By Connor Walsh and Joshua Garvin
In May 2021 Colonial Pipeline, the largest fuel pipeline in the United States, was the victim of a ransomware attack that led to fuel shortages along the East Coast. That same month JBS, the world's largest meat processor, also fell victim to ransomware, which forced the shutdown of nine of its plants.
It is no coincidence that both companies were targeted: threat actors have increasingly homed in on the inherent weaknesses of industrial control systems (ICS). Unfortunately, as with many medical devices, cybersecurity is often an afterthought when ICS equipment is developed and deployed into production, which makes both ideal targets for ransomware. Without visibility into what is on the network, system administrators can leave devices riddled with vulnerabilities online without knowing anything is wrong with them, whether that is an outdated ICS controller or an unpatched medical device. The good news is that there is a known path to reducing the risk of falling victim to ransomware or any other cyber-attack: developing and deploying a healthcare technology management (HTM) vulnerability scanning policy.
When it comes to medical device security, there are more ways to keep your systems safe than firewalls and anti-virus/anti-malware software. Not only does your medical device's underlying operating system contain vulnerabilities; the applications and dependencies installed on it do as well. Attackers can exploit any unpatched vulnerability to gain access to medical systems and patient data. A recent SecurityWeek article reported that threat actors begin scanning the Internet for vulnerable systems roughly 15 minutes after a new vulnerability is disclosed publicly, and that scanning for the Microsoft Exchange Server flaws disclosed in March 2021 started within five minutes. These adversaries can sweep up to 50 million IP addresses per hour, looking for exposures ranging from insecure remote access to F5 load balancers and exposed database servers. Of these, the top exposure was remote desktop protocol (RDP), which accounted for roughly a third of everything observed. The purpose of in-house vulnerability scanning is to reduce your attack surface by gaining visibility into your medical systems, identifying current vulnerabilities and patching them as soon as possible. To determine which vulnerability scanning options to use on your medical devices, you must weigh the pros and cons of the different types of scanning. The two main types are passive and active scanning.
Passive scanning is less intrusive and takes less time to run, but it provides less vulnerability information about a system because the scanner has no privileges on it. Even though this is the less invasive approach, depending on the medical system it may be the only kind of scan you are allowed to perform. Information from passive scans can include which ports and protocols are open or vulnerable on the device, what kind of network traffic the device generates, its operating system, application and firmware versions, and other generic details, all of it information an attacker could use to target the same systems. One caveat: a scan that probes ports and grabs service banners is really an unauthenticated active scan, not a passive one; a truly passive sensor only observes traffic already on the wire. The distinction matters for medical devices, because even an unauthenticated port scan can disrupt fragile embedded network stacks, so confirm the manufacturer's guidance before any active probing.
Active scanning, in its credentialed (authenticated) form, requires elevated credentials so that the scanner can log into the device and inspect it from the inside. It is an extremely thorough vulnerability scan that takes longer to run on a medical device, can impact system performance and should be run during downtime or off-hours. That may seem a high price to pay for vulnerability information, but active scanning returns results that cover all aspects of your medical devices, far beyond what passive scanning can see, and it can surface vulnerabilities you never knew existed. Results can include out-of-date or unsupported operating systems, firmware, databases and software, improperly set file permissions, missing security patches, weak or deprecated encryption methods enabled on the system, and much more.
Not only do vulnerability scans help you assess your medical devices for vulnerabilities; a recurring scanning schedule gives your hospital ongoing visibility into medical device security. With passive and active scans performed routinely you can track which vulnerabilities have been remediated, which systems are still at risk, and how to build a patch management routine into your organization that strengthens your overall cybersecurity posture.
Active and passive scanning are great tools to have in your cybersecurity arsenal, but choosing the right vulnerability scanner for your organization can make a world of difference. For example, a popular and well-trusted scanning solution used by many organizations is Tenable's Nessus scanner. Nessus is an industry leader in vulnerability scanning, and Tenable's wider product family adds continuous monitoring, including a separate passive sensor (Nessus Network Monitor) for real-time traffic. Nessus is not Windows-specific: it can scan medical devices and network equipment running Windows, Unix, Linux, macOS, Cisco IOS and many other platforms. Its plugins map each finding to the relevant common vulnerabilities and exposures (CVE) identifiers and a severity rating, producing a detailed report for each vulnerability detected: a description of the issue, the steps to remediate it and its criticality. The reports available within Nessus are extremely detailed and provide granular, up-to-date vulnerability data that can help you remediate issues you never knew existed. This kind of scanner lets you reduce your organization's attack surface and minimize the opportunities for attack.
There are other vulnerability scanners on the market, such as Rapid7's InsightVM (formerly Nexpose), as well as broader security platforms that bundle vulnerability assessment, such as AT&T's AlienVault USM and IBM Security QRadar, all with capabilities similar to Tenable's Nessus scanner. The choice comes down to budget, infrastructure, organizational requirements and security policies, and how the tool will be used. Each scanner has its pros and cons, but whichever one you use within your organization, it is truly an essential part of your overall cybersecurity framework.
Medical device vulnerability scanning is separate from your department's medical device patch management which, as we all know, is a field of its own. The first step in developing a vulnerability scanning policy is identifying what is in your inventory and answering the big question: can the device receive active/credentialed scans? It is extremely important to get this answer from the manufacturer during pre-procurement so that you know what risk you may be introducing to your network. Any device on your network that has manufacturer approval for active scanning should be actively scanned; a device without that approval should be limited to passive monitoring until the manufacturer answers. As mentioned above, there are several tools that can be purchased, budgeted for and maintained by HTM to provide this visibility; selecting one is the next logical step in policy development. Other questions to settle are when the scans should occur, who in the department runs them, how often the scan credentials are rotated, and who receives the vulnerability reports on scan completion. The due diligence of putting together the vulnerability scan policy and the due care of executing it will dramatically improve the cyber posture of your environment.
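As an added example (hypothetical, not from the article or any vendor), the questions above can be enforced from the inventory itself: each asset records the manufacturer's answer on credentialed scanning, its downtime window, and when its scan credentials were last rotated, and the plan marks which devices are ready to scan and why the others are on hold. The field names, the 90-day credential rotation period and the sample assets are assumptions made for this example.

```python
"""Build a scan plan from an HTM inventory.

Added example with hypothetical inventory fields (not any product's schema).
A device is scanned in credentialed mode only with manufacturer approval on
file, only inside its downtime window, and only with fresh scan credentials.
"""
from dataclasses import dataclass
from datetime import date, time, timedelta
from typing import List, Optional


@dataclass
class Asset:
    name: str
    ip: str
    credentialed_approved: Optional[bool]  # manufacturer's answer; None = not yet obtained
    downtime_start: time
    downtime_end: time
    cred_rotated_on: Optional[date] = None  # last rotation of the scan account


def _minutes(t: time) -> int:
    return t.hour * 60 + t.minute


def fits_downtime(scan_start: time, duration_min: int, dt_start: time, dt_end: time) -> bool:
    """True if a scan of duration_min starting at scan_start stays inside the
    downtime window, including windows that cross midnight (e.g. 22:00-05:00).
    Equal bounds mean the device may be scanned at any time."""
    window = (_minutes(dt_end) - _minutes(dt_start)) % 1440 or 1440
    offset = (_minutes(scan_start) - _minutes(dt_start)) % 1440
    return offset + duration_min <= window


def plan_asset(asset: Asset, scan_start: time, duration_min: int, today: date, rotation_days: int = 90) -> dict:
    """Decide the scan mode for one asset and list anything blocking the scan."""
    reasons = []
    if asset.credentialed_approved is None:
        mode = "passive-only"
        reasons.append("manufacturer approval for active scanning not on file")
    elif asset.credentialed_approved:
        mode = "credentialed"
        if asset.cred_rotated_on is None or today - asset.cred_rotated_on > timedelta(days=rotation_days):
            reasons.append(f"scan credentials older than {rotation_days} days; rotate first")
    else:
        mode = "unauthenticated"
    if mode != "passive-only" and not fits_downtime(
        scan_start, duration_min, asset.downtime_start, asset.downtime_end
    ):
        reasons.append("requested window falls outside the device's downtime; reschedule")
    return {"asset": asset.name, "ip": asset.ip, "mode": mode, "ready": not reasons, "reasons": reasons}


def build_scan_plan(assets: List[Asset], scan_start: time, duration_min: int,
                    today: date, rotation_days: int = 90) -> List[dict]:
    return [plan_asset(a, scan_start, duration_min, today, rotation_days) for a in assets]


# Constructed inventory: names, addresses, windows and dates are placeholders.
INVENTORY = [
    Asset("Infusion pump 01", "10.10.5.21", True, time(22, 0), time(5, 0), date(2021, 8, 1)),
    Asset("Ventilator 03", "10.10.5.22", False, time(22, 0), time(5, 0)),
    Asset("Ultrasound cart 07", "10.10.5.23", None, time(22, 0), time(5, 0)),
    Asset("MRI console", "10.10.5.24", True, time(1, 0), time(3, 0), date(2021, 3, 1)),
]

if __name__ == "__main__":
    # A 90-minute scan window starting at 23:00, planned on 1 Sept 2021.
    for row in build_scan_plan(INVENTORY, time(23, 0), 90, date(2021, 9, 1)):
        flag = "READY" if row["ready"] else "HOLD "
        print(f"{flag} {row['asset']:20} {row['mode']:15} {'; '.join(row['reasons'])}")
```

The plan deliberately refuses to pick a mode for a device whose manufacturer has not answered, rather than defaulting to an unauthenticated scan, and it treats stale scan credentials as a blocker: a long-lived, rarely rotated credentialed-scan account is itself a high-value target.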
In conclusion, vulnerability scanning not only gives you knowledge, awareness and visibility into the threats facing your medical devices; it also allows your organization to develop an effective patch management routine. There are many layers to cybersecurity, including network firewalls, network isolation, system-level anti-virus, security patching and more. But even with all of these layers in place, you still need a way to identify the vulnerabilities on your medical systems and network that those layers do not surface, and to feed them into an effective patch management regimen. Using vulnerability scanners can only strengthen your organization's cybersecurity posture, and it will let you sleep more comfortably at night knowing that your systems are being monitored for the latest threats to better protect the patients you serve.
Connor Walsh works for VA Central Office on the Office of Electronic Health Record Modernization (OEHRM) HTM team.
Joshua Garvin is an Information Systems Biomedical Equipment Support Specialist (IS-BESS) for the VISN 10 program office at the Department of Veterans Affairs.
Sources:
https://www.nytimes.com/2021/06/01/business/meat-plant-cyberattack-jbs.html
https://www.bbc.com/news/world-us-canada-57318965
https://www.tenable.com/products/nessus
https://www.securityweek.com/scans-vulnerable-exchange-servers-started-5-minutes-after-disclosure-flaws
The views expressed here are those of the author and do not necessarily represent or reflect the views of TechNation or MD Publishing.