Improving the Cybersecurity of IoT, Medical Devices
UL Experts Describe Projects with Government Agencies, Potential Private-Sector Benefits
The Department of Veterans Affairs and the U.S. Defense Advanced Research Projects Agency are working closely with safety certification and consulting firm UL to improve the cybersecurity of internet of things devices as well as medical devices procured by the government. The effort could yield benefits to the private sector as well, two researchers explain in an in-depth joint interview with Information Security Media Group.
"UL is working closely with agencies to ensure that the concepts established within those agencies find a good transition place to make it into industry practice," says Anura Fernando, UL principal engineer for medical systems interoperability and security. "That's fundamentally what we're trying to do with multiple agencies."
As part of its cybersecurity assurance program - which aims to minimize risks by creating standardized testing criteria for software vulnerabilities - UL, formerly Underwriters Laboratories, is working with the U.S. Department of Veterans Affairs on cooperative research and development, Fernando explains.
The work is designed to increase awareness of cybersecurity "across the healthcare space through sharing of the information that we uncover through the research that we're doing [with the VA]," he explains.
The collaboration also aims to "find better ways to standardize procurement of new medical devices in the VA [healthcare facilities], and to make innovative technology more readily available to the veterans ... through that procurement process."
In addition to the VA, the project involves the National Institute of Standards and Technology and the Food and Drug Administration, as well as the Association for the Advancement of Medical Instrumentation, he says. "All of the work that we're doing is really targeting not only improving the cybersecurity posture within the VA, but also to more broadly impact the entire healthcare sector."
The internet of things presents similar cyber challenges, says Ken Modeste, a UL global principal engineer, in the joint interview.
"When you look at the challenges you have with IoT in general, what the industry has been asking for is a way to evaluate and assess the cybersecurity capabilities of IoT trends in the marketplace," he says.
"We have collaborated with DARPA to specifically look at industrial internet of things gateways - so a particular device you put between factory automation and ... a public communication platform, like the internet. We've been doing significant testing on how these products are implemented in factory automation and what are the cybersecurity risks and challenges that come out of these products," Modeste explains.
"We take that data and push it back to standards and capabilities that would revolve around all IoT devices and build mechanisms to evaluate and assess those IoT devices," he says. "Ultimately, the objective is to collaborate with DARPA so that we can eventually produce standard specifications for what you need to do for IoT gateways ... from a cybersecurity perspective."
Third-party assessment programs could then be built to evaluate whether IoT devices meet those specifications, he adds.
"A manufacturer or vendor could build to those specifications and a procurer that's buying that equipment could look for that third-party assessment for some kind of validation or verification."
In the interview, Fernando and Modeste also discuss:
- Details of the medical device work underway with the VA;
- How UL's work with DARPA could yield a standard for internet of things security;
- How cybersecurity in the private sector could benefit from the ongoing research projects.
Fernando is UL's principal engineer for medical systems interoperability and security. He has nearly 20 years of experience at UL with safety-critical software and control systems certification and has also conducted research across multiple application domains. Fernando has also served on several U.S. federal government advisory panels, including the Department of Health and Human Services' Cybersecurity Task Force.
Modeste is the principal technical adviser and subject matter expert for UL's cybersecurity program. In that role, he helped develop UL's series of cybersecurity standards that test network-connectable devices for known vulnerabilities and software security. He previously served as an engineering manager at GE for 12 years.