be applied during this stage (e.g., updates/patches; changes in VPN or remote desktop; or changes to security agents such as malware scanners, endpoint protection, or installation of supplementary security tools).
During the evaluation of the affected systems, the severity of the incident should be determined. For example, if equipment sustained physical damage or persistent infection, restoration of existing equipment may not be possible, resulting in a complete system rebuild (potentially including partial or complete replacement of hardware) of the affected systems. Associated data would then be restored from backups and the rebuilt systems activated as described previously.
Following this restoration process, formal process validation activities such as installation qualification, operational qualification, and performance qualification should be performed on these activated, restored, or rebuilt systems to maintain compliance with requirements.
Start the planning process now, before an event occurs. Define the responding team, write the policies and the procedures, and exercise the plan. In this way, you can minimize the cost to your organization when the manufacturing floor has a security event.
Recommended Reading
NIST SP 800-82 Rev 3: Guide to Operational Technology (OT) Security
https://csrc.nist.gov/pubs/sp/800/82/r3/ipd
NIST SP 800-61 Rev 2: Computer Security Incident Handling Guide
https://csrc.nist.gov/pubs/sp/800/61/r2/final
NIST SP 800-83 Rev 1: Guide to Malware Incident Prevention and Handling for Desktops and Laptops
https://csrc.nist.gov/pubs/sp/800/83/r1/final
References
1. https://github.com/cisagov/cset
Christopher Gates is director of Product Security at Velentium and the current co-chair for H-ISAC’s MDSC. He has more than 50 years of experience developing and securing medical devices and works with numerous industry-leading device manufacturers. He frequently collaborates with regulatory and standard bodies, including the CSIA, Health Sector Coordinating Council, H-ISAC, Bluetooth SIG, and FDA to present, define, and codify tools, techniques, and processes that enable the creation of secure medical devices.