One particularly sensitive environment with a huge impact on our lives covers medicine and medical device manufacturing, hospitals and healthcare. For our wellbeing, these ecosystems must function correctly at all times. Industrial Control Systems (ICS) is an umbrella term for Supervisory Control and Data Acquisition (SCADA) and Distributed Control Systems (DCS), and it is part of Operational Technology (OT). In the United States, medical devices are categorized as ICS and any security advisories are released by ICS-CERT; however, this is not the case in the European Union or in Asian countries such as South Korea.
ICS are cyber-physical systems, meaning that a process or an action in cyberspace can result in an action or change in the physical world. They are usually used to monitor and control physical components. Therefore, when speaking about networks, algorithms, or any computational entity in the realm of healthcare, such as in a hospital, unplanned alterations or outages can become very dangerous. We are still trying to digest the latest industrial revolution and move to Industry 4.0, with the evolution and revolution of cyber-physical systems, yet we are already talking about the next industrial revolution, in which we will see greater collaboration between humans and machines as equals, with humans leaving increasing parts of their work to machines. This collaboration is emerging with advances in artificial intelligence (AI), machine learning (ML), robotics, Internet of Things (IoT), autonomous vehicles and self-driving cars, 3D printing, virtual and augmented reality, wearables, additive manufacturing, nanotechnology, biotechnology, energy storage and quantum computing. While all this may take some time, the cyber security industry must already work to better safeguard environments such as ICS or healthcare, before the new industrial revolution comes. Sadly, both ICS and Health Information Systems (HIS) share many common cybersecurity challenges, such as legacy devices and the use of unsupported operating systems, critical and sensitive devices exposed to the internet, slow or impossible patching processes, and a low level of cyber security maturity and awareness.
The well-known CIA triad is a model with the three security principles: confidentiality, integrity, and availability. These can help guide an organization's efforts and policies, helping with the prioritization and implementation of different policies in an IT environment.
- Confidentiality: Only authorized users and processes should be able to access or modify data.
- Integrity: Data should be maintained in a correct state and nobody should be able to improperly modify it, either accidentally or maliciously.
- Availability: Authorized users should be able to access data whenever they need to do so.
In an ICS environment, unlike a classical IT environment, the focus is on the industrial processes that information technology controls, rather than on the information itself. This places availability and integrity at the top of the pyramid of priorities.
Towards the end of 2019, we observed a very significant increase in ransomware attacks on hospitals that continued in 2020. In the US alone, 92 individual ransomware attacks affected over 600 separate clinics, hospitals, and organizations (a 60 percent increase from 2019) and more than 18 million patient records, and the cost of these attacks is estimated to be almost $21 billion. However, breaches are only published by the U.S. Department of Health Services if they affect over 500 people. While those impacting fewer than 500 must also be reported, they often stay under the radar as they are not publicly disclosed [1]. At the beginning of the pandemic, several cybercrime gangs promised to halt their attacks on healthcare organizations. Other ransomware operators said they would be offering free decryption services for healthcare organizations that were mistakenly encrypted. But this didn't last long, and they were quick to break their promise considering the enhanced opportunities for easy revenue. In our last blog, we discussed ransomware attacks on ICS environments, but once ICS and healthcare are included as dual targets, this dangerous combination can cost lives. ICS and healthcare both frequently depend heavily on "security through obscurity", and while trying to keep both environments secure with limited budgets and high threats, they often rely more on hiding than on proactive protection and threat actor hunting.
On average and across all industries, companies have required 207 days to identify and 73 days to contain a breach, that is 280 days or over 9 months. When considering only healthcare, these statistics get worse, with the breach lifecycle reaching 329 days, or almost 11 months; 50% of breaches were the result of a malicious attack, 27% of breach incidents were caused by human error, and 23% were caused by a system glitch [2]. Most of these attacks are currently ransomware, as this provides a very attractive target for cyber criminals; however, we are now seeing a rise in the number of virtual hospitals or hospital wards, where the vulnerabilities may no longer simply be outdated operating systems, and if breached, we must be concerned about the integrity of the medical information. Looking further into the ICS portions of a traditional hospital, such as heating and air conditioning (HVAC) systems, these are designed to be durable with a lifecycle measured in decades rather than years, meaning these will remain endpoints leading to the other OT parts of the healthcare environment in hospitals and laboratories.
The security risk and potential impacts for both ICS and healthcare are often far worse than for typical business IT networks. Unfortunately, ICS is a component of healthcare environments that is frequently overlooked. Adding to already very sensitive and often insecure environments, like hospitals and laboratories, drugs and medication manufacturing, we also have ICS elements that keep the healthcare environments up and running or simply maintain a required state (for example the specific storage temperature requirements of certain COVID-19 vaccines). And while ICS in healthcare environments is mostly defined as building automation, it could also be argued that other equipment such as anaesthesia machines, sterilisers, electrosurgical units or infusion pumps are all medical equipment that exist in connected / "smart" versions and therefore could be accessed, altered, hacked or shut down, causing changes in the physical world, directly affecting people's lives.
How can ICS be better protected, not only, but perhaps especially within healthcare?
To protect the ICS portion of healthcare facilities, a variety of measures and security controls must be applied, knowing that a single security product or technology cannot adequately protect an ICS. Protection comes from a mixture of security policies and a properly configured set of security controls fit for the technologies deployed in the environment. The selection and implementation of security controls to apply to an ICS can have major implications for the operation, so the following questions should be considered:
- Which security controls are needed to adequately mitigate risk to an acceptable level to support the organizational missions and business functions?
- Have the selected security controls been implemented or is there a realistic implementation plan in place?
- What is the required level of assurance that the selected security controls are implemented correctly, operating as intended, and producing the desired outcome?
There is no one-size-fits-all solution, but the following outlines some basic approaches and best practices that could help in making decisions:
- Network Segmentation and Segregation: While the traditional CIM/Purdue Model may be becoming obsolete with ever-growing connectivity, most threats continue to come from the enterprise network, so proper use of a DMZ, with uni-directional firewalls / data diodes / air-gap, is recommended.
- Smart Patching: As mentioned earlier, outdated operating systems are a pain point common to both environments. It is almost impossible and certainly not even recommended to attempt to patch everything due to numerous legacy systems and interoperability issues. However, a smart patching plan is one that works for your environment and includes processes for proper testing alongside enforced change management controls. Where patching is unfeasible, application whitelisting and policy enforcement will make an attacker’s life far more difficult and significantly improve your chance to defend or deny a ransomware attack on your OT organization.
- Removable Media: Like most OT environments, hospital machines are frequently seen with freely accessible USB ports. The use of removable media on any node connected to sensitive environments should be severely restricted, if not totally blocked.
- Audit, Monitor and Supervision: Continuous testing and monitoring are required to ensure identification of vulnerabilities and improvements in the policies, processes, procedures and technology that have been configured, created and deployed. This can also help to identify methods by which the duration of the breach lifecycle can be reduced.
- Security Awareness and Training: The human assets in the network can be the strongest link, but this will only be the case with the right security awareness and training, based upon continuous audit and monitoring, to address the threats in their environments.
- Authentication and Access Control: In both environments, some equipment must always be accessible without credentials for emergency situations: it may need to be accessed to be shut down or, in the opposite scenario, to be quickly available for use to reduce damage or save lives. As always, this decision must be made by each organisation. However, where we are designing access controls and authentication, it is always recommended that users have different (and unrelated) passwords for use with encrypted and unencrypted protocols. Additionally, users should have different accounts and passwords on the corporate network and on the OT / ICS / healthcare network. Where possible, a centralized authentication system exclusively for those sensitive environments, separate from the corporate one, should be used.
- Backups: Frequent backup of all hosts, with an adequate pipeline to recover systems from those backups, means a faster recovery from any ransomware attack. Offline backups as a disaster recovery strategy are also critical, to ensure that the most important OT assets are protected or can be readily restored if the infrastructure is down. As always, these backup and recovery processes must also be regularly tested.
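One way to verify that the segmentation recommended above actually holds, as an added example that is not part of the original post: the script audits flow records against a zone policy and reports every flow that crosses the OT boundary other than the one-way export into the DMZ. The subnets, the four-field record format and the policy itself are assumptions made for illustration.

```python
import ipaddress

# Constructed zone map (assumption): substitute your own addressing plan.
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "ot": ipaddress.ip_network("10.30.0.0/16"),
}
# Assumed policy: the only flow allowed to cross the OT boundary is the
# one-way export from OT into the DMZ (data diode / uni-directional firewall).
ALLOWED = {("ot", "dmz")}

# Constructed flow records in the form "src dst dst_port proto".
SAMPLE_FLOWS = [
    "10.30.1.5 10.20.0.10 443 tcp",   # OT -> DMZ: allowed export
    "10.10.4.7 10.20.0.10 443 tcp",   # enterprise -> DMZ: does not touch OT
    "10.10.4.7 10.30.1.5 502 tcp",    # enterprise -> OT (Modbus/TCP): violation
    "10.20.0.10 10.30.1.5 3389 tcp",  # DMZ -> OT: breaks the one-way rule
    "10.30.2.9 203.0.113.8 443 tcp",  # OT -> internet: violation
]


def zone_of(addr):
    """Map an IP address to its zone name, or 'external' if it is in none."""
    ip = ipaddress.ip_address(addr)
    return next((z for z, net in ZONES.items() if ip in net), "external")


def audit_flows(lines):
    """Return (src_zone, dst_zone, record) for each flow that breaks the policy."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed record
        try:
            src_zone, dst_zone = zone_of(parts[0]), zone_of(parts[1])
        except ValueError:
            continue  # source or destination is not an IP address
        crosses_ot = src_zone != dst_zone and "ot" in (src_zone, dst_zone)
        if crosses_ot and (src_zone, dst_zone) not in ALLOWED:
            findings.append((src_zone, dst_zone, line))
    return findings


if __name__ == "__main__":
    for src_zone, dst_zone, record in audit_flows(SAMPLE_FLOWS):
        print(f"VIOLATION {src_zone} -> {dst_zone}: {record}")
```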
The healthcare ecosystem is only one of the sensitive environments containing ICS. Our course on Attacking and Securing Industrial Control Systems can be applied not only to healthcare environments but to many others, from power grids and water treatment facilities to food processing and other parts of critical infrastructure that need to be well secured and resilient. This training will help you to understand ICS systems, analyse their weaknesses, attack them and design strategies to protect them. It is aimed at security professionals who want to understand ICS systems, improve their skills, or specialize in ICS security, and will take them from the fundamentals of ICS security to advanced hacking techniques.
The focus will be on methodologies for hacking commercial hardware devices such as PLCs as well as simulators and will also provide an excellent opportunity for participants to gain hands-on experience in penetration testing of these devices and systems. The ICS setup will simulate the ICS infrastructure with real-time PLCs and SCADA applications. The training will cover the most common ICS protocols (Modbus, S7, DNP3, OPC, Profinet), analysing packet captures and learning how to use these protocols to talk to PLCs. The training will also incorporate how to program a PLC, to improve understanding of how they can be exploited. There will be modules on how to bypass air-gaps, how to defend air-gapped systems, along with the techniques and tactics that adversaries use to compromise ICS systems.
Do you want to learn more?
We are giving a two-day online training on Attacking and Securing Industrial Control Systems at HITB in May 2021 and Black Hat USA in August 2021.
Get your ticket!
- HITB (Europe Timezone): https://sectrain.hitb.org/courses/attacking-and-securing-industrial-control-systems-ics-may-2021/
- Black Hat USA (US Pacific Timezone): https://www.blackhat.com/us-21/training/schedule/index.html#attacking-and-securing-industrial-control-systems-ics-21885
Also check out our training schedule for more dates: https://dreamlab.net/en/education/trainings-schedule/.
Resources and Related Content:
[1] https://www.comparitech.com/blog/information-security/ransomware-attacks-hospitals-data/, Paul Bischoff, 2021, Ransomware attacks on US healthcare organizations cost $20.8bn in 2020
[2] https://newsroom.ibm.com/2020-07-29-IBM-Report-Compromised-Employee-Accounts-Led-to-Most-Expensive-Data-Breaches-Over-Past-Year, IBM, 2020, IBM Report: Compromised Employee Accounts Led to Most Expensive Data Breaches Over Past Year
__________
Sarka Pekarova
Security Consultant at Dreamlab Technologies