Automated Threat Modeling and Attack Simulations in Healthcare
As more medical devices and systems become interconnected, cybersecurity threats have become more numerous and impactful. Automated threat modeling and attack simulations offer a way to cope with the challenge in line with FDA recommendations.
Threat modeling is a procedure that answers key questions in cyber security management such as: “How vulnerable am I to different types of cyber-attacks?”, “What are the weak links that an attacker can exploit to reach my high value assets?”, and “What can or must I do to safeguard against these threats in the most effective way?” It provides defenders with a systematic analysis of what controls or defenses need to be included, given the nature of the system, the probable attacker's profile, the most likely attack vectors, and the assets most desired by an attacker. This enables companies to “shift left” and become more proactive and effective.
Healthcare is one of the sectors where the stakes are particularly high. Just consider the risk of ransomware disrupting clinical operations or the harm of hacked pacemakers.
FDA recommends threat modeling to reduce the risk of patient harm. Manufacturers of products and solutions should conduct cybersecurity risk analyses that include threat modeling for each of their devices/applications and update those analyses over time. Among other things, FDA encourages manufacturers to address the following key elements:
- Identification of assets, threats, and vulnerabilities;
- Assessment of the impact of threats and vulnerabilities on device functionality and end users/patients;
- Assessment of the likelihood of a threat and of a vulnerability being exploited;
- Determination of risk levels and suitable mitigation strategies.
For each key threat, a summary report should be produced that concisely summarizes the risk analysis and the threat modeling information. The results of the analyses, and the critical information they yield, should also be traceable to related documentation.
ENISA (the European Union Agency for Cybersecurity) also recommends that threat modeling be incorporated into the cybersecurity processes of hospitals. Cybersecurity threats should be considered when planning procurement of a new system, product or service, and threat identification should be continuous throughout the procurement lifecycle. The threat modeling process should be updated, if applicable, following the procurement of a new product or service.
In the report “Procurement guidelines for cybersecurity in hospitals”, released in February 2020, ENISA explains good practices for the security of healthcare services.
Threat modeling with securiCAD can be used within the healthcare sector for security assessments of traditional and cloud IT environments, medical devices, applications and the connections between them. A key feature of securiCAD is that it automates the threat modeling process through simulations and thus enables the user to capture the holistic picture. Devices, products and applications almost always exist in a context of systems of systems, and this wider context is typically very important for security. Capturing this wider context quickly makes threat modeling too complex and time consuming to do by hand, but it is well suited to automation and simulation.
In line with the FDA and ENISA recommendations listed above, securiCAD helps identify key assets, threats and vulnerabilities, identifies the “critical paths” that an attacker could exploit to cause harmful impact, quantifies risks, and suggests effective mitigation actions. securiCAD works with a model/digital twin of the device/product or application/system and does not interfere with the real environment.
Using securiCAD in the Healthcare sector:
The fundamental approach of cyber security analysis with securiCAD is to simulate attacks on a digital twin/model of your current or future systems/devices/applications. As simulations are conducted on a digital twin/model, securiCAD will not interfere with the real existing solution. Once the model of the environment is built in securiCAD, check the model/structure and flag the high value assets. Any object in the model, and any number of objects, can be chosen as a high value asset. The attack simulations in securiCAD will then try to reach every corner of the model, which means that there are attack simulation results for most objects in the model. The report shows risk exposure values and Time to Compromise values for the selected High Value Assets. The Critical Paths and Chokepoints views visualize the attack paths, that is, how an attacker can most easily reach and/or compromise your High Value Assets. The user can then choose and test the effectiveness of different applicable mitigation actions, to assess how the risks can be mitigated in the most effective way.
In total, foreseeti recommends using the solutions in a circular flow: simulate, check results, mitigate errors, simulate, check results again, and repeat the process until the results are within accepted threat levels.
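The simulate, check, mitigate loop described above can be illustrated on a toy model. This is an added example, not securiCAD code: the node names and effort values in days are constructed, and a deterministic shortest-path search stands in for the product's simulation engine, whose internals the page does not describe.

```python
import heapq

# Constructed model of a hospital network. Each edge is one attack step and
# its weight is an assumed effort in days (illustrative values only).
MODEL = {
    "internet": {"vpn_gateway": 5, "clinician_laptop": 3},
    "vpn_gateway": {"hospital_lan": 2},
    "clinician_laptop": {"hospital_lan": 1},
    "hospital_lan": {"device_gateway": 4, "ehr_server": 6},
    "device_gateway": {"infusion_pump": 2},
    "ehr_server": {},
    "infusion_pump": {},
}

def simulate(model, entry, asset, removed=frozenset()):
    """Return (time_to_compromise, critical_path) for the cheapest route."""
    queue = [(0, entry, [entry])]
    done = set()
    while queue:
        cost, node, path = heapq.heappop(queue)
        if node == asset:
            return cost, path
        if node in done:
            continue
        done.add(node)
        for nxt, days in model[node].items():
            if nxt not in done and nxt not in removed:
                heapq.heappush(queue, (cost + days, nxt, path + [nxt]))
    return float("inf"), []

def chokepoints(model, entry, asset):
    """Nodes that every attack path to the asset must pass through."""
    return [n for n in model if n not in (entry, asset)
            and simulate(model, entry, asset, removed={n})[0] == float("inf")]

def mitigate(model, src, dst, extra_days):
    """Return a copy of the model with one attack step made harder."""
    hardened = {node: dict(steps) for node, steps in model.items()}
    hardened[src][dst] += extra_days
    return hardened

if __name__ == "__main__":
    ttc, path = simulate(MODEL, "internet", "infusion_pump")
    print("baseline TTC:", ttc, "via", " -> ".join(path))
    print("chokepoints:", chokepoints(MODEL, "internet", "infusion_pump"))
    for src, dst in [("internet", "clinician_laptop"), ("hospital_lan", "device_gateway")]:
        new_ttc, _ = simulate(mitigate(MODEL, src, dst, 10), "internet", "infusion_pump")
        print(f"harden {src} -> {dst}: TTC {ttc} -> {new_ttc}")
```

Hardening a step that is not on a chokepoint raises the time to compromise only until the alternative route becomes the critical path, while the same effort applied at a chokepoint raises it for every route.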
The securiCAD solutions are used across the system lifecycle, from proactive modeling at design stage to proactive and continuous risk assessments of live environments.
Proactive modeling at the design stage: Enable organizations to uncover weaknesses in Healthcare devices or applications before they are introduced. Simulate attacks on planned IT architectures already at the design stage and/or before deployment. Take proactive actions based on the insights back to the development team.
Proactive modeling of existing architecture: Analyze live systems in a non-intrusive way. Build a model of your architecture, either manually and top down or automatically through data import. Simulate attacks. Find out what security actions have the best effect in lowering your overall business risk.
Proactive modeling of cloud architecture: For AWS cloud-based IT architectures, import of the AWS data is fully automated via standard APIs. A model of your AWS environment can be viewed and is used to simulate attacks to reveal valuable insights. The simulation report shows High Value Assets, Chokepoints, a Threat summary and the critical path an attacker would choose to reach the high value assets.