June 1, 2016
Dr. Adam Sorini, a Senior Scientist in Exponent's Electrical Engineering & Computer Science practice, recently submitted a paper to the IEEE Symposium on Product Compliance Engineering (ISPCE 2016) and was selected as one of the three "Best Paper Award Nominees."
The paper will be published via IEEE Xplore in the ISPCE 2016 conference publications.
Dr. Sorini's paper, "Self-Authentication in Medical Device Software: An Approach To Include Cybersecurity In Legacy Medical Devices," notes that the FDA recommends that medical device manufacturers take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyberattack, which could be initiated by the introduction of malware into the medical equipment. However, incorporating safeguards into legacy devices in the field is not easy. One approach is to make software changes that are then distributed into the field. The problem with software-only changes is that they are easy for malicious attackers to defeat.
This paper explores an approach that provides incremental security to software that is distributed in the field. Specifically, this paper describes an approach to "self-authenticate" software so that it is robust in detecting attempts to defeat security safeguards that are programmed into the compiled software code. Self-authentication relies on encrypting certain critical functions of the software so that decryption of those portions is necessary for proper operation of the device. The decrypted portions also include integrity-checking and/or authentication functions that confirm that the software has not been modified.
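The idea in the paragraph above can be sketched in a few lines. This is an added illustration, not code from Dr. Sorini's paper, whose actual scheme is not given on this page. The function names, the constructed sample image, the key handling and the toy HMAC-based stream cipher (a stand-in for a vetted cipher) are all assumptions.

```python
import hashlib
import hmac

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def keystream_xor(key, data):
    # Toy stream cipher (HMAC-SHA256 in counter mode), a stand-in for a vetted cipher.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

# Constructed sample: the part of the device image that ships in the clear.
CLEAR_CODE = b"def ui_loop(): pass  # non-critical code\n"

# Critical section: the function the device needs, with the integrity check inside it.
CRITICAL_SRC = '''
import hashlib
EXPECTED = "{digest}"
def pump_rate(clear_code, dose_ml, minutes):
    if hashlib.sha256(clear_code).hexdigest() != EXPECTED:
        raise RuntimeError("image modified: refusing to operate")
    return dose_ml / minutes
'''

def build_image(key, clear_code=CLEAR_CODE):
    """Build step: bind the clear code's digest into the critical section, then encrypt it."""
    src = CRITICAL_SRC.format(digest=hashlib.sha256(clear_code).hexdigest())
    blob = keystream_xor(_subkey(key, b"enc"), src.encode())
    tag = hmac.new(_subkey(key, b"mac"), blob, hashlib.sha256).digest()
    return clear_code, tag + blob

def load_critical(key, protected):
    """Device start-up: authenticate and decrypt the critical section, return its function."""
    tag, blob = protected[:32], protected[32:]
    expected = hmac.new(_subkey(key, b"mac"), blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise RuntimeError("encrypted section tampered or wrong key")
    namespace = {}
    exec(keystream_xor(_subkey(key, b"enc"), blob).decode(), namespace)
    return namespace["pump_rate"]
```

Because the check lives inside the encrypted section, removing it from the clear code is not possible, and the device cannot compute `pump_rate` without decrypting that section first.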