Just saying there are attacks is not enough.
Dave Bittner: Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Tom Mahler: I have been researching this area for three to four years. At the beginning, I started investigating the entire field of medical devices, and specifically medical imaging devices.
Dave Bittner: That's Tom Mahler. He's a researcher at Ben-Gurion University. The research we're discussing today is titled, "A Dual-Layer Architecture for the Protection of Medical Devices from Anomalous Instructions."
Tom Mahler: As you know, this area is very much unattended and there are a lot of problems in it, and I did research that laid out about twenty-three different attacks on medical imaging devices. This was the initial research I did on this topic. Then, once we discovered the different vectors of attacks, I also wanted to try to find a solution to these attacks, because just saying that there are attacks is not enough. I wanted also to try to find solutions. So this is one of the solutions that can be applied to protect from a wide range of attacks.
Dave Bittner: Well, before we dig into your research, can you give us an overview of what sort of things are we dealing with with these devices? What kind of devices are we talking about, and what are some of the concerns?
Tom Mahler: Medical imaging devices – well, you can take the approach that I presented to other medical devices as well – but if we're talking about medical imaging devices, these are CTs, MRIs, ultrasounds, and such devices, which have an architecture which I presented – I can also send you their presentation if you want – they have some sort of host-control PC that controls the medical device and sends instructions to the actual medical device.
Tom Mahler: So, if you're thinking of a CT device – so, I don't know if you have ever been in a CT device, a CT scanner, but basically you have the control room where a technician sits and configures the exam, and then the patient is placed on a mechanical bed that is moving through the scanning – through the scanning procedure. And the scanner rotates or does some different things depending on the technology. For example, CT uses x-ray radiation to scan the patients, MRI uses magnetic resonance to scan the patient, and ultrasound uses ultrasonic waves. But you can also think of other devices, such as radiotherapy devices or a robotic surgery or basically any medical device that has a controlling PC.
Tom Mahler: So, it's not – if you're thinking of heart-rate monitors or cardiovascular implanted devices, it's not exactly this kind of device. I'm talking about bigger devices that have some controlling interface. This is important for the architecture.
Dave Bittner: Now, what kind of communications typically goes on between that controlling device and the scanning hardware?
Tom Mahler: This varies significantly between different manufacturers and different devices. For example, in the CT device – this is where we tested our idea – they have a CAN bus network, which is similar to what you have in cars. You know the CAN connection?
Dave Bittner: Yeah, yeah.
Tom Mahler: C-A-N, yeah. So, it's just the same connection you have in the car or in other industrial control systems. So this is just a regular input, but it doesn't really matter, because even if you have an Ethernet connection or even if you have a Wi-Fi connection, it doesn't matter because – I'll get into it in a few moments – but our idea is to monitor the traffic between this host control and the device. So usually, from what I saw in CT devices and MRIs, we're talking about CAN bus connections, but it can also be used when you have Ethernet connections, normal LAN connections, or if you have some other Wi-Fi or even Bluetooth connections.
Dave Bittner: I guess the question I'm getting at is, in one of these devices, let's say that the technician who's operating the device sends a command to the device, you know, to – just make something up here, you know, set the power level to ten. Is there some sort of back-and-forth between the device and the control computer that says – where the computer says, hey, set this to ten. The device says, you know, got that, ten, do you really mean ten? And the control says, yes, ten. Do you know what I mean?
Tom Mahler: Yeah, yeah. Well, this is an excellent question. And let me give you a little bit more background. So, the device, at least in CT devices, once the technician configures the scan, then the device sends all the instructions at once. In a CT device, it's called a gantry. A gantry is the physical scanner that the patient is – the patient sits into it. So this is called the gantry. So the host PC sends the instructions to the gantry. Now, these instructions are complete with all the information that it needs to do the scan. There is no really back-and-forth. There are some things that are back-and-forth, but not in the way that you mentioned. I mean, there is not a lot of validation.
Dave Bittner: Hmm.
Tom Mahler: I'll say what validations exist and what doesn't exist. The validations that exist are validations that are concerned with safety. So, you know, medical devices need to pass a lot of regulations and tests. So, they pass safety tests that check that there isn't too much high radiation, or like you say, too high power. But the important thing is that since these devices are used for a wide range of different scans, so within the safe – and I say safe in quotes – within the safe margin of the allowed radiation or allowed movement, there is still a lot of gap. So let's say a big patient with a heavy weight is being scanned. He can be scanned in the same device where a child which weighs much less is scanned. So it's the same scanner and it can take care of both patients. So, of course, the heavier patient will get more radiation. So if you take the maximum safe radiation and put it into a child, this is not so safe. You see what I'm saying?
Dave Bittner: Yeah, absolutely.
Tom Mahler: And another thing is that there is no validation for the question, is this instruction fit or matches this specific patient? But the only one who knows all the profile of the patient – let's say his gender, his weight – the only one who knows it is the technician, and he needs to configure the exam. So the device itself doesn't make this validation. The device doesn't know which patient is being scanned. So this opens up a lot of different attacks. And also, I want to add that a lot of attacks come from different sources. So we know that there are a lot of network attacks – like, the WannaCry attack propagated through the network and infected device after device. The WannaCry attack is very important in the medical device because it's one of the biggest attacks that actually affected medical devices. So this is like a very big event here.
Tom Mahler: And I know that there are different companies who offer network-based solutions, so they can scan the network. They can – you can put a firewall. You can maybe try to do the IoT discoverability. You know, these kind of things, right?
Dave Bittner: Right.
Tom Mahler: Yeah. So this means that you can monitor the network, but the host PC itself is a very, very closed system. So it's still a Windows PC, a normal Windows PC, but they can't really install endpoint security or even install updates to the computer. Because let's say a CT device comes in one piece. It comes with the host and with the gantry and with all the servers – they're all supplied by the manufacturer, and they have all passed all these rigorous validation regulations that I mentioned regarding the safety. So, if you install an update, the manufacturer must make sure that this update didn't interfere with any other thing that may compromise the device and may cause damage to the patient, even if it's just a security update.
Dave Bittner: Yeah, well, let's dig into your research here. I mean, you're talking about a dual-layer architecture. Describe to us – what was your approach?
Tom Mahler: So, our approach was that you can protect the network, as I mentioned just now, you can protect the endpoint. But there is only a certain amount of protection that you can do on the endpoint, because, as I said, you can't install a lot of things on the endpoint. So our approach is to put the protection system outside of the host control PC, and even outside of the entire CT ecosystem or medical device ecosystem. And we are connected from one side to the host PC and from the other side to the gantry. So, you can think of us as a – like a Wireshark sniffer, but we are doing, of course, this analysis that I will mention in a few minutes. But we are monitoring the traffic, and our approach doesn't require any change to the existing device.
Tom Mahler: So if you own a CT and you want to make it secure, you don't need to install anything on the network. You don't need to install anything on the PC itself. You can just take our solution, which is like a black box. You plug it in from one side to the host control – to the output of the host control. This output is supposed to go to the gantry. So instead of connecting to the gantry, you connect it to our box. And then from the other side, our box connects to the gantry. And this way we can monitor all the traffic that passes through.
Tom Mahler: Now, I will explain, of course, the method later, but it's important to know that – to understand that it doesn't matter where the attack came from. So you can maybe do a network-based attack scenario or you can insert some kind of USB – a malicious USB – to the host itself, or it can even be a simple human error. We catch all these kind of things and you can't overpass our system. Because it doesn't protect us from all kinds of attacks, but it protects from a very big portion of attacks.
Tom Mahler: So, if an attacker tries to – like you asked at the beginning of the interview – you asked if he takes the power level, let's say, to ten, or the radiation level and multiply the radiation level by one-hundred. So the result of such an attack will be an instruction with too much radiation, and we catch this instruction by using AI methods, we can learn what are normal instructions and what are anomalous instructions, and then detect these anomalous instructions.
Dave Bittner: Well, describe to us the part of your approach here that's utilizing artificial intelligence.
Tom Mahler: Yeah. So this is the dual-layer. And why dual-layer? Because we have two different layers who are aimed at protecting two different kinds of anomalies. So the first layer is the unsupervised, context-free layer. And this layer is using unsupervised anomaly-detection algorithms. And we use different kinds of algorithms such as isolation forest and KNN, k-nearest neighbors, one-class SVM, and a different combination of these algorithms using an ensemble technique – an ensemble average technique.
Tom Mahler: And we recorded about, I think, eight-thousand or maybe more instructions from a real CT device. We did a collaboration with a manufacturer and in a hospital, and we recorded over eight-thousand instructions from a CT device. And then we – the first unsupervised layer is learning these instructions and trying to find anomalies which are, let's say, out of the normal distribution of instructions. So, if they are very weird instructions, for example, a very, very high radiation that was never sent before or a very weird combination of parameters that doesn't make sense because they were never sent like this before. And this is the first layer. So the first layer tries to detect very, very strange instructions.
Tom Mahler: And the second layer is the context-sensitive layer, which uses supervised classification to take the instruction and try to learn instructions with the context of the patient being scanned and the context of the clinical objective for the scan.
Dave Bittner: Hmm.
Tom Mahler: So this is the second layer, tries to detect instructions, like I explained at the beginning of, let's say, an adult being scanned while the actual patient is a child. So, we wanted to also learn the instruction with the context of the patient being scanned. This is why we have these two layers.
Tom Mahler: And I just want to say two things about the data itself. So as I said, we collected over eight-thousand instructions and they contain over two-hundred different parameters. So this is a lot of information of the scans. Now, the second thing I want to add about data is about the anomalies. So, you can think of how we actually tested this idea, because it's not easy to record data at all. It took us over one-and-a-half years to collect this data because each time we have to go to the hospital and physically connect to the device. And it's not like they allow us to come whenever we want and plug a USB and download everything...
Dave Bittner: (Laughs)
Tom Mahler: ...There is a certain procedure here. So it took us a lot of time. And the anomalies were even harder because, first of all, the hospital didn't allow at all for us to try to record manual instructions on our own. So we had to collaborate with the manufacturer of the CT devices to try to – we went to their development center and we brought a certified technician, which sat on a development CT – a real CT, but which is being used for doing development. And we asked this technician to try on purpose to generate malicious instructions, like the maximum amount of level you could think of, or move the engines as fast as the device can. So this is one kind of anomalies which we call manual anomalies, which we recorded. We were able to record about sixty such anomalies.
Tom Mahler: As you can imagine, this is quite a long procedure. It took us several days each time. It's a slow procedure, because each time the CT device actually does this instruction. And at a certain point, the manufacturer told us that he doesn't like this, we are moving the rotor, the motors so fast, because he's afraid that the development CT will break...
Dave Bittner: (Laughs)
Tom Mahler: ...So we had to stop with these kind of instructions. But at least the radiation, the maximum radiation was OK. And also we had another set of malicious instructions, which we – by chance, we caught certain instructions that were – we recorded them during a maintenance procedure. So at a certain month, this manufacturer came to the hospital that we worked with and did some calibration and testing on the device – normal maintenance. But of course, a patient shouldn't be present during these maintenance instructions. So we also recorded them and inserted them into our anomaly set.
Dave Bittner: You know, it strikes me that this could be useful to the manufacturer as well, because it could help them detect bugs and errors in their own system.
Tom Mahler: Yes, yes, of course. And for them, it could be useful for much more. First of all, for cybersecurity, of course. This is why this manufacturer really liked our idea, because he said that it's very easy to implement. He doesn't need to install anything. It's just plug-and-play. Just take this black box, put it in this device, and it makes this device more safe.
Tom Mahler: And another thing, it can help them not only learn – not only detect errors, but also learn, you know, like, business intelligence. For example, how many scans of certain types were done on this specific device? And then they can say that – let's say a specific CT scanner did a lot of head scans. And let's say these head scans highly affect certain parts of the device. And because this device did a lot of head tests, then it needs to keep in maintenance of certain x-ray tubes. So this is also something that could be very interesting for the manufacturers.
Dave Bittner: It strikes me, too, that this could be very useful for something like an infusion pump. You know, I'm thinking about just preventing medical errors, and as you say, being able to gather data about, when errors do happen, what are the circumstances under which they occur?
Tom Mahler: Yeah, yeah, I think so as well. And this is why I think what really helps here is the second, context-sensitive layer of this dual-layer architecture, because adding the context to the instructions, they don't do it. I mean, the manufacturers simply send instructions without any context. So if you add the insights you know about the context, you can really do a lot of interesting things also in terms of optimization, optimizing the instructions to better fit this specific patient being scanned, not just any patient being scanned.
Dave Bittner: Are there any concerns with, for example, latency or availability? If, you know, the ability for these machines to connect to the device that you all have designed here, is there a potential for it to slow things down? Or, for example, if your system goes down for some reason, can the hospital still bypass it?
Tom Mahler: If our system fails, then the hospital can always revert to the current situation that he has today without our system. So if there is a problem, you can just unplug our system, plug the host directly to the gantry, and everything works the same. So this won't cause any problems.
Tom Mahler: In terms of latency, from what we saw, analyzing one instruction is a matter of milliseconds. So I don't think it would cause a slowdown to the procedure itself. And also you can apply on the instructions simultaneously while the device begins its operation. A CT scan is not something that takes a millisecond. It's a procedure that takes, let's say, even one or two or three minutes. So if you discover an anomaly after two or three seconds and you give the alert so the technician can stop the device immediately, and no damage would be done, because two or three seconds, even at the highest radiation, won't cause any problem. Now, we also want to add, in the future, explanation to the system, which will also explain the anomalies and not just alert them. Regarding the explanation, I think here would be maybe a bit more latency because the explanation process is more slow, but we are not there yet.
Dave Bittner: Our thanks to Tom Mahler from Ben-Gurion University for joining us. The research is titled, "A Dual-Layer Architecture for the Protection of Medical Devices from Anomalous Instructions." We'll have a link in the show notes.
Dave Bittner: The CyberWire Research Saturday is proudly produced in Maryland out of the startup Studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.