Recent warnings from U.S. federal authorities concerning vulnerabilities in critical operational technology devices highlight significant security risks often overlooked by healthcare organizations. Sila Özeren, a security research engineer at Picus Security, emphasized these concerns in a recent discussion.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued two important alerts that reveal pressing vulnerability issues. One advisory addresses flaws in Advantech iView technology, which is integrated into IoT gateways and smart building systems managing HVAC, access control, and power infrastructure. Another alert focuses on vulnerabilities in Siemens Siprotec 5 devices, which are utilized in substations and power systems to automate and protect electrical assets.
Both Advantech iView and Siemens Siprotec 5 devices are deployed in large hospitals and healthcare facilities, exposing them to substantial risks if these vulnerabilities are exploited. Özeren noted that a successful attack on Advantech iView could result in power disruptions, leading to unstable electrical supply in hospitals. Such incidents could have dire consequences, including temperature fluctuations or failures in air filtration systems, potentially rendering operating rooms unusable.
Özeren stressed the importance of healthcare organizations adopting a proactive stance in addressing these vulnerabilities. Patching and updating systems should be a priority, even if it necessitates scheduled downtime. Delaying patch management poses unacceptable risks in dynamic environments like hospitals, where unpatched systems can jeopardize patient safety.
In an audio interview with Information Security Media Group, Özeren elaborated on the specific vulnerabilities inherent in both Advantech iView and Siemens Siprotec 5 products. She provided insights into potential remediation strategies and discussed similar security challenges affecting other operational technology devices within healthcare settings. The conversation also touched on how the healthcare sector can improve its understanding and management of operational technology security risks.
Sila Özeren is an associate security research engineer at Picus Security and possesses a Master of Science degree in cryptography from the Institute of Applied Mathematics at the Middle East Technical University in Turkey, where she focused on the post-quantum cryptography algorithm CRYSTALS-Kyber and its implementations.
As the cybersecurity landscape evolves, it’s crucial for healthcare organizations to recognize their exposure to operational technology risks. Awareness of the potential exploitation tactics, such as initial access or privilege escalation as defined by the MITRE ATT&CK framework, can help in developing more robust security strategies that protect critical devices and, ultimately, patient safety.
