SlideShare a Scribd company logo

Secure-by-Design Using Hardware and Software Protection for FDA Compliance

ICS
ICS

The document discusses the importance of secure-by-design practices in medical device cybersecurity, emphasizing compliance with FDA regulations and protecting sensitive data throughout the product lifecycle. It outlines the roles of various organizations in providing secure platforms and tools for device manufacturers and highlights essential security features and frameworks needed for adherence to regulations. Key processes such as threat modeling, risk assessment, and ongoing security evaluations are advocated to prevent vulnerabilities in increasingly complex medical devices.

Software
1 of 34
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
TEEs & FDA [title tdb] Secure-by-Design Using Hardware and Software Protection for FDA Compliance
About Us 2 Trustonic Secure Platform provides a certified solution for the storage and management of security or privacy sensitive data. This can be used to protect cryptographic keys and patient information ensuring devices use best in class security. It can also be used to provide defense in depth to protect other systems, such as secure communications or intrusion detection, and enable secure manufacture and tracking of devices throughout their lifecycle. BG Networks equips embedded engineers and penetration testers with easy-to- use software automation tools to streamline cybersecurity tasks including hardening, detection, and testing. BG Networks automation tools are designed to help with adherence to regulations from the FDA, NIST, ISO, and the EU. ICS supports our customers with software development, User experience design, platform and regulatory support to build next generation products. We provide a number of services focused on the medtech space including human factors engineering with a 62366 compliant process, hazard and risk analysis, 62304 compliant software development, and platform support including cybersecurity. Cybersecurity Services Cyber-Testing & Detection Trusted Execution Environments
Speaker Introductions 3 Chief Strategy and Innovations Officer for Secure Platform Founder & CEO Director of Medical Programs & Cybersecurity
Cybersecurity in Medical Devices: Practical Advice for FDA’s 510(k) Requirements Webinar Series 1. On Demand Practical Advice for FDA’s 510(k) Requirements 2. On Demand Secure-by-Design - Using Hardware and Software Protection for FDA Compliance 3. Today Secure-by-Design - Using Hardware and Software Protection for FDA Compliance 4. September (TBC) Threat modeling and risk assessment – First step in risk management 5. Defense-In-Depth – Security control categories called for by the FDA 6. Cyber-testing – What the FDA expects 7. Cybersecurity documentation - eSTAR submissions 8. Post Market Requirements – Fixing Vulnerabilities: SBOM – Updates - Monitoring 9. Bolting On Security – Is there anything that can be done if I already have a design 4
Questions For Us - A Question For You – Link to Previous Webinar Questions for us • Put your questions in the Q&A • For questions we don’t get to, we’ll write answers and make them available after A question for you to keep in mind as we’ll ask it at the end FDA expects the level of security in a medical device scales with risk. What cyber-threats, the drivers of risk, are you most concerned about, and do you see your devices facing? For reference here is the previous webinar in this series and the answers to questions asked • Link to previous webinar: https://www.ics.com/webinar-demand-practical-advice-fdas-510k- requirements • Link to previous Q&A: https://www.ics.com/questions-answers-fdas-510k-requirements-webinar • We’ll put both in the chat 5
Devices are increasingly complex and network connected, so open to increasing risks Often, they are based on standard software and hardware platforms. Secure-by-Design means starting cybersecurity at the beginning. By starting at the beginning, gaps in security can be avoided, security features in hardware/software leveraged, and FDA expectations met.
7 Cybersecurity is Part of Device Safety and the Quality System Regulation
8 Secure Product Development Framework (SPDF) Covers the Total Product Lifecycle (TPLC) – The FDA is Very Clear Secure-by-Design means consider cybersecurity from the beginning A threat model and risk assessment should be done at the start, leading to a technical specification of security features to be implemented BG Networks and ICS are offering a Secure Product Development Framework System & Services SPDF includes manual, 25 procedures, 25 templates (including all needed for FDA premarket submission)
Authentication Confidentiality Data, Code, Execution Integrity Event Detection and Logging Resiliency and Recovery Updates Patches (& SBOMs) DM-Crypt Crypto. Accel. Secure Boot Secure Key Storage OS CPU MPU TPM TripWire Secure JTAG Authorization IDS Software Updates TEE Trust Zone SOFTWARE User Authentication Privilege Management FDA’s Eight Security Control Categories Possible Ways to Implement Using Processor Hardware & Commonly Used Software DM-Verity, DM-Integrity IDS TEE Hardware Root of Trust TLS/ OpenSSL Crypto FDA’s Eight Security Control Categories Possible Ways to Implement Using Processor Hardware & Commonly Used Software
Building a device • The platform is the boring but necessary bit to support your device. • Software platforms never stop changing • More software (from more places) also means more vulnerabilities Potentially huge number of sources of code & vulnerabilities Platforms are ripe for attack – and you need to defend them
Two broad classes of device Microcontroller / System on a Chip* Microprocessor / System on a Module Single chip for compute/ram/storage/… Arm Cortex-M Separate chips for compute/ram/storage/… Arm Cortex-A
Same security needs, but different scale Limited range of software. no OS / Zephyr / FreeRTOS Often embedded peripherals (e.g. Bluetooth) Limited choice of software often provided with chip Less software means fewer vulnerabilities (typically) Lots of software choices. Android or Linux + ‘extras’ More peripheral choice (if you build your own board) Lots of 3rd party and open- source software Volume of software means vulnerabilities are inevitable Microcontroller / M-Class Microprocessor / A-Class
Steps to security Basic Hygiene Isolation Monitoring … Obvious stuff people get wrong all the time Protect the important stuff Keeping an eye on the device. Software updates Device Lifecycle …
Modern SOC/SOBs have an overwhelming set of security features An example (i.MX 8/9) 1. Secure Boot / Encrypted Boot 2. Cryptographic Accelerator 3. Key Storage 4. Unique Device Identification 5. Security Monitoring (Tamper) 6. Processor & IO Locking (Debug) 7. TrustZone (TEE support) NXP i.MX 8/9 Security Architecture Source: NXP, What is the EdgeLock Secure Enclave 4 2 1 3 5 6 7 Platform Security Lockdown Application Security 1 2 3 4 5 6 7
Basic Hygiene Secure Boot and Image Signature Verification during update are CRITICAL to ensure the bad guys can’t “reflash” your device Modern devices all have decent secure boot But security makes life hard for developers And there is usually a side door… Put it place processes to ensure security is real not imagined. Debug ports left open, secure boot disabled, debug keys in production, serial access …. 2022-techcon-hacking-for-fun-and- glucose.pdf (ucsd.edu) … there was an unconnected ribbon cable protruding from the main board whose contacts were covered over with polyimide tape. ….it became clear that this was a cable used for debugging that was not disabled or removed when the pumps were shipped out to consumers.
Trusted Execution Environments provide a ‘safe space’ General Purpose Op e ra t ing Syst e m Se c urit y Foc use d Op e ra t ing Syst e m TEE REE
Hardware Security? TrustZone TM is a fe a t ure of a ll Arm a p p lic a t ion p roc e ssors whic h p rovide s ha rdwa re isola t ion a nd p rivile ge d a c c e ss t o se c urit y fe a t ure s. RISC-V p roc e ssors c a n a lso p rovide sim ila r isola t ion whe n p a ire d wit h a syst e m Me m ory Prot e c t ion Unit Arm A -Class processors all support TEEs RISC-V support is nascent
Hardware Security? The TEE Operating System t a ke s a dva nt a ge of t his isola t ion t o p rovide se c ure se rvic e s The TEE is re sp onsib le for se c ure ly b oot ing ot he r op e ra t ing syst e m s… …a nd t he n p roviding se c urit y foc use d se rvic e s for t he m
TEEs in MCUs are far less common, but the principle is the same By dividing the MPU into “se c ure ” a nd “norm a l” zone s, c rit ic a l c ode c a n b e isola t e d a nd p a t ie nt s p rot e c t e d … Create TLS Session Poll Server Decode TCP Packet Decode JSON Flash Lights Report Status Manage Power … Check signature Activate Pump Recent Arm -m processors (M23 & M33) support TEEs, but there are very few offerings today
Use cases for a TEE in Medical Devices 20 There are a number of key areas where security solution can enhance the customer experience & build confidence that their data and mission critical information is secured & protected 20 Patient Data Protecting patient data and information. Can be store in secure database or file store Location Data Ability to keep location - based data secure with embedded security System Protection Support broader system protection software such as IDPS Link to operator Reduce risk of compromised data through connections to a linked device e.g. Bluetooth / Serial Sensors and Biometrics The need to secure critical information e.g. face, voice, iris recognition for security, sensor data for health applications Secure Comms Protect sensitive data uploaded to cloud or server, and validate software and configuration updates sent to device Device Lifecycle Attest to secure manufacture and provisioning. Audit updates Manage change in patient and device recycling
Intrusion Detection System (IDS) For Event Detection • Where does the intrusion detection run: • Host-based: IDS runs on each host device • Network-based: IDS runs on a dedicated device or one device within the network • Cloud-based: IDS runs in the cloud performing analysis on data collected across devices • What is monitored: • Network traffic: IP addresses, ports, protocols, packet inspection, etc. • CPU: Processor utilization, performance counters • Memory: Contents of specific data structures in memory (Flash and RAM) • System: Process execution, system calls, file system accesses, login attempts, etc. • Software: Control flow, function calls, software stack, execution time, etc. • How is detection performed: • Signature: Scan for known vulnerability by looking for predefined signatures thereof • Rules: Define a set of rules allowed behaviors and detect violations of those rules • Anomaly: Define or train a model of normal behavior and detect deviations from model at runtime
Hacking Timeline: Best Case White/gray hat hacker finds & reports vulnerability Device manufacturer develops fix and discloses vulnerability Healthcare providers facilitate fix Updated or replaced device in use by patient Medical device in use by patient
Hacking Timeline: Worst Case Medical device in use by patient Black hat hacker finds vulnerability Publicly disclose first Demand ransom Harm patient Device manufacturer learns of vulnerability after attack
Hacking Timeline: Patients may be vulnerable • Recalls takes time • Time to determine and develop appropriate fix • Time to deploy fix • Months to years • Attackers often have a lead • Can exploit before vulnerability is known by manufactures, regulators, etc. Patients Vulnerable!! Patients Vulnerable!!
Object Detection Source (.c) Compiler (gcc) AnCyR Data Collection (ancyr_shm. c) Object Detection App Monitored Operation s AnCyR Engine Binary Event Stream (.csv) AnCyR Firmware OS App Event Stream (.csv) … Event Stream (.csv) … AnCyR Model AnCyR Training Flexible Anomaly Reporting: Anomaly score indicates the severity. Detailed forensic data identifies affected software tasks and operations. AnCyR Model Training: ML-based training optimizes model accuracy. False positive rate for demo system: 0.00000000198 AnCyR Runtime Anomaly Detection: Detects anomalies in real time. Uses IoT-optimized AI/ML to accurately detect anomalies in software execution Data Collection Agent Training Stat+Prob+ML Analysis & Detection Mode Anomaly Detected! AnCyR AnCyR Model AnCyR App SW OS AnCyR™ Integration: Simple integration of AnCyR™ agent and instrumentation during compilation. No source code modifications. US Patent #11,868,479B2 Example: AnCyR: Anomaly Detection & Cyber-Resilience
Not “Secure-by-Design” How do you know when you’re not “Secure-by-Design”? Contrast with strap-on or retrofitted security • Working with available architecture • Applying point-solutions • Without system-wide analysis • Without contextual analysis for: • Intended-use • User types • Environment of use • Architectural Vulnerabilities • Patient harm 26
Understanding “Secure-by-Design” An integrated set of security features that comprehensively satisfies product security • More secure than the “sum of the parts” • The integration makes the security architectural vs. strap-on • Example: Secure boot; authenticate bootloader with TPM protected keys Systematic analysis • Method that prevents errors of omission • Detailed and specific • Demonstrably complete Security context - Security requirements driven by • Intended use • Environment of use • Risk of patient harm 27 authentication execution integrity resiliency recovery Boot from Multi-Media Card Spoofing Self Signed Authority Roll-back to Unsecure Software Compromised Keys
Systematic Analysis – Water-tight Why Systematic Analysis is important 8 Security Control Categories (Authentication, Authorization, Cryptography, Execution Integrity, Confidentiality, Event Detection and Logging, Resiliency/Recovery, SW Updates) Errors of omission  security leaks SPDF (Secure Product Development Framework) processes that manage leaks • Threat modeling • Risk assessment • Mitigations Documentation burden Seasoned experts benefit from repetition, but,.. • Demonstrating compliance (showing your work) • Requirements  Verification • Architectural Continuity (people following your work) • Detailed, enduring adjudication of device security 28 authentication execution integrity resiliency recovery Boot from unauthorized location OTP Fuses Spoof Self-Signed Authority Root Certificate Authority Compromised keys Key Management System
Risk approach to Secure-by-Design Redundancy & contingency Double hulls  Defense in Depth Bulkheads  Security zones Defense in depth • Detection & Response (IDS) • Layers of encryption Security zones • Different encryption keys • Limited interactions between zones • Isolation of critical systems (TEE) This type of security can’t be retrofitted 29
Requirements Management SBOM Features Dev. Code Quality CI / CD Pre-Production Testing Post-Production Supporting End of Life Competence Development Threat Modeling Risk Assessment Implement cybersecurity features Static analysis, MISRA C, etc.. Generation CWE/CVE check Validation Pentesting Code Signing Release / Delivery Key Management Locking Hardware Vulnerability Monitoring Feedback / Incident Response Software Updates Diagnostic Tools Secure Decommissioning Software Development Lifecycle Security Development Lifecycle Legend 30 Secure-by-Design means consider cybersecurity from the beginning SPDF - Secure by design
SPDF - Secure by design Unpacking Requirements and Features Dev. 31 Requirements Threats Users Environment Security expectation Identify Assess Mitigate Design Specifications Tools Integrate Implement Code quality SBOM Evaluate From the beginning of process enables architectural solutions • TEE (Trusted Execution Environment) • IDS (Intrusion Detection Systems) Lengthy involved process not suitable for retrospective application Requirements Features Dev. Threat Modeling Risk Assessment Implement cybersecurity features
Secure by Design Take-away summary 1. Integrated designs security controls……………………………………………… Structural, architectural, avoids the big gaps 2. Systematic (Threat Modeling, Risk Assessment)………………………… For specific, small leaks 3. At beginning of System Design ……………………………………………….…….. Impractical when retro-fit 32
Poll Question 33 FDA expects the level of security in a medical device scales with risk. What cyber-threats, the drivers of risk, are you most concerned about, and do you see your devices facing?
Thank you

More Related Content

Similar to Secure-by-Design Using Hardware and Software Protection for FDA Compliance (20)

PPTX
CSE_Instructor_Materials_Chapter7.pptx
Mohammad512578
 
PDF
Security framework for connected devices
HCL Technologies
 
PDF
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
Patricia M Watson
 
PDF
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
ICS
 
PDF
Medical Device Cybersecurity Threat & Risk Scoring
ICS
 
PPT
AMI Security 101 - Smart Grid Security East 2011
dma1965
 
PPTX
IoT Cyber+Physical+Social Engineering Attack Security (v0.1.6 / sep2020)
mike parks
 
ODP
Securing control systems v0.4
CrispnCrunch
 
PDF
IRJET- Image Steganography using Pixel Pattern Matching in Cloud Data Sto...
IRJET Journal
 
PDF
Hardware Security on Vehicles
Priyanka Aash
 
PDF
Endpoint Security for Mobile Devices
David Shepherd
 
PPTX
TIG / Infocyte: Proactive Cybersecurity for State and Local Government
Infocyte
 
PDF
Securing Industrial Control System
Hemanth M
 
PDF
The Challenge of Integrating Security Solutions with CI.pdf
Savinder Puri
 
PPT
The 300 Leonidas Solution
matthew.maisel
 
PDF
IoT Security and Privacy Considerations
Kenny Huang Ph.D.
 
PDF
Cisco cybersecurity essentials chapter - 2
Mukesh Chinta
 
PDF
Building a Product Security Practice in a DevOps World
Arun Prabhakar
 
PDF
Navigating the Complexities of IoT Security_ Best Practices
bytesnapinfo
 
PDF
CA_Module_2.pdf
EhabRushdy1
 
CSE_Instructor_Materials_Chapter7.pptx
Mohammad512578
 
Security framework for connected devices
HCL Technologies
 
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
Patricia M Watson
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
ICS
 
Medical Device Cybersecurity Threat & Risk Scoring
ICS
 
AMI Security 101 - Smart Grid Security East 2011
dma1965
 
IoT Cyber+Physical+Social Engineering Attack Security (v0.1.6 / sep2020)
mike parks
 
Securing control systems v0.4
CrispnCrunch
 
IRJET- Image Steganography using Pixel Pattern Matching in Cloud Data Sto...
IRJET Journal
 
Hardware Security on Vehicles
Priyanka Aash
 
Endpoint Security for Mobile Devices
David Shepherd
 
TIG / Infocyte: Proactive Cybersecurity for State and Local Government
Infocyte
 
Securing Industrial Control System
Hemanth M
 
The Challenge of Integrating Security Solutions with CI.pdf
Savinder Puri
 
The 300 Leonidas Solution
matthew.maisel
 
IoT Security and Privacy Considerations
Kenny Huang Ph.D.
 
Cisco cybersecurity essentials chapter - 2
Mukesh Chinta
 
Building a Product Security Practice in a DevOps World
Arun Prabhakar
 
Navigating the Complexities of IoT Security_ Best Practices
bytesnapinfo
 
CA_Module_2.pdf
EhabRushdy1
 

More from ICS (20)

PDF
Porting Qt 5 QML Modules to Qt 6 Webinar
ICS
 
PDF
Exploring Wayland: A Modern Display Server for the Future
ICS
 
PDF
Threat Modeling & Risk Assessment Webinar: A Step-by-Step Example
ICS
 
PDF
Future-Proofing Embedded Device Capabilities with the Qt 6 Plugin Mechanism.pdf
ICS
 
PDF
Choosing an Embedded GUI: Comparative Analysis of UI Frameworks
ICS
 
PDF
Threat Modeling and Risk Assessment Webinar.pdf
ICS
 
PDF
Webinar On-Demand: Using Flutter for Embedded
ICS
 
PDF
Accelerating Development of a Safety-Critical Cobot Welding System with Qt/QM...
ICS
 
PDF
Overcoming CMake Configuration Issues Webinar
ICS
 
PDF
Enhancing Quality and Test in Medical Device Design - Part 2.pdf
ICS
 
PDF
Designing and Managing IoT Devices for Rapid Deployment - Webinar.pdf
ICS
 
PDF
Quality and Test in Medical Device Design - Part 1.pdf
ICS
 
PDF
Creating Digital Twins Using Rapid Development Techniques.pdf
ICS
 
PDF
Secure Your Medical Devices From the Ground Up
ICS
 
PDF
Cybersecurity and Software Updates in Medical Devices.pdf
ICS
 
PDF
MDG Panel - Creating Expert Level GUIs for Complex Medical Devices
ICS
 
PDF
How to Craft a Winning IOT Device Management Solution
ICS
 
PDF
Bridging the Gap Between Development and Regulatory Teams
ICS
 
PDF
IoT Device Fleet Management: Create a Robust Solution with Azure
ICS
 
PDF
Basic Cmake for Qt Users
ICS
 
Porting Qt 5 QML Modules to Qt 6 Webinar
ICS
 
Exploring Wayland: A Modern Display Server for the Future
ICS
 
Threat Modeling & Risk Assessment Webinar: A Step-by-Step Example
ICS
 
Future-Proofing Embedded Device Capabilities with the Qt 6 Plugin Mechanism.pdf
ICS
 
Choosing an Embedded GUI: Comparative Analysis of UI Frameworks
ICS
 
Threat Modeling and Risk Assessment Webinar.pdf
ICS
 
Webinar On-Demand: Using Flutter for Embedded
ICS
 
Accelerating Development of a Safety-Critical Cobot Welding System with Qt/QM...
ICS
 
Overcoming CMake Configuration Issues Webinar
ICS
 
Enhancing Quality and Test in Medical Device Design - Part 2.pdf
ICS
 
Designing and Managing IoT Devices for Rapid Deployment - Webinar.pdf
ICS
 
Quality and Test in Medical Device Design - Part 1.pdf
ICS
 
Creating Digital Twins Using Rapid Development Techniques.pdf
ICS
 
Secure Your Medical Devices From the Ground Up
ICS
 
Cybersecurity and Software Updates in Medical Devices.pdf
ICS
 
MDG Panel - Creating Expert Level GUIs for Complex Medical Devices
ICS
 
How to Craft a Winning IOT Device Management Solution
ICS
 
Bridging the Gap Between Development and Regulatory Teams
ICS
 
IoT Device Fleet Management: Create a Robust Solution with Azure
ICS
 
Basic Cmake for Qt Users
ICS
 
Ad

Recently uploaded (20)

PDF
[Solution] Why Choose the VeryPDF DRM Protector Custom-Built Solution for You...
Lingwen1998
 
PPTX
In From the Cold: Open Source as Part of Mainstream Software Asset Management
Shane Coughlan
 
PDF
Build It, Buy It, or Already Got It? Make Smarter Martech Decisions
bbedford2
 
PDF
Open Chain Q2 Steering Committee Meeting - 2025-06-25
Shane Coughlan
 
PDF
4K Video Downloader Plus Pro Crack for MacOS New Download 2025
bashirkhan333g
 
PPTX
AEM User Group: India Chapter Kickoff Meeting
jennaf3
 
PPTX
Finding Your License Details in IBM SPSS Statistics Version 31.pptx
Version 1 Analytics
 
PPTX
Change Common Properties in IBM SPSS Statistics Version 31.pptx
Version 1 Analytics
 
PPTX
Agentic Automation: Build & Deploy Your First UiPath Agent
klpathrudu
 
PPTX
Tally software_Introduction_Presentation
AditiBansal54083
 
PPTX
OpenChain @ OSS NA - In From the Cold: Open Source as Part of Mainstream Soft...
Shane Coughlan
 
PDF
Top Agile Project Management Tools for Teams in 2025
Orangescrum
 
PDF
MiniTool Partition Wizard Free Crack + Full Free Download 2025
bashirkhan333g
 
PPTX
Why Businesses Are Switching to Open Source Alternatives to Crystal Reports.pptx
Varsha Nayak
 
PDF
Why Businesses Are Switching to Open Source Alternatives to Crystal Reports.pdf
Varsha Nayak
 
PPTX
Hardware(Central Processing Unit ) CU and ALU
RizwanaKalsoom2
 
PDF
IDM Crack with Internet Download Manager 6.42 Build 43 with Patch Latest 2025
bashirkhan333g
 
PDF
Generic or Specific? Making sensible software design decisions
Bert Jan Schrijver
 
PDF
Odoo CRM vs Zoho CRM: Honest Comparison 2025
Odiware Technologies Private Limited
 
PPTX
Tally_Basic_Operations_Presentation.pptx
AditiBansal54083
 
[Solution] Why Choose the VeryPDF DRM Protector Custom-Built Solution for You...
Lingwen1998
 
In From the Cold: Open Source as Part of Mainstream Software Asset Management
Shane Coughlan
 
Build It, Buy It, or Already Got It? Make Smarter Martech Decisions
bbedford2
 
Open Chain Q2 Steering Committee Meeting - 2025-06-25
Shane Coughlan
 
4K Video Downloader Plus Pro Crack for MacOS New Download 2025
bashirkhan333g
 
AEM User Group: India Chapter Kickoff Meeting
jennaf3
 
Finding Your License Details in IBM SPSS Statistics Version 31.pptx
Version 1 Analytics
 
Change Common Properties in IBM SPSS Statistics Version 31.pptx
Version 1 Analytics
 
Agentic Automation: Build & Deploy Your First UiPath Agent
klpathrudu
 
Tally software_Introduction_Presentation
AditiBansal54083
 
OpenChain @ OSS NA - In From the Cold: Open Source as Part of Mainstream Soft...
Shane Coughlan
 
Top Agile Project Management Tools for Teams in 2025
Orangescrum
 
MiniTool Partition Wizard Free Crack + Full Free Download 2025
bashirkhan333g
 
Why Businesses Are Switching to Open Source Alternatives to Crystal Reports.pptx
Varsha Nayak
 
Why Businesses Are Switching to Open Source Alternatives to Crystal Reports.pdf
Varsha Nayak
 
Hardware(Central Processing Unit ) CU and ALU
RizwanaKalsoom2
 
IDM Crack with Internet Download Manager 6.42 Build 43 with Patch Latest 2025
bashirkhan333g
 
Generic or Specific? Making sensible software design decisions
Bert Jan Schrijver
 
Odoo CRM vs Zoho CRM: Honest Comparison 2025
Odiware Technologies Private Limited
 
Tally_Basic_Operations_Presentation.pptx
AditiBansal54083
 
Ad

Secure-by-Design Using Hardware and Software Protection for FDA Compliance

  • 1. TEEs & FDA [title tdb] Secure-by-Design Using Hardware and Software Protection for FDA Compliance
  • 2. About Us 2 Trustonic Secure Platform provides a certified solution for the storage and management of security or privacy sensitive data. This can be used to protect cryptographic keys and patient information ensuring devices use best in class security. It can also be used to provide defense in depth to protect other systems, such as secure communications or intrusion detection, and enable secure manufacture and tracking of devices throughout their lifecycle. BG Networks equips embedded engineers and penetration testers with easy-to- use software automation tools to streamline cybersecurity tasks including hardening, detection, and testing. BG Networks automation tools are designed to help with adherence to regulations from the FDA, NIST, ISO, and the EU. ICS supports our customers with software development, User experience design, platform and regulatory support to build next generation products. We provide a number of services focused on the medtech space including human factors engineering with a 62366 compliant process, hazard and risk analysis, 62304 compliant software development, and platform support including cybersecurity. Cybersecurity Services Cyber-Testing & Detection Trusted Execution Environments
  • 3. Speaker Introductions 3 Chief Strategy and Innovations Officer for Secure Platform Founder & CEO Director of Medical Programs & Cybersecurity
  • 4. Cybersecurity in Medical Devices: Practical Advice for FDA’s 510(k) Requirements Webinar Series 1. On Demand Practical Advice for FDA’s 510(k) Requirements 2. On Demand Secure-by-Design - Using Hardware and Software Protection for FDA Compliance 3. Today Secure-by-Design - Using Hardware and Software Protection for FDA Compliance 4. September (TBC) Threat modeling and risk assessment – First step in risk management 5. Defense-In-Depth – Security control categories called for by the FDA 6. Cyber-testing – What the FDA expects 7. Cybersecurity documentation - eSTAR submissions 8. Post Market Requirements – Fixing Vulnerabilities: SBOM – Updates - Monitoring 9. Bolting On Security – Is there anything that can be done if I already have a design 4
  • 5. Questions For Us - A Question For You – Link to Previous Webinar Questions for us • Put your questions in the Q&A • For questions we don’t get to, we’ll write answers and make them available after A question for you to keep in mind as we’ll ask it at the end FDA expects the level of security in a medical device scales with risk. What cyber-threats, the drivers of risk, are you most concerned about, and do you see your devices facing? For reference here is the previous webinar in this series and the answers to questions asked • Link to previous webinar: https://www.ics.com/webinar-demand-practical-advice-fdas-510k- requirements • Link to previous Q&A: https://www.ics.com/questions-answers-fdas-510k-requirements-webinar • We’ll put both in the chat 5
  • 6. Devices are increasingly complex and network connected, so open to increasing risks Often, they are based on standard software and hardware platforms. Secure-by-Design means starting cybersecurity at the beginning. By starting at the beginning, gaps in security can be avoided, security features in hardware/software leveraged, and FDA expectations met.
  • 7. 7 Cybersecurity is Part of Device Safety and the Quality System Regulation
  • 8. 8 Secure Product Development Framework (SPDF) Covers the Total Product Lifecycle (TPLC) – The FDA is Very Clear Secure-by-Design means consider cybersecurity from the beginning A threat model and risk assessment should be done at the start, leading to a technical specification of security features to be implemented BG Networks and ICS are offering a Secure Product Development Framework System & Services SPDF includes manual, 25 procedures, 25 templates (including all needed for FDA premarket submission)
  • 9. Authentication Confidentiality Data, Code, Execution Integrity Event Detection and Logging Resiliency and Recovery Updates Patches (& SBOMs) DM-Crypt Crypto. Accel. Secure Boot Secure Key Storage OS CPU MPU TPM TripWire Secure JTAG Authorization IDS Software Updates TEE Trust Zone SOFTWARE User Authentication Privilege Management FDA’s Eight Security Control Categories Possible Ways to Implement Using Processor Hardware & Commonly Used Software DM-Verity, DM-Integrity IDS TEE Hardware Root of Trust TLS/ OpenSSL Crypto FDA’s Eight Security Control Categories Possible Ways to Implement Using Processor Hardware & Commonly Used Software
  • 10. Building a device • The platform is the boring but necessary bit to support your device. • Software platforms never stop changing • More software (from more places) also means more vulnerabilities Potentially huge number of sources of code & vulnerabilities Platforms are ripe for attack – and you need to defend them
  • 11. Two broad classes of device Microcontroller / System on a Chip* Microprocessor / System on a Module Single chip for compute/ram/storage/… Arm Cortex-M Separate chips for compute/ram/storage/… Arm Cortex-A
  • 12. Same security needs, but different scale Limited range of software. no OS / Zephyr / FreeRTOS Often embedded peripherals (e.g. Bluetooth) Limited choice of software often provided with chip Less software means fewer vulnerabilities (typically) Lots of software choices. Android or Linux + ‘extras’ More peripheral choice (if you build your own board) Lots of 3rd party and open- source software Volume of software means vulnerabilities are inevitable Microcontroller / M-Class Microprocessor / A-Class
  • 13. Steps to security Basic Hygiene Isolation Monitoring … Obvious stuff people get wrong all the time Protect the important stuff Keeping an eye on the device. Software updates Device Lifecycle …
  • 14. Modern SOC/SOBs have an overwhelming set of security features An example (i.MX 8/9) 1. Secure Boot / Encrypted Boot 2. Cryptographic Accelerator 3. Key Storage 4. Unique Device Identification 5. Security Monitoring (Tamper) 6. Processor & IO Locking (Debug) 7. TrustZone (TEE support) NXP i.MX 8/9 Security Architecture Source: NXP, What is the EdgeLock Secure Enclave 4 2 1 3 5 6 7 Platform Security Lockdown Application Security 1 2 3 4 5 6 7
  • 15. Basic Hygiene Secure Boot and Image Signature Verification during update are CRITICAL to ensure the bad guys can’t “reflash” your device Modern devices all have decent secure boot But security makes life hard for developers And there is usually a side door… Put it place processes to ensure security is real not imagined. Debug ports left open, secure boot disabled, debug keys in production, serial access …. 2022-techcon-hacking-for-fun-and- glucose.pdf (ucsd.edu) … there was an unconnected ribbon cable protruding from the main board whose contacts were covered over with polyimide tape. ….it became clear that this was a cable used for debugging that was not disabled or removed when the pumps were shipped out to consumers.
  • 16. Trusted Execution Environments provide a ‘safe space’ General Purpose Op e ra t ing Syst e m Se c urit y Foc use d Op e ra t ing Syst e m TEE REE
  • 17. Hardware Security? TrustZone TM is a fe a t ure of a ll Arm a p p lic a t ion p roc e ssors whic h p rovide s ha rdwa re isola t ion a nd p rivile ge d a c c e ss t o se c urit y fe a t ure s. RISC-V p roc e ssors c a n a lso p rovide sim ila r isola t ion whe n p a ire d wit h a syst e m Me m ory Prot e c t ion Unit Arm A -Class processors all support TEEs RISC-V support is nascent
  • 18. Hardware Security? The TEE Operating System t a ke s a dva nt a ge of t his isola t ion t o p rovide se c ure se rvic e s The TEE is re sp onsib le for se c ure ly b oot ing ot he r op e ra t ing syst e m s… …a nd t he n p roviding se c urit y foc use d se rvic e s for t he m
  • 19. TEEs in MCUs are far less common, but the principle is the same By dividing the MPU into “se c ure ” a nd “norm a l” zone s, c rit ic a l c ode c a n b e isola t e d a nd p a t ie nt s p rot e c t e d … Create TLS Session Poll Server Decode TCP Packet Decode JSON Flash Lights Report Status Manage Power … Check signature Activate Pump Recent Arm -m processors (M23 & M33) support TEEs, but there are very few offerings today
  • 20. Use cases for a TEE in Medical Devices 20 There are a number of key areas where security solution can enhance the customer experience & build confidence that their data and mission critical information is secured & protected 20 Patient Data Protecting patient data and information. Can be store in secure database or file store Location Data Ability to keep location - based data secure with embedded security System Protection Support broader system protection software such as IDPS Link to operator Reduce risk of compromised data through connections to a linked device e.g. Bluetooth / Serial Sensors and Biometrics The need to secure critical information e.g. face, voice, iris recognition for security, sensor data for health applications Secure Comms Protect sensitive data uploaded to cloud or server, and validate software and configuration updates sent to device Device Lifecycle Attest to secure manufacture and provisioning. Audit updates Manage change in patient and device recycling
  • 21. Intrusion Detection System (IDS) For Event Detection • Where does the intrusion detection run: • Host-based: IDS runs on each host device • Network-based: IDS runs on a dedicated device or one device within the network • Cloud-based: IDS runs in the cloud performing analysis on data collected across devices • What is monitored: • Network traffic: IP addresses, ports, protocols, packet inspection, etc. • CPU: Processor utilization, performance counters • Memory: Contents of specific data structures in memory (Flash and RAM) • System: Process execution, system calls, file system accesses, login attempts, etc. • Software: Control flow, function calls, software stack, execution time, etc. • How is detection performed: • Signature: Scan for known vulnerability by looking for predefined signatures thereof • Rules: Define a set of rules allowed behaviors and detect violations of those rules • Anomaly: Define or train a model of normal behavior and detect deviations from model at runtime
  • 22. Hacking Timeline: Best Case White/gray hat hacker finds & reports vulnerability Device manufacturer develops fix and discloses vulnerability Healthcare providers facilitate fix Updated or replaced device in use by patient Medical device in use by patient
  • 23. Hacking Timeline: Worst Case Medical device in use by patient Black hat hacker finds vulnerability Publicly disclose first Demand ransom Harm patient Device manufacturer learns of vulnerability after attack
  • 24. Hacking Timeline: Patients may be vulnerable • Recalls takes time • Time to determine and develop appropriate fix • Time to deploy fix • Months to years • Attackers often have a lead • Can exploit before vulnerability is known by manufactures, regulators, etc. Patients Vulnerable!! Patients Vulnerable!!
  • 25. Object Detection Source (.c) Compiler (gcc) AnCyR Data Collection (ancyr_shm. c) Object Detection App Monitored Operation s AnCyR Engine Binary Event Stream (.csv) AnCyR Firmware OS App Event Stream (.csv) … Event Stream (.csv) … AnCyR Model AnCyR Training Flexible Anomaly Reporting: Anomaly score indicates the severity. Detailed forensic data identifies affected software tasks and operations. AnCyR Model Training: ML-based training optimizes model accuracy. False positive rate for demo system: 0.00000000198 AnCyR Runtime Anomaly Detection: Detects anomalies in real time. Uses IoT-optimized AI/ML to accurately detect anomalies in software execution Data Collection Agent Training Stat+Prob+ML Analysis & Detection Mode Anomaly Detected! AnCyR AnCyR Model AnCyR App SW OS AnCyR™ Integration: Simple integration of AnCyR™ agent and instrumentation during compilation. No source code modifications. US Patent #11,868,479B2 Example: AnCyR: Anomaly Detection & Cyber-Resilience
  • 26. Not “Secure-by-Design” How do you know when you’re not “Secure-by-Design”? Contrast with strap-on or retrofitted security • Working with available architecture • Applying point-solutions • Without system-wide analysis • Without contextual analysis for: • Intended-use • User types • Environment of use • Architectural Vulnerabilities • Patient harm 26
  • 27. Understanding “Secure-by-Design” An integrated set of security features that comprehensively satisfies product security • More secure than the “sum of the parts” • The integration makes the security architectural vs. strap-on • Example: Secure boot; authenticate bootloader with TPM protected keys Systematic analysis • Method that prevents errors of omission • Detailed and specific • Demonstrably complete Security context - Security requirements driven by • Intended use • Environment of use • Risk of patient harm 27 authentication execution integrity resiliency recovery Boot from Multi-Media Card Spoofing Self Signed Authority Roll-back to Unsecure Software Compromised Keys
  • 28. Systematic Analysis – Water-tight Why Systematic Analysis is important 8 Security Control Categories (Authentication, Authorization, Cryptography, Execution Integrity, Confidentiality, Event Detection and Logging, Resiliency/Recovery, SW Updates) Errors of omission  security leaks SPDF (Secure Product Development Framework) processes that manage leaks • Threat modeling • Risk assessment • Mitigations Documentation burden Seasoned experts benefit from repetition, but,.. • Demonstrating compliance (showing your work) • Requirements  Verification • Architectural Continuity (people following your work) • Detailed, enduring adjudication of device security 28 authentication execution integrity resiliency recovery Boot from unauthorized location OTP Fuses Spoof Self-Signed Authority Root Certificate Authority Compromised keys Key Management System
  • 29. Risk approach to Secure-by-Design Redundancy & contingency Double hulls  Defense in Depth Bulkheads  Security zones Defense in depth • Detection & Response (IDS) • Layers of encryption Security zones • Different encryption keys • Limited interactions between zones • Isolation of critical systems (TEE) This type of security can’t be retrofitted 29
  • 30. Requirements Management SBOM Features Dev. Code Quality CI / CD Pre-Production Testing Post-Production Supporting End of Life Competence Development Threat Modeling Risk Assessment Implement cybersecurity features Static analysis, MISRA C, etc.. Generation CWE/CVE check Validation Pentesting Code Signing Release / Delivery Key Management Locking Hardware Vulnerability Monitoring Feedback / Incident Response Software Updates Diagnostic Tools Secure Decommissioning Software Development Lifecycle Security Development Lifecycle Legend 30 Secure-by-Design means consider cybersecurity from the beginning SPDF - Secure by design
  • 31. SPDF - Secure by design Unpacking Requirements and Features Dev. 31 Requirements Threats Users Environment Security expectation Identify Assess Mitigate Design Specifications Tools Integrate Implement Code quality SBOM Evaluate From the beginning of process enables architectural solutions • TEE (Trusted Execution Environment) • IDS (Intrusion Detection Systems) Lengthy involved process not suitable for retrospective application Requirements Features Dev. Threat Modeling Risk Assessment Implement cybersecurity features
  • 32. Secure by Design Take-away summary 1. Integrated designs security controls……………………………………………… Structural, architectural, avoids the big gaps 2. Systematic (Threat Modeling, Risk Assessment)………………………… For specific, small leaks 3. At beginning of System Design ……………………………………………….…….. Impractical when retro-fit 32
  • 33. Poll Question 33 FDA expects the level of security in a medical device scales with risk. What cyber-threats, the drivers of risk, are you most concerned about, and do you see your devices facing?