"Security Researchers Expose Bug In Medical System"

ICS-CERT now handling medical device vulnerability alerts in addition to SCADA/ICS vulnerabilities

Source: Security Dark Reading, 17.01.13

A pair of researchers best known for poking holes in industrial control systems (ICS) products found that medical devices suffer similar security woes after they were able to easily hack into a Philips medical information management system that directly interfaces with X-ray machines and other medical devices.

Turns out there is some overlap vendor-wise with electronic medical devices and ICS products. Siemens, Philips, Honeywell, and GE all provide products to both industries. The system and other medical device security problems mirror some of the same types of shortcomings Rios and McCorkle have seen firsthand with ICS products, the researchers say.

"They don't change their habits. The mentality we see and the attitudes are exactly the same" when it comes to security, Rios said.

McCorkle decided to dig deeper and see how the medical industry itself was handling security. He took a crack at an iPad app used by doctors to monitor their patients. Aside from the big no-no of using RDP to connect from the iPad to a host over the Internet, the app also offers a demo account via the App Store. "So they are sharing accounts. That tells me that they do not have that security mindset," McCorkle said.

A very interesting article with some important pointers. The role of security as a quality attribute is still not taken nearly seriously enough. The problems run across all industries. That raises the question of why things should be any different in the smart grid / smart meter domain, especially when the same or similar market players are involved.

And once again, let it be noted here: there is no other infrastructure where there is only a single network and where, at the same time, all other infrastructures and our entire society depend so fundamentally on the availability of that system, the electricity supply! Handling this system carelessly is therefore grossly negligent.