SCADA or Medical Devices, Insecure by Default?

SCADA systems have been at the front of the security scene for a few days, since the disclosure of the Siemens default password story. SCADA stands for “Supervisory Control And Data Acquisition”. It’s a set of tools and protocols used in industrial environments. I wrote an article about security & SCADA a few months ago. Was it a premonition?

But there is another domain where computers are used more and more: the processing of medical information. Not the beloved social security numbers (and other nice stuff) in the United States, but technical data like medical imaging or the control of medical devices (scanners). Just a few years ago, the IT infrastructure in most hospitals was used to perform administrative tasks. Today, computers are everywhere and infrastructure requirements (storage, bandwidth, etc.) have exploded. Even banned technologies like Wi-Fi are now widely deployed.

From personal experience: I had an opportunity to work in a medical environment on a firewall issue. After the upgrade, while browsing the logs, I detected suspicious activity from an IP address: connection probes on port 445 to random IP addresses. Do I need to give more details?

After some investigation, the IP address turned out to be assigned to a PC connected to a scanner. Case closed? Certainly not!

  • Impossible to shut down the PC (the scanner must be available 24×7)
  • No administrative rights on the PC
  • Warranty broken if the PC configuration was changed
  • The scanner manufacturer had to come on site to “fix the bug”

But the scariest fact is: how was this PC infected? It had no Internet access and only restricted applications. I suppose the insertion of a rogue USB key was the source of the problems. The consequences of such an infection can be dramatic: network congestion, slow response times (which is critical when information must be processed in real time), etc.
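The log pattern from the anecdote above (one internal host probing port 445 on many unrelated addresses) can be picked out of firewall logs automatically. This is an added example, not code from the original post; the iptables-style log format, the sample lines and the threshold of five distinct targets are all assumptions.

```python
import re
from collections import defaultdict

# Matches the SRC/DST/DPT fields of an iptables-style TCP log line.
# The format is an assumption; the post does not show its firewall's logs.
LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)


def find_fanout_sources(log_lines, port=445, min_targets=5):
    """Return {source IP: sorted distinct destinations} for every source that
    contacted at least `min_targets` different hosts on `port`."""
    targets = defaultdict(set)
    for line in log_lines:
        m = LINE_RE.search(line)
        if m and int(m.group("dpt")) == port:
            targets[m.group("src")].add(m.group("dst"))
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


def _sample(src, dst, dpt):
    # Constructed log line, not taken from a real firewall.
    return (f"Jul 21 10:00:00 fw kernel: IN=eth1 OUT=eth0 SRC={src} DST={dst} "
            f"LEN=48 PROTO=TCP SPT=1031 DPT={dpt} SYN")


SAMPLE_LOG = (
    # Workstation that talks to one file server repeatedly: normal SMB use.
    [_sample("10.0.5.11", "10.0.1.2", 445) for _ in range(8)]
    # Host probing port 445 on many unrelated addresses: the pattern in the post.
    + [_sample("10.0.5.23", dst, 445) for dst in (
        "10.0.7.91", "192.0.2.14", "198.51.100.77", "203.0.113.5",
        "10.0.9.200", "192.0.2.201")]
    # Traffic from the same host on another port is ignored.
    + [_sample("10.0.5.23", "10.0.1.8", 80)]
)

if __name__ == "__main__":
    for src, dsts in find_fanout_sources(SAMPLE_LOG).items():
        print(f"{src}: {len(dsts)} distinct hosts probed on tcp/445")
```

Counting distinct destinations rather than raw connections keeps a busy but legitimate file-server client from being flagged.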

With this example, I would like to draw attention to the problematic security of such equipment. Dear SCADA & medical device manufacturers, your solutions must be bulletproof (they control devices which can have a major impact on people if not working properly). Don’t forget that, in most cases, you rely on widely deployed solutions like Microsoft Windows or Linux. Don’t rely only on your customers to ensure proper security. It’s a job to be performed jointly by multiple parties. If one fails, the whole security will be affected, just like the weakest link of a chain. If your organization uses SCADA or medical devices and the manufacturers recommend insecure behavior (like using default passwords), this must be a “no-go”! Whether in a SCADA or a medical environment, security must be taken into account just like on a regular network.

2 comments

  1. Stuxnet is a new Internet worm that specifically targets Siemens WinCC SCADA systems: used to control production at industrial plants such as oil rigs, refineries, electronics production, and so on. The worm seems to upload plant info (schematics and production information) to an external website. Moreover, owners of these SCADA systems cannot change the default password because it would cause the software to break down.

    http://www.wired.com/threatlevel/2010/07/siemens-scada/

  2. Other kinds of poorly patched embedded OS are also risk factors, in things like networked printers, digital signage and so on.
