AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.


Security Lessons from CSI: Cyber


CSI: Cyber

Thanks to winter storm ‘Jonas’ I had some free time on my hands this weekend and I got to catch up on a recent episode of CSI: Cyber – the latest in the CSI franchise which follows the work of an elite team of FBI special agents investigating cyber-crime across the US. The episode, titled ‘Hack E.R.’ addressed a security issue that’s been discussed at length in the media this year: the possibility of exploiting the Internet of Things to hack into medical equipment and facilities. The episode sees a hacker take control of all networked devices at a Dallas hospital, resulting in the death of a patient, and threats to kill more patients at regular intervals if the attacker’s ransom demands are not met.

In the episode, the CSI team rushes to locate the source of the attack and discover how the culprit managed to get around the hospital’s supposedly high levels of security. They find that the hacker had gained access through a Smart TV that was connected to the hospital’s WiFi. Once on the hospital’s network, the hacker disabled a patient’s heart monitor and installed malware on the hospital network which caused a defibrillator to malfunction when staff attempted to save the patient.

In today’s cyber-crime crazy world, it is, unfortunately, a plausible scenario, and I think there are a few lessons that can be learnt from this episode:

  • Network segmentation – The use of a Smart TV as the entry point for uploading the malware implies that there was little to no segmentation in the hospital’s networks, as the malware was able to move from the WiFi network to critical areas of the system, and onto medical equipment. Had the hospital properly segmented and isolated its networks, it would have been able to prevent access to the patient’s medical equipment and ultimately prevent their deaths.
  • Internal permissions and access management – (spoiler alert 1) – The doctor who carried out the attack evidently had access to the patient’s medical records and prescriptions. This reinforces the need for tight permission controls and policy-driven management of user identities and access to systems and resources.
  • Insider threats – (spoiler alert 2) – The fact that the attack was perpetrated by an employee of the hospital reminds us of the threat that employees pose to a company network. Insiders have the advantage of knowing the network and what’s on it, meaning that they can often cause greater damage than external hackers. So beware of disgruntled employees!

While I don’t wish for any more snow days, hopefully I will be able to catch up on some more episodes of CSI: Cyber in the near future. While the show sometimes bends the truth with both technology and terminology to drive its plotlines, it does tackle some very real threats, and it’s good to see cyber-security issues getting wider exposure in the media.
