The U.S. Cybersecurity and Infrastructure Security Agency issued an advisory this week about critical vulnerabilities in software used in medical devices.
As outlined by a blog post from Forescout Research Labs, the set of 13 new vulnerabilities affects Siemens’ Nucleus TCP/IP stack.
The flaws could allow remote code execution, denial of service and information leakage.
“CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities,” said the alert. “CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.”
Siemens did not respond to a request for comment by press time.
WHY IT MATTERS
The team at Forescout, which initially identified the vulnerabilities with support from Medigate Labs, said that it’s “notoriously challenging” to understand where the code may be present.
Still, they were able to find 2,233 vulnerable devices running Nucleus – which was acquired by Siemens in 2017 – in the healthcare industry.
Affected devices include anesthesia machines, patient monitors and others that Forescout describes as “safety-critical.”
The vulnerabilities range in severity, with the most serious given a CVSS score of 9.8 out of 10. That particular vulnerability could result in denial-of-service conditions and remote code execution, said Forescout.
As noted by CNN in its coverage of the report, Forescout researchers were able to use one vulnerability to take control of a building automation system used in hospitals and turn off the lights and HVAC system in a mock patient room.
According to CISA, there are no known public exploits specifically targeting these vulnerabilities. Siemens has released patches for all of them.
“Complete protection against NUCLEUS:13 requires patching devices running the vulnerable versions of Nucleus,” said Forescout.
Forescout recommended a mitigation strategy for network operators to address the flaws, especially given that patching embedded devices might be difficult:
- Discover and inventory devices running Nucleus.
- Enforce segmentation controls and proper network hygiene.
- Monitor progressive patches released by affected device vendors and devise a remediation plan for the vulnerable asset inventory.
- Monitor all network traffic for malicious packets that try to exploit known vulnerabilities or possible zero-days.
Several major device manufacturers released statements on the report, including Cisco, GE Healthcare and Philips.
“As part of the company’s product security policy and protocols, Philips teams are evaluating Philips’s products and solutions utilizing Siemens’s vulnerable products for potential impacts from these reported vulnerabilities and validating actions,” said the company in a security advisory.
“At this time, no Philips products are known to be impacted,” it continued.
THE LARGER TREND
Medical device security has taken on heightened importance amidst the COVID-19 pandemic, when remote patient monitoring and telehealth have expanded hospitals’ network endpoints.
The U.S. Food and Drug Administration’s Suzanne Schwartz told Healthcare IT News earlier this year that device cybersecurity requires a “whole community” approach.
“This is an area of shared ownership and shared responsibility,” she said. “There is no one entity, no one stakeholder that can solve these really big challenges on their own.”
“It has to be through partnership through collaboration, through recognition that we all have different roles to play, different types of expertise, different responsibilities,” she added.
ON THE RECORD
“Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents,” said CISA in its advisory.