Saturday, November 5, 2011

The SCADA Within Us

I have been saying this for quite some time now, and I was absolutely thrilled when someone from the health care industry came up to me and said "We are running SCADA systems in health care."  For those who do not know what the acronym stands for, it is "Supervisory Control and Data Acquisition".

Let's examine this for a moment.

Supervisory - Medical systems are indeed used to supervise patients.  That is exactly what they do.

Control - Medical systems are indeed used to control patient procedures at many levels.  That is exactly what they do.

Data Acquisition - Medical systems record patient data constantly, and use this information to make decisions.  That is exactly what they do.

Yup!  They are SCADA systems.

I just returned from the Amphion Medical Forum in Minneapolis, home of Medtronic (the largest medical technology company in the world).  Medtronic is very concerned with medical device security, and they are now beginning to understand the potential impact of mounting interest among the attack sector in hacking SCADA systems.  Rest assured they are taking this VERY seriously, and this is an absolutely fantastic bit of news for the health care community, because they are the most likely organization to make an impact on health care security.  I applaud Medtronic executives for their decision to aggressively address these issues.

One of the most interesting discussions I had with a member of the Medtronic engineering staff, who seemed very familiar with SCADA systems, was the very unique challenges the medical device industry is facing.  One challenge is that they cannot easily address physical security of many medical devices, since they are frequently found in patients (e.g. insulin pumps, pacemakers) or in their homes (e.g. monitors).  While it is possible to educate patients about this, it is nearly impossible to control physical security.  Another issue is that, even if devices are designed with firmware that can be updated, there is no easy way to update the firmware in devices implanted in the human body, and for several reasons.  One obvious reason is...well...because it is implanted in a human body.  Another reason is because many of these devices operate on coin sized batteries, and many of you know that firmware updated dramatically decrease battery life.  Let's not forget, by the way, that a failed firmware update on an implanted device that puts it in a DOS state is also very serious.

On the subject of power, if you think that the "traditional" SCADA systems have resource constraints, you are not even close to the resource constraints of some of these medical devices.  Let's not forget the need for reliability as well.

The health care industry is taking this very seriously, but there are some major challenges to address...and this is very high priority.

Health care touches each and every life on Earth.  I look forward to working with the health care industry to get this under control.

1 comment:

Chris Blask said...

That is good news.

The medical sector has been among the slowest adopting Information Technology at all (how many of us still have doctors scrawling notes on paper?), while simultaneously using information technologies in some of the most complicated and consequence-rich fashions. Hospital networks have all of the downsides of enterprise IT (complex, dynamic, application-driven...) - and then some - while having none of the benefits of most other ICS sectors (deterministic, predictable, contained...). Think of the term "Medical University" if you want to picture how bad the security proposition is.

It will require expressed interest on the part of vendors such as Medtronic to drive the medical community to adopt cybersecurity best practices.