Last week’s warnings about serious, remote access flaws affecting GE anesthesiology machines underscore a major gap in our understanding of cyber risk. Namely: we don’t have a good way to measure security flaws that carry cyber physical risk.
Join me in considering warnings about two, recent software vulnerabilities.
The first, published May 10th, affects a commonly used printer management software package. An attacker could take advantage of the flaw to execute malicious code by compromising the host server, performing DNS spoofing of the host server, or modifying the update code in transit. That could give the attacker control over the print management application itself.
The second flaw, published July 10, affects two popular models of anesthesia pumps used in hospitals and other clinical settings all over the world. Successful exploitation of this vulnerability could allow an attacker the ability to remotely modify the anesthesia device parameters. That could include altering the mix of gasses distributed to patients by the machine or disabling critical alarms.
My question: which is the more serious vulnerability? If you answered “the second,” you would be wrong – at least according to our current way of calculating and (therefore) understanding and talking about cyber risk.
Women and printers first!
Let me explain. The first vulnerability I mentioned is CVE-2018-5409 and concerns the PrinterLogic Print Management software. The vulnerability in question is considered an example of an “origin validation error” (CWE-346) according to the CWE – or Common Weaknesses Enumeration list, a kind of common reference guide for the many different kinds of software flaws. Those occur when software doesn’t properly verify that the source of data or communication is valid. An attacker who could take advantage of this flaw could execute malicious code on the PrinterLogic application -perhaps giving them control over the application and access to the systems and data it manages.
Certainly, running malicious code on any enterprise application is pretty serious. It could pose a major risk to the integrity of IT environments that use the PrinterLogic application – no doubt about it. But let’s be clear: we’re talking about a printer management platform here. The most likely and direct first order victims of this flaw are network printers. The CVE – or Common Vulnerability and Exposure – ranking for the flaw? 9.8 out of 10, which is considered “critical” severity.
The second vulnerability is, of course, CVE-2019-10966 which was first reported on July 10th. We wrote about this flaw last week after ICS CERT issued an alert calling attention to it. The flaw affects four, different anesthesia machines sold by GE Healthcare: the Aestiva 7100 and 7900 and the Aespire 7100 and 7900.
As we noted in our story, the flaws exist in the way these machines accept commands sent via a terminal server, which is used to connect medical devices like this to hospital local- and wide area networks. Essentially: the machines don’t require remote administrators to authenticate to them in any way when issuing commands that can modify the device configurations, including changing the composition of gasses aspirated using the machines and silencing alarms.
In a worst case scenario an attacker could use software commands sent over a local area network to alter the mix of gasses these devices dispense to patients as well as suppress alarms on the machine. Needless to say, such an attack could cause severe bodily harm to a person connected to the device – possibly even killing them. The CVS severity rating for the GE flaws? 5.3 on a scale of 1 to 10 for “improper authentication” (CWE-287). In other words: medium severity.*
How does a flaw potentially affecting the integrity of printer management application get a “critical” severity rating and one affecting the integrity and operation of anesthesia machines get a “moderate” severity rating? It has to do with our evolving and still immature system of rating (and therefore thinking about) cyber risk.
No Clear Guidance on measuring Cyber Physical Risk
Despite an explosion of software-driven and Internet connected physical “stuff” in the last two decades – from automobiles to X-Ray machines – our conception of cyber risk is still mostly focused on “CIA” – or confidentiality, integrity and availability. These measurements are concerned with the information contained on a given system. Vulnerability severity tracks to whether it enables attackers to defeat security measures for information access and disclosure (confidentiality), allows them to improperly modify or destroy information (integrity) or deny timely access to that information (availability).
The strength of this formula is that it can be applied evenly across information systems of all different types, regardless of their purpose or makeup. The weakness, obviously, is that it fails to assess the larger context of a piece of software like whether it is powering a passenger jet filled with hundreds of people or helping an incapacitated person breathe.
In other words, the GE anesthesia flaw can be considered “medium severity” because – under the rubric of CIA – it doesn’t look too serious: the GE pumps can be manipulated and reconfigured, but the data they contain can’t be altered or destroyed nor can the attacker knock the anesthesia pump offline. Looked at through the lens of common sense, however, that’s just silly. The flaws are trivial to use and let a remote attacker manipulate the operation of a life sustaining medical device. That’s “critical” by anyone’s standard.
As it stands, however, we don’t have a good or uniform way of bringing considerations such as “affects life sustaining medical device” into the mix. Needless to say: that’s a big problem – and one that will only become more pressing as software-based systems come to dominate critical and life-sustaining functions, like anesthesia pumps.
“Unfortunately you can’t have a ‘one size fits all,’ said Elad Luz, the Head of Research at CyberMDX who discovered the GE flaws. CVSS is most useful in measuring traditional software flaws like those in applications running on a PC or mobile device. “When you have a critical, embedded device like a medical device and you can manipulate or alter the sole functionality of that device? Personally I would consider this a higher score for the vulnerability,” Luz said. Technically, however, the flaw he discovered wasn’t a remote code execution, so it couldn’t be counted as critical – even though it is unclear that a RCE flaw could have a worse outcome than harming a patient. (Check out our full conversation here.)
Clearly, the folks at Department of Homeland Security recognized the severity of the flaw, because they issued a special bulletin about it. That’s good. My concern is absent that warning, it would have been easy to overlook a medium severity flaw affecting just a handful of models of medical devices. Missing the alert means that the vulnerability doesn’t get addressed. And that means people are at risk.
NIST, which hosts the NVD, and MITRE which maintain the Common Vulnerabilities and Exposures (CVE) list and the CVSS rating system, have recently taken pains to make clear that NVSS measures vulnerability severity, not cyber risk. NIST has also sought to distinguish CVSS “base scores” from more use- and context specific measurements. As NIST notes on its NVD website: base scores don’t take into account either temporal factors (changes in the environment external to a vulnerability that might make it more or less severe) nor ‘environmental scores’ which might capture the impact of the vulnerability to a specific organization.
A CVSS score calculator does incorporate temporal and environmental factors that could be figured into the base score to come up with a more comprehensive severity rating. But even those measures fail to capture what the GE anesthesia machine rating, namely: cyber physical risk. Its helpful to understand that CVSS scores aren’t a measure of cyber risk. But simply declaring that CVSS scores don’t measure risk and shouldn’t be thought of in that way doesn’t actually help us to figure out how to describe cyber risk and, in particular, cyber physical risk.
Sometimes an Impact is just an Impact
The closest thing we have right now that points in the direction of assessing cyber physical risk is in NIST’s FIPS 199 Standards for Information Categorization for Federal Information Standards. Those standards discuss what is referred to as the “impact” of security breaches that affect confidentiality, integrity or availability. The three impact ratings (low, medium and high) described in FIPS 199 talk about the possibility that a security breach might result in “harm to individuals involving loss of life or serious life threatening injuries.”
So that’s good: the ingredients of a vulnerability rating system that comprises both logical and physical risk are there. Now the question is how to combine those ingredients in the best way. And this is where things break down. While NIST points to the FIPS 199 standard, it doesn’t provide clear guidance on how to marry the CVSS score to FIPS 199.
Additionally, the FIPS 199 standards reference to the “impact” of security breaches when discussing cyber physical risk is hopelessly confusing. “Impact,” it turns out, is a term used repeatedly in NIST and other publications on cyber risk and vulnerabilities, though generally not in regard to physical risk. When does “impact” mean the kinds of impact that FIPS 199 is talking about in regard to cyber physical risk and when does impact just mean “impact” related to traditional CIA concerns? Its impossible to know.
FIRST, the incident response professional organization, calls for a “comprehensive risk assessment system” that “considers more factors than simply the CVSS Base Score” including “factors outside the scope of CVSS such as exposure and threat.” However it is unclear how such a system would work or what role cyber physical risk would play in it. The group’s detailed user guide makes no mention of cyber physical risk, physical harm or safety. The focus – once again – is on information security.
FIRST does encourage industries like safety, automotive and healthcare to try their hand at creating a broader cyber risk scoring system.”to include additional metrics and metric groups while retaining the official Base, Temporal, and Environmental Metrics.” Yes, its possible that each industry or even each vendor could come up with their own severity rating system that incorporates cyber physical risk. But its not clear that such a Balkanized system would do anything more than sow confusion.
What’s needed is a uniform system for rating security vulnerabilities that also comprises cyber physical risk. Such a system can build upon the success of CVE and CVSS, but also provide an easy means of bringing security flaws with cyber physical consequences to the forefront and make sure that physical safety figures prominently into our discussion of cyber risk. With more vehicles, robots, home appliances and – yes – medical devices sprouting Internet addresses, graphical interfaces and operating systems, the line between IT risk and physical risk is vanishing
(*) The 5.3 rating was taken from the U.S. CERT ICS Medical Advisory. The NVD indicates that the GE vulnerabilities are “awaiting analysis.”