Implantable medical devices are becoming progressively interconnected through the Internet of Things (IoT) in order to monitor vital signs and improve patients' quality of life. Yet such interconnection exposes major vulnerabilities, and any disturbance could cause significant damage or life-threatening situations [1]. An adversary may construct various attacks to jeopardize both IoT implantable medical equipment and networks [3]. Table 1 illustrates some recent cyberattack incidents that occurred in the medical field. Thus, it is not easy to design and protect medical devices that are able to cope with equipment failures and with connectivity and operating system faults [4]. Security and privacy concerns should also be considered, such as identification, data integrity, confidentiality, authentication, and user and service privacy [5]. A recent survey [6] studied over one hundred medical devices to assess their security concerns, with a focus on reported cyberattacks including tampering, sniffing, and unauthorized access. The survey also studied the available mitigation methods for handling these concerns.
Attack graphs provide a visual technique for determining risks within interoperable systems. The actions needed to conduct an attack can be identified using this technique, and identifying them helps engineers to establish defensive measures that prevent the attack from being executed [14]. For instance, a method is presented by [15] for determining the best placement of a collection of IoT devices within an institution, using a traditional attack graph augmented to consider the physical placement of the IoT devices and the effectiveness of their connectivity.
Attack graphs can also help forensic investigators to identify many possible attack paths. An empirical study is provided by [16] on the growing use of data gathered by smartphone applications (developed to pair with a medical device) as digital evidence in legal cases. The study includes a report on evidence that may be helpful in a digital forensics investigation.
A digital investigation system is proposed by [17] for the examination of fatal attack scenarios on cardiac implantable medical devices (IMDs). The system supports the identification and reconstruction of possible attack scenarios that result in a patient's death. A three-stage approach is proposed, along with a collection of techniques to use in every stage. In the first stage, the approach helps determine the cause of death based on the clinical findings gathered by the IMD. Second, the approach follows the entries and system logs gathered from the IMD under consideration, which identify the critical actions associated with remote access and reconfiguration. The technique aims to collect the possible attack scenarios that could produce the same effects as those seen in the gathered log evidence, as if they had actually been conducted. A library of threats and a model-checking-based algorithm are used to perform this automatic reconstruction, which proceeds by forward chaining. The third stage correlates the generated scenarios, identifies the most plausible combination of medical and attack scenarios, and confirms the presence of the abnormal behavior in the chosen combination that caused the patient's death.
The main contribution of this work is an approach for developing attack graphs for the pacemaker automatic remote monitoring system (PARMS). This requires a general specification of the system model (design and communications, units, resources, protections, vulnerabilities, and attack instances) and an exploration of the security concerns. The model and the security properties are encoded using the architecture analysis and design language (AADL) [18] and verified using the JKind model checker [19]. The developed attack graph contains the attack scenarios that compromise the system by gaining the ability to alter the settings of the home monitoring device, thereby controlling the wireless pacemaker and jeopardizing the patient's life. The resulting graph is visualized using Graphviz [20]. The rest of this paper is organized as follows: Section 1.1 reviews the relevant work. Section 2 presents the modeling process of the pacemaker automatic remote monitoring system (PARMS). Section 3 illustrates attack graph construction and visualization for the PARMS. Section 4 recaps and discusses some forthcoming work.
1.1. Related Work
Different papers in the literature were investigated for modelling attack graphs for medical devices. A model-based system, safety and security co-engineering (MB3SE) technique, and an associated toolchain for the implementation of medical equipment were proposed by [21]. The toolchain included architecture modelling and safety and cyber-security risk analysis tools. Solutions for the security concerns of 5G networks supporting electronic healthcare applications were presented by [22]. The solutions incorporated knowledge graph development, automated attack and protection technologies, and a security testbed.
An approach is presented by [23] for developing attack trees for IMDs, which takes two inputs: the functional workflow and a hazard study of the IMD under consideration. Process-modeling software is used to illustrate the IMD system as it is set up, booted, and managed by the caregiver. Hazards are identified as system states that are inherently unsafe for the user. The hazard study requires determining the system states that will ultimately cause critical harm to the patient.
Threat modeling in medical cyber-physical systems (MCPS) is examined by [24]. This includes the roles of stakeholders and system components, trust models, threat models, and threat analysis. An abstract architecture is also sketched for an MCPS to demonstrate various threat modeling options.
A methodology has been developed by [2] for generating attack trees for a patient-controlled analgesia IMD (PCA-IMD). This process contains four steps: (1) process modeling, (2) fault tree analysis (FTA), (3) attack tree generation, and (4) quantification. First, the user of the PCA-IMD takes a description of the workflow of the PCA-IMD and constructs a process model for it. Once the process model is constructed, the IMD user establishes the distinct hazards that can arise from running the system and lead to over-infusion.
Two insider activities are studied by [25], involving the use of Universal Serial Bus (USB) drives and Compact Disc Read-Only Memory (CD-ROM) as the entry methods leading to data loss in a healthcare enterprise environment. The generated augmented threat trees show the vulnerabilities exploited, the actions required to exploit them, and the fingerprint left by the attackers' activities. A set of Markov models is developed by [26] for a healthcare IoT infrastructure, which enables consideration of the specifics of clients' machines, connectivity, the evolution of the data stream, and the safety and security concerns of these elements.
The modeling and study of cyberattacks using a multimodal graph technique is shown by [27]. This work illustrates how cyber actions, parties, targets, and the networks that gathered them can be modeled using a multimodal graph, such that multiple graphs of distinct modalities are connected to show the features of the attack.
A framework is presented by [28] for modeling and assessing the security of the IoT, which incorporates preprocessing, security model generation using a hierarchical attack representation model (HARM), visualization and storage, security analysis, and transformations and updates. In the scheme, an IoT generator, security model generators, and an evaluator are implemented.
The authors of [29] investigated whether the ideas of model checking and attack tree refinement correspond, using an IoT healthcare illustrative example. The extension by model checking and the embedding of attack trees into the Isabelle framework permitted the investigation of this correspondence using the rigorous and automated proof support of Isabelle. This involved reassessing the interpretation of state evolution in model checking and introducing a variant that exhibits the attack sequences, which permitted the conversion of attack paths established by model checking into the attack tree refinement procedure.
An attack graph-based study is presented by [4] of attacks on a particular interoperability environment for providing patient-controlled analgesia (PCA), across multiple levels of interoperability from simple data gathering to complete closed-loop control. Potential prevention methods are determined for every class of attack vectors. The work showed that security has a deep impact on the safety of medical device interoperability and on the patients it serves.
Conceptual graphs are combined by [30] with Dung's argumentation framework, which supplies convenient extensions for reliable decision procedures, all adapted to telemedicine in general and tele-expertise in particular. The work implemented a visual graph of attacks in which a distinct interpretation of the reasoning logic is adapted to verify the possible acceptable arguments.
A systematic threat-modeling approach is proposed by [31] to investigate IMD security. The attack tree approach provided an overall and organized view of the strengths and weaknesses of the IMD system. The work showed a systematic method for conducting system-level security examination that incorporates various potential attack surfaces. The research done by [14] demonstrated attack graph modeling on hypothetical ambulatory medical equipment. The research examined specific attacks that jeopardized ambulatory equipment, such as physical attacks and social engineering.
3. Attack Graph Generation
Two software programs were used to generate and visualize the cyberattack scenarios, as shown in Figure 2. These tools are the JKind model checker and Graphviz. JKind is the software tool we used to generate cyberattack scenarios against the PARMS [40]. The model checker repeatedly checks whether a given finite-state model of a system meets a given security property of interest. JKind is an infinite-state model checker for analyzing safety properties of a system expressed in Lustre, a synchronous dataflow language designed for programming reactive systems such as automatic control and monitoring systems [41]. JKind employs a back-end satisfiability modulo theories (SMT) solver to verify whether a system model complies with a specific temporal logic property in every execution of the system. A faulty execution in which a property is not fulfilled is expressed as a counterexample (CE), illustrating a sequence of attack instances (i.e., an attack scenario).
The PARMS model of the components and their interfaces and links is defined using the architecture analysis and design language (AADL), within the open-source integrated development environment (Osate2). The AADL model is annotated with the assume guarantee reasoning environment (AGREE) annex plug-in, in which the constants and variables are declared locally. The AGREE plug-in translates the AADL+Annex models and properties to Lustre and communicates with JKind, which verifies the system against the security property under study φ and returns the result as a CE.
Considering the given security property φ, the goal of the attacker is to gain root access on the home monitoring device (HS), and therefore the ability to alter the settings of the HS, which imposes a life-threatening risk to the patient. The JKind model checker generated the following counterexample (CE1) as a spreadsheet, shown in Figure 3. This attack sequence can be summarized as follows. Initially, the attacker has root privilege on the AP; an IGAP-HS attack is launched to gather information about the HS (e.g., IP addresses). After the IGAP-HS attack, an SHS-PN attack is launched between the HS and the PN to obtain a login username and password. This allows the attacker to access the PN with user privilege, thereby disclosing patient and HS information. Using the disclosed information, an MIMPN-PN attack is launched against the PN components to gain a higher privilege (root privilege). Using this privilege, an MAPN-HS attack is conducted, exploiting a COTS vulnerability in the HS to gain root access to it. By doing so, the attacker can alter the settings of the HS, which will affect the wireless pacemaker and jeopardize the patient's life.
The generated counterexample CE1 is encoded in disjunction with the property φ under study, that is, φ ∨ CE1. A new counterexample must satisfy ¬(φ ∨ CE1) = ¬φ ∧ ¬CE1, i.e., it is a counterexample of φ distinct from CE1. This produces a new counterexample (CE2: SEAP-PN → PVPN-PN → MIMPN-PN → MAPN-HS). By continuing this process until no further counterexample exists, three CEs were found, producing the complete set of attack scenarios (the attack graph).
In order to visualize the union of the generated cyberattack scenarios (the attack graph), the Graphviz tool and the DOT graph description language are used. Graphviz is a package of open-source tools for representing structural information as diagrams of abstract graphs and networks. Graphviz takes the descriptions of graphs in a simple text language [20]. The resulting attack graph, shown in Figure 4, consists of arrows and nodes. Each arrow illustrates a possible occurrence of an attack instance, while each node represents the system state resulting from executing the attack instance. An attack scenario is a sequence of attack instances represented by any path from the initial node to the final node in the attack graph. The shown attack graph has three attack scenarios that terminate in a reachable state where the settings of the HS can be altered by the attacker. Hence, the attacker can gain root privilege over the pacemaker, which may threaten the patient's life.
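The counterexample-exclusion loop described above (φ ∨ CE1 ∨ CE2 ∨ …) and the DOT rendering of the resulting graph, as an added Python example that is not the paper's AADL/AGREE model or JKind output. The attack-instance model is a constructed simplification: the attacker's state is the strongest foothold gained so far, the transitions are assumed from the CE1 narrative and the CE2 sequence, and a breadth-first search stands in for the model checker.

```python
from collections import deque

# Constructed model (assumption, not the paper's AADL model): each attack
# instance moves the attacker from one foothold to the next. Names follow
# the paper's CE1 and CE2; SEAP-PN and PVPN-PN effects are assumed.
ATTACKS = {
    "IGAP-HS":  ("root@AP",  "info@HS"),   # gather HS information from the AP
    "SHS-PN":   ("info@HS",  "user@PN"),   # sniff HS-PN login, user access on PN
    "SEAP-PN":  ("root@AP",  "creds@PN"),  # assumed: social engineering yields PN credentials
    "PVPN-PN":  ("creds@PN", "user@PN"),   # assumed: credentials give user access on PN
    "MIMPN-PN": ("user@PN",  "root@PN"),   # man-in-the-middle on PN, root on PN
    "MAPN-HS":  ("root@PN",  "root@HS"),   # COTS vulnerability in HS, root on HS
}
INITIAL, GOAL = "root@AP", "root@HS"   # reaching GOAL violates the property phi


def counterexample(excluded):
    """Return the shortest attack sequence reaching GOAL that is not in
    `excluded`, or None. Plays the role of one JKind run on phi v CE1 v ..."""
    queue = deque([(INITIAL, [])])
    while queue:
        state, path = queue.popleft()
        if state == GOAL and tuple(path) not in excluded:
            return path
        for name, (pre, post) in ATTACKS.items():
            if pre == state and name not in path:   # no repeated attack instances
                queue.append((post, path + [name]))
    return None


def attack_graph():
    """Find a CE, add it to the exclusion set (phi v CE), and repeat until
    the checker finds no further counterexample."""
    found = []
    while (ce := counterexample({tuple(p) for p in found})) is not None:
        found.append(ce)
    return found


def to_dot(scenarios):
    """Render the union of scenarios as a DOT digraph: nodes are system
    states, arrows are attack instances (one arrow per distinct transition)."""
    edges = set()
    for path in scenarios:
        for name in path:
            pre, post = ATTACKS[name]
            edges.add(f'  "{pre}" -> "{post}" [label="{name}"];')
    return "digraph PARMS {\n" + "\n".join(sorted(edges)) + "\n}"


if __name__ == "__main__":
    print(to_dot(attack_graph()))   # pipe into `dot -Tpng` to draw the graph
```

With this constructed model the loop terminates after two counterexamples (CE1 and CE2); the paper's third scenario depends on attack instances not named in the text and is not reproduced here.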
The generated graph may aid system administrators in deciding the placement of appropriate detection and prevention measures. For instance, the experimental results showed that an MA attack can never be successfully conducted against the HS without first running MIM or SQL attacks against the PN. Thus, by preventing MIM and SQL attacks, system administrators can also eliminate the MA attack, which would immensely enhance the system security.
In addition, the MA attack against the HS required exploiting the COTS vulnerability in its operating system or the firmware update vulnerability. Therefore, securing the HS operating system and deploying an intrusion detection system (IDS) between the HS and the PN may prevent the attacker from executing the remaining attacks.
The feasibility of protecting implantable medical devices (IMDs) without modifying them is explored by [42], by carrying out the security mechanisms entirely on an external device called a shield. The shield is placed between the IMD and potential correspondents, e.g., worn on the body close to the implanted device. The shield acts as a gateway that relays messages between the IMD and authorized endpoints. Such an approach improves the security of IMDs for patients who already have them and still allows medical staff to access a protected IMD by removing the external device or turning it off.