CISA Issues an Advisory
On 21 October, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an Industrial Control System (ICS) Medical Advisory. The advisory concerning the B. Braun Infusomat Space Large Volume Pump was discovered and reported to B. Braun by Douglas McKee and Philippe Laulheret of McAfee. The vulnerability set affects medical devices and other products related to healthcare. It could allow command-line access, malicious data replacement of correct data, and device reconfiguration, among other problems.
With five specific vulnerabilities listed, this advisory exposes the need for clear and intentional attention to ICS and Supervisory Control and Data Acquisition (SCADA) systems within the medical field. The software and hardware controllers mentioned in this advisory control infuser pumps and battery packs. Loss of access to correct and timely medical data, as well as the systems that control medications and sensors, can be a life-threatening issue for medical providers and their patients.
If the device in question connects to a network, malicious actors can exploit these vulnerabilities remotely. So there is also a strong argument for ensuring your organization’s network traffic is protected and monitored for abnormal activity.
What are the vulnerabilities?
CISA lists the five following vulnerabilities in their advisory:
- Improper Input Validation: improper sanitization of input;
- Insufficient Verification of Data Authenticity: lack of complete verification of data authenticity;
- Missing Authentication for Critical Function: allows a remote attacker to reconfigure the device from an unknown source;
- Cleartext Transmission of Sensitive Information
- Unrestricted Upload of File with Dangerous Type allows attackers to load any files into temporary file space.
CISA lists this set of vulnerabilities as “Exploitable remotely/low attack complexity, but B. Braun’s separate advisory states that it requires a high skill level to exploit. Either rating is enough to cause concern, as the threats to your organization and its clients are sufficient to call for immediate action to mitigate.
Vendor Recommendations:
B. Braun recommends updating software to the most recent versions, using network zoning that disallows access from the Internet and using Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS).
Further Reading
B. Braun Advisory: https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy.html.
CISA’s advisory: https://us-cert.cisa.gov/ics/advisories/icsma-21-294-01
Northstarr System Solutions provides expert knowledge and skills to help our customers protect their data and clients from malicious actors. Visit us at https://northstarr-ltd.com/ to sign up for a free assessment, or call us at (888) 767-2210.