Page 7 - Cyber Warnings
P. 7
2016). The victims of this include Deutsche Telekom (Kan, 2016), TalkTalk (Thomson Reuters,
2016), and Krebs on Security (Woolf, 2016; Krebs, 2016). These attacks and the bot army
brought to light the lack of strict guidance and security to IoT. There has not been a rush to have
security applied here. Over time this has been shown to be a higher priority project. The lack of
a standard mandated to be applied has only further worsened the InfoSec environment. If there
were to be a standard in place, the number and intensity of these DDoS would be substantially
lower.
Bio-Medical Devices
These are medical devices implanted into or onto the human body and connected electrically. In
this instance, the bio-medical equipment communicates to another unit certain data. The
connected devices have a rather direct and overt impact on human life.
Security has been likewise applied to these devices, as with the IoT, in a rather haphazard
manner. This is a clear indication that security, a unified set of guidance and standards, and
protocols have not been a primary focus here also. The lack of focus is evidenced by the
number of proof of concept attacks on the medical devices recently that have been in the news.
There are a number of devices that fit well within the definition. With the biomedical devices
having such a vital role in sustaining human life and the liability in the case of an epic equipment
failure, a prudent business and engineering staff should apply a specific security baseline or at
least some form of a minimum standard. This lack of a standard that has to be complied with
shows yet another detriment to society and consumers.
Two recent examples are the pacemaker and diabetic pump. The pacemaker has been shown
to have communication security issues, initially denied however later accepted by the
manufacturer and FDA. There also has been like attacks on diabetic devices focussing on the
communication vector.
Previously Attempted
Although this is a relative new sub-field of IT, there have been attempts to implement a security
framework in the individual disciplines. Although the attempt has been made to implement these
to strengthen the security to at a minimum baseline level, this governance has failed to
effectively govern the relevant parties, and assist these parties to understand and comprehend
the pertinence of these across the respective discipline. There may be varying levels of
implementation, however on average the respective parties within each discipline have not
embraced this.
IoT
With IoT, there has been no governing entity to direct research and which standards should be
followed and applied. The US Department of Homeland Security (DHS). In order to work
towards supplementing this and having a forum of principles to interpret, the DHS released a set
of principles to secure the IoT devices (DHS, 2016; Schumann & Lieberman, 2016). This would
not have been required if a mandated standard had been completed but is only a set of
principles. As these are only designed to be a set of principles, these would not have to be
7 Cyber Warnings E-Magazine – April 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide