FDA Cybersecurity Regulations: Medical Devices

A cardiac pacemaker is a lifesaver for many and is classed as an implantable medical device. The FDA imposes regulations to protect these devices. Experts Lee Neubecker and Keith Handler, a senior engineer at Sterling Medical Devices, examine the FDA Quality System Regulations, ISO standards, and FDA guidelines that Sterling Medical Devices follows as essential parts of its manufacturing practices.

FDA cybersecurity regulation of medical devices is a tough topic! Consider the cardiac pacemaker, probably the most notable life-saving implantable medical device. Did you know that it is operated by a computer chip? Like any other computer, it can be vulnerable to a cybersecurity breach.

Experts Lee Neubecker and Keith Handler, a senior engineer at Sterling Medical Devices, examine the FDA's cybersecurity quality system regulations, the ISO standards, and the guidelines Sterling Medical Devices follows to ensure cybersecurity for all of its devices.

Tune in to Part 2 of our 3 Part Series on Medical Devices

The FDA Cybersecurity Regulations: Medical Devices Video Transcript Follows.

Lee Neubecker (LN): Hi, I’m back on the show today with Keith Handler, Keith, thanks for being back on.

Keith Handler (KH): Thanks again for having me.

LN: And Keith, again, is from Sterling Medical Devices, and today we’re going to talk about what measures are in place, that the FDA imposes to help ensure cybersecurity on medical devices, especially safety of PHI, and safety of the operation of those devices for end-users. Thanks again for being here.

KH: Yeah, thanks for having me. So, cybersecurity. It’s a tough topic, and the FDA is still figuring out how exactly to deal with it. They have issued guidance that attempts to categorize how high the risk is of cybersecurity for a device and the basic standards you need to follow in designing, and testing, and documenting your processes for developing that device. That guidance is currently how we generally implement most of our analysis processes and controls. The FDA has chosen to recognize certain certifications, such as UL 2100-1-2.

LN: And what is UL 2100-1?

KH: 2100-1 is a certification for network-connected systems, as far as cybersecurity is concerned, and 2100-1-2 is a subset of that standard, specifically for medical devices connected to the internet or a network. Mostly that standard follows the 2100-1, with a couple of modifications, based on the fact that medical is safety-related.

LN: Have you seen any changes in the standard since the WannaCry attack that took out a lot of the UK hospitals?

KH: Nothing that I can point to specifically. You know, that really comes down to changing specific vulnerabilities, our knowledge about them, and the attack vectors that we know that are capable of executing these things, cataloging them, making sure that we plan for them in future designs.

LN: So I know Bluetooth is a protocol that’s vulnerable to exploitation. I think at one point in time, there was a warning that everyone should take their pacemaker and get it updated. Were you familiar with that?

KH: Yes.

LN: Can you tell people a little bit more about what happened?

KH: Yeah, well, in that specific case, I’m not actually 100% sure what occurred there, but most of the time your issues are with a lack of authentication, a lack of encryption. You need to be sure that what the device is talking to on the other end is exactly who they expect it to be, what they expect it to be, and you have to make sure that that communication is secured and unchanged, unaltered. Typically, that’s done by using specific security libraries, integrating them in careful ways, making sure that all communication over the wire is encrypted, things like asynchronous key generation.

LN: I think, just from my memory of events, one of the problems they discovered is that with these protocols, there’s a period of time before authentication occurs, in the preamble when there’s a broadcast of the MAC address, the wireless name, and whatnot, where there’s a potential to create an overflow situation, to actually compromise a device before encryption and authentication occur.

KH: Yes, in certain system designs it is that way.

LN: And, unfortunately, these protocols are, you know, they’re everywhere. So, at the time, I believe that the chip makers and various equipment providers, not just only in the medical area, but across the board, had to create fixes that help protect against these types of cyber-attacks.

KH: Yes.

LN: So, you were talking about UL 2100-1-2, what about TIR57? Can you explain what that is?

KH: So, AAMI TIR57 describes how to marry up the processes of medical safety risk analysis and security analysis. It’s an attempt to show that the security analysis process is actually very similar and very familiar for anybody that’s done the safety risk analysis before. More or less, it takes ISO 14971 and applies security risk management to it, with a mix of a little bit of some NIST standards in as well. But the general idea is to really categorize what assets you’re protecting in your system, and the known vulnerabilities that your system has, and then from there, you attempt to determine a list of known attack vectors and categorize the profiles of your possible attackers. With a combination of that type of information, you can assess what the real vulnerabilities and risks are for your system, and design in controls, from the ground up, to make sure that you’ve protected against them.

LN: Yeah, well, this is really fascinating stuff. I appreciate you being on the show, and I look forward to our next segment talking more about cybersecurity and how to keep these devices safe.

KH: Thanks again for having me, Lee.

Don’t Miss Part 1 of this 3-Part Series on Medical Devices

Part 1 of the 3-Part Series on Medical Devices

View Related Articles

To Learn More About Sterling Medical Devices

https://sterlingmedicaldevices.com/company/

FDA Cybersecurity Medical Devices Regulations

https://www.fda.gov/medical-devices/digital-health/cybersecurity


Energy Industry Incident Response

Energy is vital to our everyday life. After an incident, companies face competing demands: preserve the evidence, and at the same time keep the business running. Experts Lee Neubecker and Geary Sikich give advice on how to balance these demands.

The Energy Sector provides the global economy with oil, gasoline, electricity, wind and natural gas. An Energy Industry incident could be a physical attack on a power grid or a cyber attack that stops a company from functioning. A properly planned and orchestrated energy sector incident response will reduce recovery time and loss, and can potentially save lives. Enigma Forensics CEO & President Lee Neubecker and Geary Sikich, Principal at Logical Management Systems, Corp., strongly urge all companies to create an incident response plan.

This is the final segment in the four-part series on Energy Sector Cyber Insecurity.

Part 4 of our Global Energy Sector – Incident Response

Energy Sector Incident Response video transcript follows

Lee Neubecker: Hi I’m here again with Geary Sikich, and we’re continuing with our final fourth part segment in this discussion about global cyber insecurity as it relates to the energy sector. And in this segment, we’ll be telling you a little bit more about some of the things that need to happen, related to the incident response of a data breach, for the energy sector. Geary, thanks for coming back.

Geary Sikich: Thanks Lee for having me. I think this is, probably one of those areas that are challenging to talk about.

LN: Yeah, certainly, and at the forefront, when things first go wrong, there’s a need to immediately take action to help preserve the data, and collect data so that it can be analyzed. But at the same time, there’s a competing demand for wanting the organization to function. And sometimes those two needs, create conflicts.

GS: Yeah, they sort of butt heads, if you will. I think the issue for a number of organizations, and I’ve experienced being in the command center, if you will, of organizations where their website had gone down. And it was one of these where a lot of stuff was processed through the portals that they had there. Suddenly there was this pressure to get things back up, and then to look at, what is this costing us? Because now our customers cannot execute their orders and whatnot. And that becomes a challenge because it’s the urgency issue. The other aspect is that when we look at incident response, and this is a little bit different from the typical natural disaster incident response: if I’ve been breached in a cyber incident, how long is it before I actually realize that I’ve been breached? It may not happen very quickly; it could be very subtle. And things could be manipulated, and suddenly I’m in a situation like some of the big companies that had a data hack, where all of a sudden personal accounts of cardholders are exposed. Now, what do I do? So there’s not only a lot of rapid response that’s needed, but a lot of consequence analysis that’s really needed.

LN: Is it?

GS: How do you do that and yet maintain, as you were saying, and begin to look at that.

LN: Yeah.

GS: From, not really a legal standpoint, but, from a defensive standpoint.

LN: Yeah, well, there’s a lot that needs to happen in a short period of time. You have the collection and preservation, which forensic professionals, such as myself, are often called in to do: to collect the data. Firewalls, servers, logs. Then you also have the analysis of that data to determine, what are the motivations of the attacker? Was it an attacker? Was it negligence? You know, oftentimes things go down, people assume it’s a cyber attack, external. It could be an internal attack, it could just be something as innocent as, I’ve seen a new system coming online that’s supposed to help back up and provide redundancy actually reformat a storage NAS array that it was supposed to help protect. So, these things can happen. And quickly understanding, making sure that data doesn’t disappear that could be used to rebuild, is important. And that’s where bringing in the outsider is important, because someone new coming in doesn’t have skin in the game. And you really need that objective party to help you figure out what’s happening.

GS: But I think that in that respect when you bring in someone from outside, they also have a vested interest in making sure that, from not only a reputation standpoint but also from the standpoint of the viability of their services, making sure that they’re helping to alleviate the issue. And to bring back some, equilibrium if you will. So there’s this issue of consequence management that comes to bear on those–

LN: And you have some conflicts that happen with having the people that were, kind of in charge of watching over the equipment, do the investigation. And that can cause some, serious problems to the organization. And it may be very well that, the attack wasn’t the fault of the people responsible for managing it. But, if for instance there was, an action that took place that might show some carelessness or mishandling of events by the people in charge of IT, there’s a real risk there that, that person might take actions that could result in further data destruction. In an effort to cover up, what had happened.

GS: So now in that respect, we need to protect, we need to begin to look at how we manage the data collection post-incident, or during an incident, if you will. There are obviously some legal ramifications.

LN: Yeah, well, whoever does this might have to testify. And that’s another reason why having a third party come in to do this work is important. Because you may want, legal may want to know, “well, before we put an expert up to testify in this, just tell us what happened and how do we respond? How do we get ahead of this?” If it was a problem with a vendor, you want to know that. Because the clock’s ticking. You know, from the time a data breach is confirmed, it is a real data breach and known, to the time it has to be reported, oftentimes it’s thirty days. So there’s not a lot of time to wait around if your data is breached before you get in your expert, your forensic expert, to inspect.

GS: Okay, so we’ve got a legal consideration, that has to be looked at. Insurance today has changed in a lot of respects. So, business interruption insurance. Obviously, that’s a critical area because if you want to file a claim–

LN: Yeah you have to report it to the carrier, or even if you have cyber coverage, it might not be covered if you failed to notify the insurance company of the incident.

GS: So, when I look at that aspect and say, “I’ve got a business interruption policy,” you mention cyber. And now I know that there are other riders to those policies, like for terrorism and things like that today. If I don’t have a cyber rider, which is a contingent business interruption issue, my business interruption insurance may not cover me on something like that. So it really becomes more incumbent to have, one, the knowledge; two, to be able to look at the legal considerations; three, to begin to understand insurance laws, what do I have from a coverage standpoint? Which is where the traditional risk management group comes into play. But IT’s got to coordinate with them to ensure all that.

LN: Exactly, and I had Todd Rowe on my show, who’s an insurance cyber attorney that deals with these coverage issues. So that’s an excellent video to watch that delves into that more. The other thing, though, with incident response: you have the potential PR issues that relate to being data breached. So really, you need to assemble your team, your in-house legal, your HR, your media advisor. Preferably you have a PR firm that has dealt with data breaches before. And then you’ve got to put together a plan. And all this stuff needs to be going on in parallel. So while that’s happening, your internal people are probably trying to work on getting their disaster recovery systems restored. You might even have an outside IT provider come in and help bring those systems back up online. The workload that happens when a data breach has occurred is such that it really isn’t pragmatic or practical to try to have internal IT do all the work. And it also isn’t covered by insurance, typically. The outside providers will usually be covered, but not the internal people.

GS: So, from a structural standpoint, and I’ll draw this to the areas that I worked in many years back after some of the events in the energy industry, oil spills and things like that, where industries adopted what they called an incident command system. The United States now has the National Incident Management System. With cyber, though, the composition in terms of that team is not necessarily the same as we would see in a typical incident command system as is generally presented. So from a functional standpoint, I think that there are some things that I would look at. One, somebody’s got to be in charge. Two, somebody’s got to look at planning. What’s going on, and future planning, what do we do? Three, operationally, what’s affected, what’s not affected? How do we keep it from cascading? Four, a communications perspective, internal and external. An administrative function, which looks at the financial aspects. An infrastructure function, which again, internal and external infrastructure. And then the aspect of, you know, bringing this all together as a team. Your HR people, all these other things. So, yeah.

LN: That was an excellent wrap-up Geary. I really appreciate you being on the show. If you liked this video, please share it. And check out the other segments we did as well. Thanks again Geary for being on the show.

GS: Thank you, Lee. Very challenging to present on this topic. So much.

LN: Be safe.

Watch the other segments in our Cyber Insecurity in the Energy Sector Series.

Energy Sector Detection

Energy Sector Protection

Energy Sector Global Cyber Insecurity

Enigma Forensics related video blogs


Energy Sector: Intrusion Detection

After the most recent Iranian attacks, most people don’t think about the danger to our Energy Sector that lurks in the global underworld. Cyber security experts Lee Neubecker and Geary Sikich are on the job! They explain how we can tighten our security and detect intrusions early, before an attacker does damage.

Energy Sector intrusion detection is complicated and delicate, and it is necessary to maintain our power grid. The Energy Sector provides energy for the world and must be secured and protected. Many detection tools and expert resources are used to ensure the security of these precious assets. Think about it: what do you do on a daily basis that doesn’t involve energy of some type? Enigma Forensics CEO & President Lee Neubecker and Geary Sikich, Principal at Logical Management Systems, Corp., dissect cyber security and the intrusion detection systems used by the Energy Sector.

This is Part 2 in the four-part series on Energy Sector Cyber Insecurity.

Lee Neubecker (LN): Hi, I’m back on the show again with Geary Sikich, thanks for coming back on the show.

Geary Sikich (GS): Thanks for having me back Lee.

LN: So we’re continuing our series discussing global cyber insecurity as it relates to the energy sector. In the second part of the series we’re talking more about detection of compromise. Geary, what’re your thoughts in this area?

GS: I believe that there’s a lot to be looked at in terms of the detection aspect, and this is one of the areas where you, from a forensic standpoint, provide sort of a critical juncture: what are you seeing that the general person, and even the general employee of the utility, might not be seeing? And might not be aware of?

LN: Well we know from reports by Dragos Cyber Security firm, that there’s a number of groups, I think around 11 groups are specifically targeting the energy sector. This report just came out this month, so there is a heightened attack readiness requirement to defend against these attacks. And the key thing that organizations need to be doing is they need to know that they have their firewall actively logging, and they need to be looking at those logs.

GS: Those are all state sponsored groups, right?

LN: Well, we don’t know exactly who they are, there could be terrorist cells, the Dragos report doesn’t give attribution as to the entities behind them. They describe the types of attacks, and the character of the attack methods, but there is a number of them that you can check out, there’s a link that will take you to their report if you’re interested in reading it. But you know, often times organizations fall compromised, and they don’t know it, and these things go on for a long time. There was a credit reporting agency attacked recently, for instance.

GS: So from a detection standpoint, the challenge that industries are faced with, because our focus is going to be on the energy industry, so we’ll stay with the energy industry. In general, the challenge that they face, then, is that it’s not just what we perceive could be state-sponsored hacking of their systems; it could be individuals, it could be terrorist cells, it could be pretty much anyone with a desire to infiltrate a system, whether it’s to do harm or whether it’s just to see if they can do it.

LN: Exactly. The barrier to entry to launching one of these attacks is much lower. It requires knowledge, but the knowledge could be in the head of a teenager, that got rejected at school and wants to take the power out in his town. So that’s a legitimate problem. Now related to detection, I mentioned the firewall logs, there’s a great product out there called, Canary. Have you heard of it?

GS: No, it’s new to me.

LN: Essentially, it’s a company that sells these little devices you deploy in your network, and they can pretend to be a payroll mass, a health care information system storage database, or you can make it be whatever you want. But it’s essentially trying to lure an attacker. So if someone’s in your network, they’re going to scan your network to look for resources, and it will detect people trying to brute force that item. So these items are a great way to have another way of knowing, are you compromised? If organizations that had recently been publicly compromised, that didn’t know it for many years, had had some of these devices in place, they would probably know pretty quickly, like within a day or so, of someone getting through their firewall.

GS: So the challenge, then, I guess, from a detection standpoint, and the way we’ve seen it, and in discussions with organizations that I’ve worked with, is that it’s not a single point of penetration that we have to worry about. It’s become multiple points of penetration, and multiple points that are not necessarily hard wired into the operating system. So utilities in a lot of respects have gone out to do with their status systems, monitoring your water usage or electric usage, all remotely, and you periodically might see a utility vehicle drive by, and they may have a cellular-type phone system that goes by and scans your homes to see what your energy usage is. So those all become a factor. We get into detection in terms of things we’ve mentioned today: shipping is a big issue, and we mentioned with the current situation with Iran the concern over the Strait of Hormuz, but shipping in general, navigation systems, have been targeted, not only by state actors but by other groups. So you have navigation systems, which is not just waterborne shipping. Think of where navigation systems are today. Look into your pocket and see your cell phone.

LN: Well, we had the recent issue with the Boeing Max airplane; it turned out the sensors were damaged. Well, these sensors, they’re called MEMS sensors, they’re a combination of electro-mechanical sensors, and if the chip is hit at the frequency that matches the natural frequency of the component board, it can actually cause the chip to malfunction and report erroneous readings temporarily. Or if the frequency matches and it’s of a great enough amplitude, it can actually damage the chip. And there hasn’t been much discussion about whether these chips were cyber-attacked, but it’s very possible; if you look up University of Michigan, they have research on MEMS chip sensors, and interestingly enough, the patent for these sensors was a Boeing patent. So there’s not a lot of talk about that, and I think if the chips were damaged, it’s more likely they were damaged while they were on the ground. Interestingly enough, the two crashes that occurred were in countries that had a lot of terrorist activity.

GS: I think the other aspect with detection is that when you begin to bring out a point like that, people have a tendency to assume durability of systems, when systems can be very sensitive to, if you will, shocks, minor shocks to the system. So it’s not necessarily the physical attack. You could take the example of Puerto Rico, which recently had an earthquake. What damages were incurred on their systems as a result that are undetected yet? The sensitivity of systems, I think, has become really critical in a lot of these aspects.

LN: But with these chips we’re blending mechanical with computer embedded processors. So with these chips, think of an opera singer that sings the natural frequency of a wine glass. If he sings it loud enough, that glass will shatter. It’s the same concept with this chip. You can fire sound at it, if you’re close enough, or if you have a strong enough amplifier, and you could fry it. Now that could happen: a drone could potentially launch a sonic attack, someone onboard, a passenger could do it, a cleaning crew coming through could do it. So these are some questions; it’s kind of a new paradigm, but we even had issues with military aircraft having this uptick in crashes, and these same types of systems are in the newer military helicopters and planes and whatnot. So I think it was good that the military grounded some of these devices that were having these problems, and you know the investigation, I’m sure, continues and the public may not fully be briefed on this, but it is a threat that needs to be detected before people die.

GS: So the real issue with the situation that we’re in, with this kind of global insecurity, if you will, is our ability to detect. I’ll put it in these terms: our ability to detect has been compromised by virtue of the disruptive technologies that exist, which are making detection more and more of a challenge, because they’re becoming more and more subtle in how they enter the system. So I can have a system that looks like it’s working perfectly, and yet at a point be compromised, like the mechanical system that’s supposed to open a valve, and it’s been doing it for a long time, and then suddenly it either leaves it open or completely shuts it.

LN: This is where it’s important that these entities have an accurate inventory of what their equipment is, and that they also have an accurate inventory of the embedded systems and what that software code should look like. And they should have procedures in place to periodically verify that the embedded firmware chips that do these functions haven’t been altered. Otherwise they won’t even know, and something could happen at a very critical time. So that wraps up our section on detection. In our next segment we’ll be talking about helping to protect against these types of attacks.

GS: Great.
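The periodic firmware verification Lee describes near the end of the transcript, as an added example written for this page (not a tool from Enigma Forensics, Logical Management Systems, or any utility): a baseline records the SHA-256 of the approved image for every device in the inventory, and each check compares what is read back from the field against that baseline, flagging altered, missing, and unknown devices. The device names, firmware bytes, and the tampering shown are all constructed for the demonstration.

```python
"""Firmware integrity baseline check: an added example written for this page,
not a tool from Enigma Forensics, Logical Management Systems or any utility.
Device names, firmware bytes and the tampering shown are all constructed here."""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Hash a firmware image as read back from the device (not the vendor's file)."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(approved_images: dict[str, bytes]) -> dict[str, str]:
    """Record, at commissioning time, the hash of the approved image per device.
    The returned map is the inventory of what each device's code should look like."""
    return {dev: sha256_hex(img) for dev, img in approved_images.items()}


def verify_firmware(baseline: dict[str, str], readback: dict[str, bytes]) -> dict[str, str]:
    """Compare the images read back from the field against the baseline.

    Status per device:
      ok       hash matches the approved image
      altered  device answered, but its firmware differs from the baseline
      missing  device is in the inventory but could not be read back
      unknown  something answered that is not in the inventory at all
    """
    report: dict[str, str] = {}
    for dev, expected in baseline.items():
        if dev not in readback:
            report[dev] = "missing"
        elif hmac.compare_digest(sha256_hex(readback[dev]), expected):
            report[dev] = "ok"
        else:
            report[dev] = "altered"
    for dev in readback:
        if dev not in baseline:
            report[dev] = "unknown"
    return report


# Constructed sample inventory: three devices with made-up firmware images.
APPROVED_IMAGES = {
    "valve-controller-01": b"\x7fELF valve-ctl fw v1.4 ...",
    "pump-plc-07": b"\x7fELF pump-plc fw v2.0 ...",
    "breaker-rtu-12": b"\x7fELF breaker-rtu fw v3.1 ...",
}
BASELINE = build_baseline(APPROVED_IMAGES)


def sample_run() -> dict[str, str]:
    """Simulate one periodic check in which three things went wrong (constructed)."""
    readback = dict(APPROVED_IMAGES)
    # A few bytes of the valve controller's image were changed in the field.
    readback["valve-controller-01"] = readback["valve-controller-01"].replace(b"v1.4", b"v1.5")
    # The breaker RTU did not respond to the read-back request.
    del readback["breaker-rtu-12"]
    # A device nobody put in the inventory answered on the network.
    readback["rogue-device-99"] = b"\x7fELF unknown fw ..."
    return verify_firmware(BASELINE, readback)


if __name__ == "__main__":
    for device, status in sorted(sample_run().items()):
        print(f"{device:22} {status}")
```

Two points of practice matter more than the hashing itself: the image must be the one actually read back from the device, since hashing the vendor's download proves nothing about what is running in the field, and the baseline should be kept where a compromised device or operator cannot quietly update it (offline, or signed), because an attacker who can rewrite the baseline can make altered firmware look approved.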

Watch the other segments on Cyber Insecurity in the Energy Sector

Part one of our four-part series on Energy Sector Cyber Insecurity

Learn more about cyber security and data breach from Enigma Forensics.

Check out the government’s directives on cybersecurity as it relates to energy infrastructure.

https://www.energy.gov/ceser/activities/cybersecurity-critical-energy-infrastructure

Check out what ComEd is doing.

https://www.comed.com/SiteCollectionDocuments/SmartEnergy/SmartGridAndDataSecurity.pdf


Energy Sector: Global Cyber Insecurity

Global Energy Sector cyber insecurity can lead to chaos that is felt throughout the world. Lee Neubecker and Geary Sikich, experts in cyber security and incident response, share their solutions.

Energy Sector: Global Cyber Insecurity can lead to global calamity. If a major attack happens, there would be a cascading effect with catastrophic results. In light of the most recent Iranian conflicts, the Energy Sector, as well as Corporate America, has been warned by our government to be aware of imminent security threats. Enigma Forensics CEO & President Lee Neubecker and Geary Sikich, Principal at Logical Management Systems, Corp., take apart the many threats to the Global Energy Sector, starting with SCADA (Supervisory Control and Data Acquisition), the computer systems that gather and act on real-time operational data. Cyber insecurity means that if SCADA systems are hacked, the effects ripple outward through everything that depends on them.

In this four-part series, Lee and Geary will discuss cyber threat detection, protection and global incident response in the Global Energy Sector.

The video transcript for Energy Sector: Global Cyber Insecurity follows.

Lee Neubecker (LN): Hi, I’m here again with Geary Sikich on my show. Geary is the president of Logical Management Systems, a business consulting and risk advisory firm. Geary, thanks for being on the show again.

Geary Sikich (GS): Thanks for having me back, Lee.

LN: So today we’re going to talk about the current state of global cyber insecurity. News events have been published detailing Iran’s potential cyber response. The energy sector has been put on notice to be looking out for attacks, as well as corporate America. So Geary, what is the current state of cyber risk as you see it?

GS: I think it’s kind of appropriate to begin to look at it as you introduced it, global insecurity. One has to begin to look at how secure are you? And in the context of how secure are you, how secure is our infrastructure? All the things we depend on for our day-to-day lives, and how we live, literally. So everything from your food on the table to the heat, to clean water, to the heat in your home, et cetera, all become potentially

LN: Transportation, travel, and fulfillment.

GS: Road systems, everything that’s out there.

LN: So we’re going to be talking about the highest areas of concern where a rogue terrorist organization might want to strike or a nation state that we’re at odds with. And unfortunately, we have quite a few. Later on in the second, third, and fourth segment we’ll be talking about detecting threats. In the third segment, we’ll be talking about protection against that, things that can be done proactively. And then finally, in the fourth and last segment we’ll be talking about responding to compromises, incident response, and how to recover and get back up online. So Geary, can you give everyone an understanding of what encompasses SCADA devices and what SCADA means?

GS: SCADA systems were developed for the use to control operations and utilities and other areas. It’s called the Supervisory Control and Data Acquisition.

LN: So what kind of devices make up SCADA devices?

GS: Everything from the control of pipelines, utility, electricity functions, all the way onto healthcare, pacemakers and other types of systems.

LN: CPAPs. So these are critical systems. These are systems that if someone wanted to cyber attack and really hurt us, they’re natural targets. And they’re classified as such because they have to be regulated and handled in a way to help keep them safe.

GS: Yeah. And the problem we face is not that these are systems that are so vulnerable. The problem we face is that because of the technology that we’ve embraced over the years since 1999, so that’s what, almost 20 years now, or it is 20 years now, those systems have become so embedded that we have gotten rid of the manual systems that they replaced. So things like switching for railroads. You would be hard pressed to find manual switches available to the industry, because they got rid of ’em, and they were scrapped, and they’re gone. No one produces them, or should I say, they’re produced in limited quantities, and they’re hard to get. The things we depend on in a lot of respects for the smooth running of our infrastructure become very critical to us because there are no alternatives for those systems. And as a result, we become more and more vulnerable to an infiltration of the systems for disruption.

LN: And then we also have what’s known as FPGAs, Field Programmable Gateway Arrays. They’re microprocessor controllers that can be programmed, that can actually be altered by an attacker to change how these systems function, the logic that works. We can only think of what would happen, Geary, if a nation state that we’re in a conflict with, what would happen if the water filtration system sensors were altered to put out water that appears safe but isn’t?

GS: I think you see a lot of that today simply because the threat levels are such that we have to make sure these systems are so well protected. And unfortunately, the ability to protect the systems is not necessarily as good as it should be, let me put it that way. It’s not that they’re bad, it’s not that they’re behind the times, it’s just that they’re trying to keep up with things that are changing so rapidly. Technology disruptions, and disruptive technologies today, have made a lot of systems sort of antiquated before their time. And the problem is that to keep up with replacement, to keep up with the viability of systems, becomes another burden on the system. Another critical issue in this global insecurity aspect is to look at the talent pool that’s out there in the workforces, and you start to begin to realize that there are very few people that are talented in the areas where we need them. I think in our last segment that we did, I mentioned that in the energy industry, nuclear engineers, petrochemical engineers, are desperately needed because their workforce is transitioning and the skill levels are not there. So that becomes a real challenge.

LN: Just the past, in this month alone, cybersecurity firm Dragos issued a report showing that there is a number, I think around 11 groups, that are actively targeting the energy sector and trying to take out various providers of energy. Oil, gas, you know, nuclear. There’s other threats there. You know, locally here in Chicago, you’re in Indiana, we’re in Illinois, what part of the energy sector do you think is at greatest risk?

GS: Well, I think the interesting point with that is that the bigger players, Commonwealth Edison, NIPSCO, Northern Indiana Public Service, are doing their part to ensure that their infrastructure is well maintained and protected. The problem we run into is that they’re not the only utility providers. If you look across the United States, there are so many smaller utility providers, co-ops, small utility companies, that don’t necessarily have the resources

LN: They don’t have the scale.

GS: Yeah, the skills. And the problem that they encounter and we encounter as a result is that they are critical links in the grid system. So everything from water, gas, electric, telecommunications, et cetera, all dependent on a lot of these small players. And getting one to go could potentially offer cascade effects to all the others. And as it cascades, things can get even more disruptive.

LN: So you could actually take down the big electrical utility by getting enough of the small, vulnerable electrical co-ops and launching a cyber attack on the electrical co-ops to then take out the big giant. Because when this happens, you have power imbalance. And Kirchhoff’s Law dictates the flow of electricity, and it will flow where it’s weak, and the current flows, well that can cause line tripping and power outages.

GS: Yeah. And I think the thing that people have to realize is that the apparently most vulnerable things are not necessarily the ones that are the most visible. And I say that in this respect, we look at power plants, we look at nuclear plants, and there’s a fear of someone attacking the plant. In reality, it’s the parts of the system that are not related, or that are related, linked to the power plant, but not directly.

LN: It’s an interconnected system.

GS: It’s the transformers.

LN: Everything from endpoint demand to supply. And in our prior video we talked about manipulation of endpoint demand that could cause a cyber attack.

GS: And it’s the step up and step down systems. When you generate it, electricity’s stepped up, it goes over transmission lines, it goes to a point, it’s stepped down and then it goes in the user groups, the residential, your cities, your smaller industries. So you start seeing these as being potentially vulnerable in a respect. In terms of vulnerability is that we have to begin to look at the users and begin to differentiate which ones are what we call interruptible and which ones aren’t.

LN: So in our next segment, we’ll be talking about detection of these threats, and then finally after that, the third segment we’ll talk about protecting and what organizations should do such as electrical co ops, things they can do to get ahead of this. And then when things invariably do go wrong, finally we’ll talk about incident response. So tune in next time, and please, we appreciate your shares, likes. Sign up for my YouTube channel if you liked this and you’ll get alerted when we publish the next one. Thank you.

Learn more about Global Cyber Security from Enigma Forensics

More on Global Security …

Here is the bulletin issued by the Department of Homeland Security on Global Security

https://www.dhs.gov/national-terrorism-advisory-system

Check out this article warning about Iranian Cyberattacks

https://fortune.com/2020/01/16/iran-cyberattack-false-flag-russia/


Iranian Cyber Threat Readiness

DHS has issued an advisory warning of potential cyber attacks by Iran against the U.S. Organizations should watch this short video detailing the top ways to protect yourself from Iranian Cyber Attacks.

D.H.S. Alert – Iran Cyber Threat Readiness

On January 4, 2020, the Department of Homeland Security (DHS) issued an advisory warning that Iran maintains a robust cyber program and can execute cyber attacks against the United States. Iran is capable, at a minimum, of carrying out cyber attacks with temporary disruptive effects against critical infrastructure in the United States. Previous homeland-based plots have included, among other things, scouting and planning against infrastructure targets and cyber-enabled attacks against a range of U.S.-based targets. The Iranian cyber threat is real and warrants proactive measures to ensure cyber threat readiness and minimize the risk of a successful cyber attack.

Check out Enigma Forensics, Lee Neubecker, President & CEO, and John Blair, noted healthcare industry cyber security expert, to learn more about what can be done to deter such cyber attacks and to maximize readiness for an Iranian-originated cyber attack.

Video Discussion on Iran Cyber Threat Readiness

1st Video in a three-part series with John Blair

This is the first video transcript of a three-part series.

Lee Neubecker (LN): So John, thank you for being on the show.

John Blair (JB): Thanks, Lee.

LN: John is a cybersecurity expert who focuses on the healthcare sector. Can you tell us a little bit about what organizations should be doing right now in response to concerns about potential Iranian cyber strikes on U.S. companies?

JB: Sure. I’m a pragmatist, so I think you should execute the basics first. Make sure your devices, it’s a border level of your network, and the devices are patched. You might want to start increasing your network monitoring for the next few weeks, to monitor the activity coming through, check your firewall rule sets, these types of things, just to make sure that you get a comfort level. I’m a firm believer in executing the basics solidly, and then monitoring. Because if you’re a target, and the people know what they’re doing, there’s not much you can do to prevent it anyway.

LN: So one of the things too, that I would add to that is, I think it’s important that people have a command of what’s on their network, which is basic inventory of your digital assets, so you know what your devices are.

JB: Yes, you do need to know your environment.

LN: Like you said, knowing what’s on your network, monitoring your log files and patching your devices, those three things go a very long way.

JB: A very long way. And they’re just good practice anyway. That’ll prevent most things from going bad.

LN: Great, well thanks for being on the show.

JB: Sure, thank you.
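The three basics John Blair and Lee Neubecker settle on above, an asset inventory, log monitoring and patching, can be turned into a routine check: does what the logs show agree with what the inventory claims? The following Python script is an added example, not code from Enigma Forensics or from anyone in the interview. The inventory, the simplified DHCP/firewall log format, the 10.0.1.0/24 LAN assumption and every address in the sample lines are constructed for illustration (the external addresses come from documentation ranges). It flags internal hosts that are active but not inventoried, allowed outbound connections from those hosts, and repeated denied probes from outside, which is the kind of "comfort level" review the transcript describes.

```python
"""Reconcile a digital-asset inventory against network log activity.

Added illustration; the inventory, log format and addresses are all constructed
for this example and are not from any real network.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed asset inventory: IP -> hostname the organization believes is on the LAN.
KNOWN_ASSETS: Dict[str, str] = {
    "10.0.1.10": "file-server-01",
    "10.0.1.11": "print-server",
    "10.0.1.50": "hr-workstation-07",
}

# Constructed DHCP and firewall log lines in a simplified, single-line format.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real hosts.
SAMPLE_LOGS = """\
2020-01-06T08:01:12 DHCPACK on 10.0.1.10 to aa:bb:cc:00:00:10 (file-server-01)
2020-01-06T08:02:45 DHCPACK on 10.0.1.77 to aa:bb:cc:00:00:77 (android-3f2a)
2020-01-06T08:03:01 FW ALLOW src=10.0.1.50 dst=10.0.1.10 dport=445
2020-01-06T08:03:15 FW ALLOW src=10.0.1.77 dst=203.0.113.9 dport=8443
2020-01-06T08:04:02 FW DENY src=198.51.100.23 dst=10.0.1.11 dport=22
2020-01-06T08:04:30 FW DENY src=198.51.100.23 dst=10.0.1.11 dport=3389
"""

DHCP_RE = re.compile(r"^(\S+) DHCPACK on (\S+) to (\S+) \((\S+)\)$")
FW_RE = re.compile(r"^(\S+) FW (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)$")


def is_internal(ip: str) -> bool:
    """Constructed assumption for this example: the LAN is 10.0.1.0/24."""
    return ip.startswith("10.0.1.")


def parse_logs(text: str) -> List[Dict[str, str]]:
    """Turn raw log lines into dicts; unrecognised lines are skipped, not fatal."""
    events: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = DHCP_RE.match(line)
        if m:
            events.append({"kind": "dhcp", "ts": m.group(1), "ip": m.group(2),
                           "mac": m.group(3), "name": m.group(4)})
            continue
        m = FW_RE.match(line)
        if m:
            events.append({"kind": "fw", "ts": m.group(1), "action": m.group(2),
                           "src": m.group(3), "dst": m.group(4), "dport": m.group(5)})
    return events


def unknown_internal_hosts(events: List[Dict[str, str]], known: Dict[str, str]) -> Set[str]:
    """Internal addresses that appear in the logs but are missing from the inventory."""
    seen: Set[str] = set()
    for e in events:
        if e["kind"] == "dhcp":
            seen.add(e["ip"])
        elif e["kind"] == "fw":
            seen.update(ip for ip in (e["src"], e["dst"]) if is_internal(ip))
    return {ip for ip in seen if ip not in known}


def outbound_from_unknown(events: List[Dict[str, str]], unknown: Set[str]) -> List[Tuple[str, str, int]]:
    """Allowed connections from an un-inventoried host to an external address."""
    return [(e["src"], e["dst"], int(e["dport"])) for e in events
            if e["kind"] == "fw" and e["action"] == "ALLOW"
            and e["src"] in unknown and not is_internal(e["dst"])]


def denied_external_probes(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Count DENY events per external source: a cheap signal of inbound scanning."""
    counts: Dict[str, int] = {}
    for e in events:
        if e["kind"] == "fw" and e["action"] == "DENY" and not is_internal(e["src"]):
            counts[e["src"]] = counts.get(e["src"], 0) + 1
    return counts


def review(text: str, known: Dict[str, str]) -> Dict[str, object]:
    """Run all three checks over a log excerpt and return the findings."""
    events = parse_logs(text)
    unknown = unknown_internal_hosts(events, known)
    return {
        "unknown_hosts": sorted(unknown),
        "outbound_from_unknown": outbound_from_unknown(events, unknown),
        "denied_probes": denied_external_probes(events),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOGS, KNOWN_ASSETS).items():
        print(f"{key}: {value}")
```

On the constructed sample the review reports 10.0.1.77 as an un-inventoried host, one allowed outbound connection from it, and two denied probes from the same external source; whether the phone is a harmless BYOD device or something to investigate is exactly the question an up-to-date inventory lets you answer quickly.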

Articles & Resources Related to Cyber Threat Readiness

Resources on the Internet Related to Cyber Threat Readiness

Click here to view the DHS Iranian Cyber Threat Advisory.

Cyber Essentials: Building a Culture of Cyber Readiness – a guide for leaders of small businesses as well as leaders of small and local government agencies to develop an actionable understanding of where to start implementing organizational cybersecurity practices.
Department of Homeland Security

Cybersecurity for Small Business: The Fundamentals – a set of training slides and speaker notes to help small business owners educate themselves and their employees about cybersecurity best practices and resources.
National Institute of Standards and Technology

Cyber Readiness Program – The Cyber Readiness Program is designed to provide practical resources and tools to help organizations like yours take action to become cyber ready. Completing the Program will make your organization safer, more secure, and stronger in the face of cyber threats. (Note: an account with login is required.)
Cyber Readiness Institute


Hospital Data Breached

Hospital Data Breach

Hackers will continue to pummel the sector with targeted attacks.

Have you heard the news about the most recent Chicago, Illinois area hospital data breach? We’re referring to the Chicago Tribune article by Lisa Schencker on December 31, 2019, “Personal information of nearly 13,000 people may have been exposed in Sinai Health System data breach.”

After reading this article many questions came to mind. Who would hack a hospital system? Are cyber attacks on hospitals becoming more frequent? Could a foreign hacker be targeting hospitals to conduct cyber warfare? Could it be a disgruntled employee who maliciously wants to obtain patient electronic medical records (EMR) and target a particular patient?

It has been reported that 70% of hospital data breaches include sensitive demographic or financial information that could lead to identity theft. In the Sinai Health System data breach, 13,000 patients’ names, addresses, birth dates, Social Security numbers, health information or health insurance information were potentially exposed.

One could easily assume that if a hacker was armed with this information, they could sell patient electronic medical records and financial data to the highest bidder. The potential for patient harm is exponential.

Data Breach Incident Response

What happens next? Computer forensic experts are called in to initiate a data breach response. Experts start by immediately stopping the breach, assessing the damage, notifying those affected, and conducting a security audit. Forensic experts then create a recovery plan to prepare for future attacks. Finally, forensic experts train employees to protect the data and enforce strong passwords.

Computer forensic experts, a.k.a. cyber security sleuths or electronic detectives, are really excellent at detecting where and how the breach occurred and assessing the damage. In cases of litigation due to a data breach or medical malpractice, computer forensics experts are hired by law firms to serve as expert witnesses to help win the litigation. In addition, many hospitals hire computer forensic experts to assist in auditing their records to prove their side of the case.

Prepare a Data Breach Incident Response Plan

Looking forward to 2020, cyber forensic experts agree the entire sector needs to adjust its security approach to keep pace with hackers. The Department of Health and Services and many states may impose fines on those who are not following security guidelines. It’s vitally important to create a Data Breach Incident Response Plan.

Enigma Forensics specializes in data breach incident response. To learn more about Enigma Forensics, read below.

If you think you have been breached…contact Enigma Forensics.com

Top Ways to Protect Your Home from Cyber Attacks

Top 10 Ways to Secure your Home from Cyber Attack

  1. Make sure you have a firewall that blocks outsiders from getting into your home network
  2. Patch your computers and devices at least monthly
  3. Buy IoT devices from vendors that build in security by default
  4. Purchase IoT devices that auto-update or can easily be patched
  5. Don’t purchase computing devices that ship with a default username (admin) and a static default password
  6. Consider carefully if you really need a WiFi-enabled toilet (or other appliance)
  7. Segregate your IoT devices by putting them on the guest network that many routers offer
  8. Purchase devices from manufacturers that publish firmware updates online together with a hash value for verifying the download
  9. Don’t buy devices from manufacturers that lack HTTPS encryption on their own website
  10. Discard outdated IoT devices for which patch updates are no longer available
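Item 8 in the list above recommends vendors that publish a hash alongside each firmware update; that only helps if the hash is actually checked before the image is flashed. The following Python script is an added example, not from the original page or from any device vendor. The firmware bytes, the file name router-fw-1.2.3.bin and the checksum file are all constructed for illustration. It parses a sha256sum-style checksum file, hashes the download, compares in constant time, and treats a missing or malformed published hash as a failure rather than a pass.

```python
"""Verify a downloaded firmware image against a vendor-published SHA-256 hash.

Added illustration; the firmware bytes, file names and checksum file are all
constructed for this example and do not come from any real vendor.
"""
import hashlib
import hmac
from typing import Dict

HEX_DIGITS = set("0123456789abcdef")

# Constructed stand-in for a firmware image (NOT a real vendor file).
SAMPLE_FIRMWARE = b"FWIMG\x00\x01constructed-sample-firmware-image\xff" * 64
# The same image with its last byte changed: what a corrupted or tampered download looks like.
TAMPERED_FIRMWARE = SAMPLE_FIRMWARE[:-1] + b"\x00"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an in-memory image (a real download would be hashed in chunks from disk)."""
    return hashlib.sha256(data).hexdigest()


def parse_sums_file(text: str) -> Dict[str, str]:
    """Parse a sha256sum-style checksum file: '<64 hex chars>  <filename>' per line.

    A leading '*' on the filename (binary-mode marker) is dropped; comment and
    malformed lines are ignored rather than trusted.
    """
    sums: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].strip().lstrip("*")
        if len(digest) != 64 or not set(digest) <= HEX_DIGITS:
            continue
        sums[name] = digest
    return sums


def verify_firmware(data: bytes, published_hex: str) -> bool:
    """True only if the image hashes to the published digest (constant-time compare)."""
    expected = published_hex.strip().lower()
    if len(expected) != 64 or not set(expected) <= HEX_DIGITS:
        return False  # a malformed published hash is a failure, never a pass
    return hmac.compare_digest(sha256_hex(data), expected)


def check_download(data: bytes, filename: str, sums_text: str) -> str:
    """Classify a download as 'ok', 'MISMATCH', or 'no-published-hash'."""
    sums = parse_sums_file(sums_text)
    if filename not in sums:
        return "no-published-hash"
    return "ok" if verify_firmware(data, sums[filename]) else "MISMATCH"


# Constructed checksum file, built here from the sample image so the example is self-contained.
SAMPLE_SUMS = (
    "# SHA256SUMS for router-fw-1.2.3 (constructed example)\n"
    f"{sha256_hex(SAMPLE_FIRMWARE)}  router-fw-1.2.3.bin\n"
    "not-a-digest  bogus-line.bin\n"
)

if __name__ == "__main__":
    print("genuine :", check_download(SAMPLE_FIRMWARE, "router-fw-1.2.3.bin", SAMPLE_SUMS))
    print("tampered:", check_download(TAMPERED_FIRMWARE, "router-fw-1.2.3.bin", SAMPLE_SUMS))
    print("unlisted:", check_download(SAMPLE_FIRMWARE, "other.bin", SAMPLE_SUMS))
```

A matching hash proves the file you have is the one the vendor published; it does not prove the vendor's download page itself was genuine, which is why item 9 (HTTPS on the vendor's own site) belongs next to item 8, and why a vendor signature over the image is stronger still where one is offered.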

Top Online Resources for Securing your Home Against Cyber Attacks

USA Department of Homeland Security CISA on securing your home network

USA Department of the Navy on Securing your Home Against Cyber Attacks
