With the recent cyberattacks that have hit essential industries throughout the United States, workforce training and cybersecurity research have become even more critical. A timely joint effort from the FDA and the UCSF-Stanford’s Center of Excellence in Regulatory Science Innovation (CERSI) to educate the biomedical engineering and manufacturing communities in cybersecurity has resulted in a Cybersecurity Seminar Series. One of the recent webinars “Cybersecurity for Biomedical Engineering,” addresses what the biomedical engineering field can learn from research and academic programs in embedded cybersecurity.
The speaker, Kevin T. Kornegay, PhD, is the IoT security professor and director of the Cybersecurity Assurance and Policy (CAP) Center for Academic Excellence in the Electrical and Computer Engineering Department at Morgan State University in Baltimore, MD. Kornegay explained the CAP Center’s role in the medical field, which is to “provide the defense and intelligence community with the knowledge, methodology, solutions, and highly skilled cybersecurity professionals to mitigate penetration and manipulation of our nation’s cyber-physical infrastructure,” according to Kornegay.
|PACK EXPO International Returns with Eight New Show Additions|
The students in the program learn how to ensure the safety and effectiveness of medical devices, pharmaceutical products, and more, in part through the dual purpose of the CAP Center with research. Embedded cybersecurity is currently being emphasized as cyberattacks on technology within medical products are becoming increasingly prominent.
Embedded systems operate inside physical objects connected to the Internet of Things (IoT) to perform dedicated functions within larger mechanical or electrical systems for industries such as medical products and pharmaceuticals. Critical infrastructure then becomes dependent on its embedded systems for distributed control, tracking, data collection, and other uses, which makes these systems targets to hacking, intrusion, and physical tampering.
Moments where embedded systems become vulnerable listed in the webinar included:
- Hardware implementations
- Software and firmware bugs
- Protocol and standard implementation
- System integration
- User errors (due to the use of default passwords, phishing attacks, etc.)
Kornegay further explained that hackers are skilled in understanding the weaknesses and vulnerabilities of the systems. In a medical environment involving apps on patients’ smart devices, collecting data to send to the cloud where medical providers can gain access, hackers who break through to control IoT devices in such an environment can prevent communications, holding patient information hostage, among other things.
There is a multitude of ways that hackers can attack a system, using intended channels, such as keyboards, screens, Bluetooth, and WiFi, and unintended channels, such as power consumption, EM radiation, sound, and temperature. And their attacks can be passive (analyzing device behavior) or active (changing device behavior). Many attacks can be prevented through employee training, though taking other cybersecurity measures lessens the chance of attackers finding a way in. However, security is an additional layer of cost and it lengthens the product to market cycle which deters some companies from investing in such safety measures.
Kornegay asserted that the current solutions the industry relies on for protection are not viable long-term and should be replaced with transformative solutions.
“You’ve seen in the media many instances of various types of cyberattacks on our supply chain and various infrastructures,” said Kornegay. “But our tactic to addressing the problem is to utilize reverse engineering techniques to assess the assurance of these embedded systems, because embedded systems are the heart of many systems.”
At Morgan University’s CAP Center, the students are researching and proofing security methods spanning from the edge, where devices reside, to the cloud. The center’s facilities range from labs to a zero trust data center to their own IT department separate from the university’s.
Morgan University’s workforce development plan helps them recruit talented students, starting with summer courses for middle schoolers and high school programs. The university has achieved a 30% women ratio in the program and plans to grow and sustain an even higher ratio through the workforce development plan.
The program and Center receive funding from and partner with organizations such as:
- National Science Foundation (SaTC Frontier, CyberCorps, NRT, EIR)
- National Security Agency (research & cybersecurity directorates)
- NIST Prep Program
- NASA Jet Propulsion Laboratory
- JHU Applied Physics Labs—Smart campus
- Northrop Grumman—IoT security and RF fingerprinting
Kornegay expressed that the program is looking to involve more medical companies in its capstone projects. “The way to have access to our students is to establish a partnership with us,” he said. “Our five Ph.D. students graduating in May are going to NSA, JHUAPL, NIST, and MITRE. So become a partner and get in line.”
|unPACKed with PMMI Podcast: Don’t be the Reason your Company is Attacked|
For those seasoned engineers already working in the field who want to do training to improve their knowledge and abilities with the latest research findings, Kornegay listed opportunities including workshops, training segments, talks offered at other universities such as OSU, and certifications. Helping professionals transition into this space is as essential as educating the future workforce. He further suggested opening a dialogue with your cybersecurity colleagues to increase knowledge and understanding of cyberattacks and to diversify research teams as data shows that diversified teams lead to better solutions.
View the webinar on YouTube here: “Cybersecurity for Biomedical Engineering.”