Cybersecurity vulnerabilities in devices and systems are usually oversights or mistakes. They can exist in hardware, software, and firmware. In complex systems, there may be hundreds or thousands of such vulnerabilities. In the embedded hardware and software of medical devices, they may be fewer, but their potential for damage or loss may be just as great. Vendors of these devices and systems find some of the vulnerabilities and offer corrections (software patches, firmware or hardware upgrades). Other vulnerabilities may be missed by vendors, but discovered by others, including bad actors.
Our company actively seeks out vulnerabilities in medical devices and facility-related control systems. The research we carry out not only expands our knowledge of cybersecurity in this area, but also lets us preempt more threats for our customers.
When we find vulnerabilities, we assess them, make sure we can reproduce them, investigate them to learn as much as we can about their underlying cause, and then record them. The document describing the vulnerability can then be used to construct a defense against it, detect it, and fix it. By comparing new vulnerabilities with our knowledge of customer installations and deployments, we can proactively mitigate or remediate risks for the organizations concerned.