    Ripple 20 caused a "big stir" industry and regulators how to deal with it?

    • Last Update: 2020-08-03
    • Source: Internet
    • Author: User
    The Ripple20 vulnerabilities, disclosed in June this year, affect a large part of the Internet of Things: printers, infusion pumps, insulin pumps, smart-home devices, industrial control (ICS) equipment and more are all potentially exposed.
    If such risks cannot be avoided, how should industry, healthcare providers and regulators respond? In June, JSOF, an Israeli information security consultancy, revealed that it had identified 19 vulnerabilities, four of them critical, in the embedded TCP/IP stack developed by Treck.
    JSOF named the set of vulnerabilities Ripple20.
    Because Treck's stack is licensed to many customers, including HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar and Baxter, hundreds of millions or more connected devices worldwide could be affected.
    Treck developed the embedded TCP/IP library in the 1990s together with Japan's Elmic Systems (later renamed Zuken Elmic).
    Zuken Elmic's version of the stack dominates the Asian market, and some of the vulnerabilities JSOF discovered are also present in the TCP/IP stack sold by Zuken Elmic.
    Do you know what is inside your devices? The widespread use of third-party software in medical devices leaves patients exposed to cybersecurity threats if that software is not well understood.
    The COVID-19 pandemic has made this long-standing problem more urgent: telemedicine and remote patient monitoring have grown sharply, and the associated risks grow with them.
    Regulators and industry experts warn that hospitals and other healthcare providers cannot effectively protect devices from attack without a clear understanding of the components inside them. Chris Gates, chief security architect at Houston-based Velentium,
    says that many device manufacturers and users often do not know whether their devices are affected by a newly discovered vulnerability.
    Such a risk must not be left unaddressed.
    Last month, vulnerabilities were found in the widely used TCP/IP library from Treck, a third-party software vendor whose code is used in Baxter and B. Braun infusion pumps.
    An attacker exploiting such flaws could potentially take remote control of a device and alter the drug dosage.
    Baxter assessed the vulnerabilities as low-risk or "controlled" threats under the FDA's cybersecurity guidance,
    and B. Braun said it was working to patch the vulnerable source code.
    Better late than never. According to the U.S. Department of Commerce's National Telecommunications and Information Administration (NTIA), most device software, including modules and communication libraries, does not contain known Ripple20 vulnerabilities, but some products ship with vulnerable or outdated components that may never be updated.
    To address this, in July 2018 NTIA launched a multi-stakeholder initiative to improve software component transparency across several industries, including medical technology, by standardizing how component data is shared so that users can better understand what is actually running on their networks. "Software is built from smaller software modules," Dr. Allan Friedman, director of cybersecurity initiatives at NTIA,
    said in an interview with medical trade media, but visibility into those modules is poor across the supply chain, which is a problem from a security perspective.
    After consulting with the medical technology industry, NTIA in November 2019 published the first set of stakeholder-drafted documents, intended as a preliminary guide to the proposed Software Bill of Materials (SBOM): a machine-readable list of the third-party components, or "ingredients", contained in the device under review.
    Dr. Friedman said: "The hardest, most expensive and most valuable part of security research is trying to identify the affected devices whenever there is a new vulnerability.
    For Ripple20, if everyone had a software bill of materials (SBOM), identifying the risk would be a few key steps.
    Once you have these tools, you can make decisions based on the specific risks and exposure that you have determined."
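    As an added example of the identification step Dr. Friedman describes (this is not code from the article, NTIA, JSOF or any device vendor), the Python script below triages a small device inventory against an advisory using machine-readable SBOMs in a CycloneDX-like JSON shape. The devices, their SBOMs and the component versions are constructed sample data, and the advisory record (the component name aliases and the fixed-version threshold `6.0.1.67`) is an assumed placeholder rather than the real Ripple20 advisory data; take real values from the vendor's advisory.

```python
"""Triage a device inventory against a vulnerability advisory using SBOMs.

Added example, not code from the article, NTIA or JSOF. The SBOMs below
are constructed CycloneDX-style JSON for fictional devices, and the
advisory record (component aliases, fixed version) is an assumed
placeholder rather than the real Ripple20 data.
"""
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    """Component names as they might appear in SBOMs, plus the first fixed version."""
    component_names: tuple
    fixed_in: str


# ASSUMED placeholder values for illustration only; take real thresholds
# and component names from the vendor advisory.
ADVISORY = Advisory(
    component_names=("Treck TCP/IP", "Zuken Elmic TCP/IP"),
    fixed_in="6.0.1.67",
)


def make_sbom(device: str, device_version: str, components: list) -> str:
    """Build a minimal CycloneDX-shaped SBOM document (constructed sample data)."""
    return json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "metadata": {"component": {"type": "device", "name": device,
                                   "version": device_version}},
        "components": [{"type": "library", "name": name, "version": version}
                       for name, version in components],
    })


# Constructed inventory: device name -> SBOM JSON, or None when the vendor
# never supplied one.
INVENTORY = {
    "infusion-pump-A": make_sbom("infusion-pump-A", "3.2",
                                 [("Treck TCP/IP", "6.0.1.60"), ("zlib", "1.2.11")]),
    "printer-B": make_sbom("printer-B", "1.0", [("Treck TCP/IP", "6.0.1.70")]),
    # Lexically "6.0.1.9" > "6.0.1.67"; numerically it is older and vulnerable.
    "gateway-C": make_sbom("gateway-C", "2.1", [("treck tcp/ip", "6.0.1.9")]),
    "monitor-D": None,
}


def parse_version(version: str) -> tuple:
    """Turn '6.0.1.66' into (6, 0, 1, 66) so comparisons are numeric, not lexical."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


def triage_device(sbom_json, advisory: Advisory) -> str:
    """Return 'affected', 'not affected' or an 'unknown: ...' status for one device."""
    if sbom_json is None:
        return "unknown: no SBOM"
    sbom = json.loads(sbom_json)
    wanted = {name.lower() for name in advisory.component_names}
    fixed = parse_version(advisory.fixed_in)
    unknown_reason = None
    for comp in sbom.get("components", []):
        if comp.get("name", "").lower() not in wanted:
            continue
        version = comp.get("version")
        if not version:
            unknown_reason = "unknown: component listed without version"
            continue
        if parse_version(version) < fixed:
            return "affected"  # any vulnerable copy decides the verdict
    # A component absent from the SBOM is reported clean: the result is only
    # as good as the SBOM's depth.
    return unknown_reason or "not affected"


def triage_inventory(inventory: dict, advisory: Advisory) -> dict:
    """Map every device in the inventory to its triage status."""
    return {device: triage_device(sbom, advisory)
            for device, sbom in inventory.items()}


if __name__ == "__main__":
    for device, status in triage_inventory(INVENTORY, ADVISORY).items():
        print(f"{device}: {status}")
```

    Two details matter in practice. Version comparison must be numeric: the constructed gateway running "6.0.1.9" sorts after "6.0.1.67" as a string but is older and therefore flagged. And a device with no SBOM comes out as "unknown" rather than clean, which is exactly the state Chris Gates describes: a device you cannot assess is not a device you can clear. The verdict is also only as good as the SBOM's depth; a stack that a supplier omitted from the document is reported as "not affected".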
    The medical device industry has been a leader in NTIA's SBOM program, even though healthcare has traditionally been "not at the forefront of cybersecurity," says Dr. Friedman.
    He admits that while the industry was initially "skeptical" about the viability of software bills of materials (SBOM), there has been no shortage of "real awakenings".
    When the idea of a software bill of materials (SBOM) was first proposed, it was not as widely accepted as it is now.
    In the 2019 healthcare proof-of-concept work, medical technology companies such as Abbott, Medtronic, Philips and Siemens Healthcare worked with healthcare delivery organizations such as Cedars-Sinai, Mayo Clinic and New York-Presbyterian Hospital to identify key operational and cyber risks associated with medical devices.
    The device manufacturers and healthcare providers involved demonstrated the feasibility of SBOM by generating, sharing and using the data to improve security practices in predefined use cases.
    Dr. Friedman believes the first exercise was a success, but it also revealed some of the obstacles that large-scale adoption may face.
    One conclusion of the final proof-of-concept report is that the standard SBOM format should be industry-neutral.
    NTIA's ultimate vision for SBOM is to help create ecosystem-wide solutions that are not just for the healthcare industry. "Actually, everyone is using the same underlying software," says Dr. Friedman.
    As part of the NTIA-led program, the stakeholder working group will continue to refine the Software Bill of Materials (SBOM) specification in 2020.
    This year's second healthcare proof-of-concept involves more medical technology companies, including Thermo Fisher Scientific, as well as health systems such as the Cleveland Clinic and Massachusetts General Hospital.
    It will focus on support for third-party services from device manufacturers and hospitals, and on the need to automate the exercise at scale.
    The FDA's published Medical Device Safety Action Plan makes clear that medical technology vendors need to produce a Software Bill of Materials (SBOM): "SBOM must be provided to the FDA as part of premarket submissions and made available to medical device customers and users so that they can better manage their connected devices and be aware of which devices in their inventory or in use may be subject to vulnerabilities."
    According to Dr. Friedman, the FDA took the same position, saying it would not define the standard itself but wanted the medical device industry to take part in the broad cross-industry initiative started by NTIA. Chris Gates, chief security architect at Velentium, a member of the
    Software Bill of Materials (SBOM) program, believes that despite FDA support there is still a long way to go to provide software transparency for new medical devices and ultimately make it easy to know exactly which devices are affected by vulnerabilities such as Ripple20 and what targeted measures need to be taken.