
Monitoring for Vulnerabilities

  • erikm67
  • Feb 8, 2021
  • 4 min read

It is important to regularly monitor for new cybersecurity vulnerabilities, particularly if the software bill of materials (SBOM) for your medical device contains off-the-shelf (OTS) software. Security researchers and hackers are finding issues with OTS software every day. MITRE keeps a Twitter account, @CVENew, for new vulnerabilities if you want to observe the breathtakingly rapid pace (dozens per working day).


Have an SBOM


First, it is important to have a good SBOM. This should have been generated as part of your premarket documentation, but if you have not created one for your device, there are some things to consider about how you put your SBOM together for monitoring. For a device that contains an operating system, if you look at your raw manifest of installation packages you will likely have a long list. The most conservative approach is to place all of these packages on the SBOM to be monitored for vulnerabilities. Another approach is to risk-rate the list and only monitor the higher-risk packages, for example the operating system, networking, authentication and cryptographic packages.


I also recommend that you put your SBOM in a format that makes it easy to cross-reference to the vulnerability lists. One option is the Common Platform Enumeration (CPE) format from the NIST website. For example, suppose you have an older device with, say, the last long term support (LTS) version of the 2.6 Linux kernel, version 2.6.32.58. You can search for that on the NIST CPE Search page. The CPE identifier for this example is the catchy name "cpe:2.3:o:linux:linux_kernel:2.6.32.58:*:*:*:*:*:*:*". You can then easily get a list of vulnerabilities from NIST based on that. (There are 2,323 matching records for 2.6.32.58.)
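To show what the cross-reference looks like in practice, here is an added example (not code from the original post) that builds CPE 2.3 names for SBOM entries and matches them against CVE records. The record shape, the CVE IDs and the second vendor/product are constructed placeholders; only the kernel CPE above is from the post.

```python
# Added example, not code from the original post: turn SBOM entries into
# CPE 2.3 names and test them against constructed CVE records the way NVD
# applicability data works (a CPE match string plus an optional version bound).
from dataclasses import dataclass
from typing import List, Optional, Tuple

CPE_FIELD_COUNT = 13  # "cpe", "2.3", then the 11 attribute fields

@dataclass
class CveRecord:  # constructed shape for this example, not NVD's real JSON
    cve_id: str
    cpe: str  # may carry '*' in the version field
    version_end_including: Optional[str] = None

def build_cpe(part: str, vendor: str, product: str, version: str) -> str:
    """Build a CPE 2.3 name; the seven trailing attributes are left as '*'."""
    return ":".join(["cpe", "2.3", part, vendor, product, version] + ["*"] * 7)

def cpe_fields(cpe: str) -> List[str]:
    """Split a CPE 2.3 name into its 11 attribute fields, rejecting other forms."""
    fields = cpe.split(":")
    if len(fields) != CPE_FIELD_COUNT or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 name: {cpe!r}")
    return fields[2:]

def version_key(version: str) -> Tuple[int, ...]:
    """Numeric tuple for ordering, e.g. '2.6.32.58' -> (2, 6, 32, 58)."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def record_applies(sbom_cpe: str, rec: CveRecord) -> bool:
    """True when every CVE field is '*' or equal and any version bound holds."""
    sbom, cve = cpe_fields(sbom_cpe), cpe_fields(rec.cpe)
    if not all(c in ("*", s) for s, c in zip(sbom, cve)):
        return False
    if rec.version_end_including is not None:  # sbom[3] is the version field
        return version_key(sbom[3]) <= version_key(rec.version_end_including)
    return True

def matching_cves(sbom_cpe: str, records: List[CveRecord]) -> List[str]:
    return [r.cve_id for r in records if record_applies(sbom_cpe, r)]

# Constructed sample records; the IDs and the second product are placeholders.
SAMPLE_RECORDS = [
    CveRecord("CVE-XXXX-0001", "cpe:2.3:o:linux:linux_kernel:2.6.32.58:*:*:*:*:*:*:*"),
    CveRecord("CVE-XXXX-0002", "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "2.6.32.60"),
    CveRecord("CVE-XXXX-0003", "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "2.6.32.57"),
    CveRecord("CVE-XXXX-0004", "cpe:2.3:a:example_vendor:example_ftpd:*:*:*:*:*:*:*:*"),
]
```

Calling `matching_cves(build_cpe("o", "linux", "linux_kernel", "2.6.32.58"), SAMPLE_RECORDS)` returns the first two records: the exact-version match and the wildcard record whose upper bound still covers 2.6.32.58.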


Simple Monitoring


If your device has a relatively small list of packages you may be able to monitor with a few simple tools that you already have. One nice method that a former coworker of mine, NB, told me about is to use the website cvedetails.com to generate a custom RSS feed for your package(s), and then set up a Slack channel or similar to monitor that RSS feed. Every time a new vulnerability is found you will get a message in your Slack channel.
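The feed-to-channel step above, as an added example that is not from the original post: it polls an RSS feed, keeps only items naming a package on the watch list, and remembers what it has already alerted on. The feed XML, the watch list and the CVE IDs are constructed; a real feed such as the one cvedetails.com generates will differ in detail.

```python
# Added example, not code from the original post: poll a CVE RSS feed, keep
# only items that name a package on the watch list, and remember what was
# already alerted so each vulnerability produces exactly one message.
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

# Constructed sample feed; a real cvedetails.com feed will differ in detail.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed CVE feed</title>
<item><title>CVE-XXXX-0001 in linux_kernel</title>
<link>https://example.invalid/cve/1</link><guid>https://example.invalid/cve/1</guid></item>
<item><title>CVE-XXXX-0002 in openssl</title>
<link>https://example.invalid/cve/2</link><guid>https://example.invalid/cve/2</guid></item>
<item><title>CVE-XXXX-0003 in some_unrelated_tool</title>
<link>https://example.invalid/cve/3</link><guid>https://example.invalid/cve/3</guid></item>
</channel></rss>"""

WATCH_LIST = ["linux_kernel", "openssl"]  # package names taken from the SBOM

def parse_feed(xml_text: str) -> List[Dict[str, str]]:
    """Return feed items as dicts; guid falls back to link when absent."""
    # For feeds you do not control, parse with defusedxml rather than plain ET.
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iter("item"):
        link = (item.findtext("link") or "").strip()
        items.append({"guid": (item.findtext("guid") or link).strip(),
                      "title": (item.findtext("title") or "").strip(),
                      "link": link})
    return items

def relevant(items: List[Dict[str, str]], watch: List[str]) -> List[Dict[str, str]]:
    """Keep items whose title mentions a watched package (case-insensitive)."""
    return [i for i in items if any(p.lower() in i["title"].lower() for p in watch)]

def new_items(items: List[Dict[str, str]], seen: Set[str]) -> List[Dict[str, str]]:
    """Return unseen items and record them so the next poll skips them."""
    fresh = [i for i in items if i["guid"] not in seen]
    seen.update(i["guid"] for i in fresh)
    return fresh

def poll(xml_text: str, seen: Set[str], watch: List[str] = WATCH_LIST) -> List[str]:
    """One polling cycle: returns the alert lines to post to Slack or similar."""
    fresh = new_items(relevant(parse_feed(xml_text), watch), seen)
    return [f"New vulnerability: {i['title']} {i['link']}" for i in fresh]
```

Persist the `seen` set between runs (a file or small database) so a restart of the poller does not re-announce old entries.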


Commercial Tools for Monitoring


Unfortunately I don't have much experience with the commercial tools. I have tried to survey some folks in the past, but what I am going to relay here is based mostly on internet searches. One comment first: not that anyone is likely to think that I am using this blog to make money, but if I mention a product or service on here, please know that I am not getting any payment for that mention. I am paying the modest internet hosting and domain registration fees out of pocket.


The tools that I am able to find seem to do all of the work discussed so far in this blog post. They create your SBOM and show the related vulnerabilities. The category of tools is called Software Composition Analysis (SCA). For example, one product I have seen demonstrated is Black Duck by Synopsys. BTW, I can say that Synopsys is a good company. I have used other software in their portfolio and have been involved with some of their services. Black Duck seems to be focused on the SBOM and open source license management which is less interesting to me. For a medical device, I generally know what OTS software I am using and what the licenses are. Black Duck also has something they call 'Advisories' which comes from vulnerability monitoring. That is more interesting to me. They say it finds things before they hit the official CVE lists mentioned above. Other SCA companies that came up in my search are White Source, Revenera, Fossa and others. Here is a list that someone at sourceforge.net put together.


Other Sources


It is good to subscribe to some other sources for vulnerabilities as well. Examples might be an information sharing and analysis organization (ISAO) such as H-ISAC, or other sources such as medtechintelligence.com.


Trouble


White hat hacker Taylor Swift has premonitions about trouble regarding certain OTS components. She says "I knew you were trouble when you walked in." So, let's say you have your monitoring in place and you log in to your computer on Monday morning and there is trouble: a new vulnerability alert. What do you do? (Of course, you *want* to close your computer and ignore it, but that is probably not a good idea.) What I have seen work pretty well is just to dole out the investigation of new reports round-robin among the group. You can use an Agile board for progress tracking. In my experience, most of the new vulnerabilities don't apply. Maybe there is a vulnerability with FTP in your network stack, but you don't use FTP. Timing-wise, you want these investigations to occur pretty quickly because, as I discussed in a previous post, you only have 30 days to notify your customers and 60 days to fix and deploy if there is something bad. For those new vulnerabilities that do not apply, I recommend a quarterly meeting with a report, perhaps combined with an anomaly review or similar, to document what was reviewed.


Summary


Monitoring for cybersecurity vulnerabilities is an important piece of your postmarket cybersecurity process. As I discussed in a previous post, the timing is tight to get things fixed, so knowing about an issue early is important. I have heard of hospitals with a device's open source SBOM notifying a medical device manufacturer about an issue that the manufacturer did not even know about because they were not monitoring.


Hopefully this will help you with your process. Please let me know if you have any comments.


1 Comment


Shane Duffy
Feb 16, 2021

There are some relatively easy ways of automating the scans for new CVEs listed; this could be tied to an automated tool like your CI pipeline and set up for scheduled runs/builds, and then use the normal reporting formats like JUnit XML to get other tools to understand the new additions by graphing and alerting. A base building block for reference: https://github.com/DanBeard/LibScanner



©2021 by Erik Moore
