Toward a Safe and Secure Medical Internet of Things
3. PRIMARY ANALYSIS
Our foremost objective in laying the foundation for securing clinical environments was
to identify the security risks, threats and requirements of various clinical scenarios. These are listed
in the table below. Our findings have been mostly consistent with some of the existing literature
on the topic [6][7] as far as external attackers are concerned. However, we found that an
important yet often neglected requirement is to minimize the impact of insider attacks posed by
already-compromised devices that are unknowingly used in ICE settings. We discuss such an
attack on instantiations of ICE that utilize secure transports such as TLS in Section 4.
| Attack Class | Description | Susceptible Components |
|---|---|---|
| Destroy | Physically destroy ICE components; e.g. cut an infusion pump tube. | All Architectural Components of ICE |
| Disturb | Modify exchanged data to prevent correct operation of components; e.g. man-in-the-middle or replay attacks | All Architectural Components of ICE |
| Reprogram | Modify data or code in an ICE component to prevent its correct operation; e.g. modify infusion pump software to deliver extra medication | All Architectural Components of ICE Except the Communication Network Itself |
| Denial of Service | Exploit bugs or interfaces that were not designed with security in mind | All Architectural Components of ICE |
| Eavesdrop | Listen in on the deployed ICE environment to learn sensitive information. | Communication Network |

Table 1. General attack model for ICE as identified in [6]
Use of an ICE controller based on DDS Security potentially addresses or mitigates Disturb, Denial
of Service and Eavesdrop attacks. Further, it would mitigate the impact of insider attacks
dramatically.
June 2016