Cybersecurity is more than a buzzword—it’s a crucially important subject in today’s increasingly digital world. While cybersecurity lapses in consumer products can spur dystopian headlines (for example, the Amazon Echo that recorded a family’s private conversation and sent it to a random person in their contacts), in safety-critical applications, these vulnerabilities can have even more dire consequences. Picture the autonomous flight system of a commercial jet being commandeered by hackers—a very real and very troubling possibility.
So what can we do to prevent these issues before they occur?
Luckily, cybersecurity risks have been around long enough that regulators can adapt and issue guidance. When implementing a cybersecurity plan for your application, two distinct types of protections must be made: Performance Protection and Information Protection.
In the context of cybersecurity, performance protection means protecting the device from being hacked to perform a function outside of its intended use. The theoretical plane hijacking I described above would fall into this category.
Security-specific standards such as IEC 80001 for medical devices and DO-326 & 356 for aerospace outline the measures that should be taken in order to protect a device from nefarious actors. These measures include:
- Requiring user authentication (eg. login credentials, two-factor authentication) to access the device. In some cases, it may be prudent to assign roles to these users, restricting access to some functions and data based on the role
- Implementation of features to detect and respond to security breaches
- “Locking Down” critical functionality when alerted to a potential cyberattack, preventing hackers from doing potential harm
These standards work in harmony with standards related to risk management or overall design considerations, such as IEC 62304, 62443 and ISO 14971 for medical devices, or DO-178C for aerospace applications.
While protecting the functionality of a safety-critical software application is paramount, equal importance must be placed on data security—especially in defense products or medical devices subject to HIPAA or GDPR regulations.
For example, in 2017, the UK’s National Health Service (NHS) was crippled by a devastating ransomware attack. This attack locked up to 70,000 devices in the UK alone, forcing many non-essential surgeries to be postponed and ambulances to be rerouted as care providers were unable to access necessary medical records.
Above and beyond the scope of the standards above, information protection must be implemented on a larger scale, as any network vulnerabilities can expose connected devices to unforeseen risk.
Standards such as ISO/IEC 27000 outline steps your organization can take to protect sensitive data from falling into the wrong hands.
It is important to note that cybersecurity is not a “set it and forget it” type of policy. In the NHS attack, many affected devices were running 15-year-old operating systems that were no longer supported or updated by Microsoft. Devices (especially devices connected to the internet) must be maintained to counter the latest threats through security patches and other updates as necessary.
Security is an inherent risk in any software application, and regulators want to see that you have identified potential risks and have taken measures to mitigate or eliminate them. For example, FDA 510(k) Premarket Notifications require:
- Identification of assets, threats, and vulnerabilities
- Assessment of the impact of threats and vulnerabilities on device functionality and end users/patients
- Assessment of the likelihood of a threat and of a vulnerability being exploited
- Determination of risk levels and suitable mitigation strategies
- Assessment of residual risk and risk acceptance criteria
Critically, regulators note that they will not validate your security plan for you—they simply want to ensure that you took this risk into account during your design process.
Unfortunately, this means that many vulnerabilities aren’t discovered until they are exposed in the field. Manufacturers must ensure that once a product is on the market, it remains safe. To facilitate the ability to implement security upgrades quickly, the FDA does not require any type of clearance for patches that strengthen device security but don’t impact the functionality in any way.
We hope that this post helps provide some insight into cybersecurity for safety-critical software applications. If you require any further clarification, or for assistance in developing your own cybersecurity plan, Contact Us or call (860) 282-2900 today.