Probabilistic Security Threat Detection for Risk Management in Cyber-Physical Medical Systems

Aakarsh Rao; Nadir Carreon Rascon; Roman Lysecky; J. W. Rozenblit

doi:10.1109/MS.2018.110165557

Probabilistic Security Threat Detection for Risk Management in Cyber-Physical Medical Systems

Aakarsh Rao, Nadir Carreon Rascon, Roman Lysecky, J. W. Rozenblit

Electrical and Computer Engineering

Research output: Contribution to journal › Article › peer-review

Abstract

Medical devices are complex cyber-physical systems incorporating emergent hardware and software components. In addition, interoperability and communication capabilities have been augmented, increasing the convenience and functionality of such devices. However, this complexity leads to a wide attack surface posing security risks and vulnerabilities. Mitigation and management of such risks during premarket design and postmarket deployment are required. Dynamically mitigating threat potential in the presence of unknown vulnerabilities requires an adaptive risk based mitigation scheme to assess the systems state, a secure system architecture that can isolate hardware and software components, and design methods that can adaptively adjust the systems topology based on risk changes. An essential complementary aspect during deployment is detecting, characterizing and quantifying security threats. In this paper, we present a dynamic risk management and mitigation approach based on probabilistic threat estimation. We show a case study of our approach on a smart connected pacemaker.

Original language	English (US)
Journal	IEEE Software
DOIs	https://doi.org/10.1109/MS.2018.110165557
State	Accepted/In press - Jan 11 2018

Keywords

computer systems organization
management
medical device security
Object recognition
operating systems
Pacemakers
Probabilistic logic
real-time and embedded systems
Risk management
risk management
Runtime
Security
security and privacy protection
software engineering
software/software engineering
special-purpose and application-based systems
threat estimation
Timing

ASJC Scopus subject areas

Software

Access to Document

10.1109/MS.2018.110165557

Fingerprint Dive into the research topics of 'Probabilistic Security Threat Detection for Risk Management in Cyber-Physical Medical Systems'. Together they form a unique fingerprint.

Cite this

@article{88a95e137cbb4cbc80038fbc4eb00e28,

title = "Probabilistic Security Threat Detection for Risk Management in Cyber-Physical Medical Systems",

abstract = "Medical devices are complex cyber-physical systems incorporating emergent hardware and software components. In addition, interoperability and communication capabilities have been augmented, increasing the convenience and functionality of such devices. However, this complexity leads to a wide attack surface posing security risks and vulnerabilities. Mitigation and management of such risks during premarket design and postmarket deployment are required. Dynamically mitigating threat potential in the presence of unknown vulnerabilities requires an adaptive risk based mitigation scheme to assess the systems state, a secure system architecture that can isolate hardware and software components, and design methods that can adaptively adjust the systems topology based on risk changes. An essential complementary aspect during deployment is detecting, characterizing and quantifying security threats. In this paper, we present a dynamic risk management and mitigation approach based on probabilistic threat estimation. We show a case study of our approach on a smart connected pacemaker.",

keywords = "computer systems organization, management, medical device security, Object recognition, operating systems, Pacemakers, Probabilistic logic, real-time and embedded systems, Risk management, risk management, Runtime, Security, security and privacy protection, software engineering, software/software engineering, special-purpose and application-based systems, threat estimation, Timing",

author = "Aakarsh Rao and {Carreon Rascon}, Nadir and Roman Lysecky and Rozenblit, {J. W.}",

year = "2018",

month = jan,

day = "11",

doi = "10.1109/MS.2018.110165557",

language = "English (US)",

journal = "IEEE Software",

issn = "0740-7459",

publisher = "IEEE Computer Society",

}

TY - JOUR

T1 - Probabilistic Security Threat Detection for Risk Management in Cyber-Physical Medical Systems

AU - Rao, Aakarsh

AU - Carreon Rascon, Nadir

AU - Lysecky, Roman

AU - Rozenblit, J. W.

PY - 2018/1/11

Y1 - 2018/1/11

N2 - Medical devices are complex cyber-physical systems incorporating emergent hardware and software components. In addition, interoperability and communication capabilities have been augmented, increasing the convenience and functionality of such devices. However, this complexity leads to a wide attack surface posing security risks and vulnerabilities. Mitigation and management of such risks during premarket design and postmarket deployment are required. Dynamically mitigating threat potential in the presence of unknown vulnerabilities requires an adaptive risk based mitigation scheme to assess the systems state, a secure system architecture that can isolate hardware and software components, and design methods that can adaptively adjust the systems topology based on risk changes. An essential complementary aspect during deployment is detecting, characterizing and quantifying security threats. In this paper, we present a dynamic risk management and mitigation approach based on probabilistic threat estimation. We show a case study of our approach on a smart connected pacemaker.

AB - Medical devices are complex cyber-physical systems incorporating emergent hardware and software components. In addition, interoperability and communication capabilities have been augmented, increasing the convenience and functionality of such devices. However, this complexity leads to a wide attack surface posing security risks and vulnerabilities. Mitigation and management of such risks during premarket design and postmarket deployment are required. Dynamically mitigating threat potential in the presence of unknown vulnerabilities requires an adaptive risk based mitigation scheme to assess the systems state, a secure system architecture that can isolate hardware and software components, and design methods that can adaptively adjust the systems topology based on risk changes. An essential complementary aspect during deployment is detecting, characterizing and quantifying security threats. In this paper, we present a dynamic risk management and mitigation approach based on probabilistic threat estimation. We show a case study of our approach on a smart connected pacemaker.

KW - computer systems organization

KW - management

KW - medical device security

KW - Object recognition

KW - operating systems

KW - Pacemakers

KW - Probabilistic logic

KW - real-time and embedded systems

KW - Risk management

KW - risk management

KW - Runtime

KW - Security

KW - security and privacy protection

KW - software engineering

KW - software/software engineering

KW - special-purpose and application-based systems

KW - threat estimation

KW - Timing

UR - http://www.scopus.com/inward/record.url?scp=85040911057&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85040911057&partnerID=8YFLogxK

U2 - 10.1109/MS.2018.110165557

DO - 10.1109/MS.2018.110165557

M3 - Article

AN - SCOPUS:85040911057

JO - IEEE Software

JF - IEEE Software

SN - 0740-7459

ER -