sphinx-project.eu / Blog  / SPHINX Use Cases: Part III

SPHINX Use Cases: Part III

Continue from blog entry SPHINX Use Cases: Part II

Through the following classification of use cases, SPHINX aims to better understand how threats, risks and vulnerabilities are manifested, as well as how prevention, recovery and mitigation actions can be improved.

Tampering with Medical Devices

Descritpion: A device supplier aims to discredit its major competitors. The supplier is aware that medical devices are subjected to thorough testing procedures, followed by strict certification processes that are time and effort consuming. Planning to tamper with its competitors’ medical devices, the device supplier finds a care centre employee that is extremely displeased with the management and approaches the employee, offering a financial reward for the execution of the attack. The plan is to release a virus using a USB stick that only targets specific medical devices from competitors.

Since the employee has physical access to several medical devices in the care centre, the attack is easily conducted, with the USB stick containing the virus being plugged to several medical devices, causing the virus’ activation and propagation throughout the network. In a matter of hours, the virusinfected most of the medical devices at the care centre, causing malfunctions, continuous reboots and wrong measurements.

The care centre’s management issues several formal complaints and terminates business relations with three devices suppliers, who endure a significant reputation loss. Until the devices are repaired, the care centre is limited in the quality of healthcare services it provides to its users.

Attack Impact: This attack  impacts the care centre’s operations, causing a loss of availability of specific healthcare services and the violation of the integrity of the users’ data, following the use of the infected medical devices. The attack affects the healthcare organisation (the care centre) and its users, as the care centre no longer provides specific healthcare services. Further, also the care centre’s medical device suppliers are deeply affected by the attack, once the information is leaked and other customers demanded security assessments. The attack’s expected recovery time is estimated to be 5 working days, depending on the time spent to identify the infected medical devices and have them repaired, as well as on the effort required to reset the affected users’ records.

SPHINX Role and Added-value Benefits: The SPHINX System is relevant in the cybersecurity certification of the medical devices and equipment (SPHINX 3rd party APIs and sandbox  tools) before being deployed in operational environments (i.e., the care centre), in the identification of vulnerable critical assets (SPHINX vulnerability assessment and real-time cyber risk assessment tool), in the early detection of  attacks by identifying the compromised devices (SPHINX anomaly detection tool), in the isolation of the affected devices, preventing the spreading of the virus throughout the network (SPHINX sandbox tool), in the prompt alerting of relevant IT staff as soon as the attack is detected (via the SPHINX interactive dashboard tool), in the presentation of a detailed report on the cyber attack (SPHINX security information and event management, forensic analysis and analytical engine tools) and in the delivery of decision support instructions to the IT department staff on how to proceed to trigger and implement the adequate recovery and mitigation procedures, including blocking the attack (SPHINX decision support tool).

Ransomware Attack to Healthcare Data

Descritpion: A criminal organisation plans a large-scale ransomware attack targeting healthcare data, for it is a highly valuable asset and healthcare service providers are willing to pay so that their multi-million business is not disrupted. Targeting a global healthcare service provider, with a large network of hospitals, clinics and laboratories, the cybercriminals develop a new sophisticated cryptoworm to infect file systems and lock access to infected computers. Unless the requested amount of money in virtual currency is paid to a specific account, the
healthcare data of millions of patients will be forever lost, seriously compromising their healthcare treatment outcomes and quality of life.

The healthcare service provider rapidly notices the presence and effects of the cryptoworm. At each facility, the IT department starts working hard to shut down the network, disconnect all computers and proceed with their reinstallation. The latest backups are used to restore the organisation’s databases, although the amount of records lost depend on the backup policy of each hospital, clinic and laboratory. Meanwhile, the healthcare organisations have to revert to paper-based operations and cannot perform specific interventions requiring IT
assets (e.g., diagnoses and database access).

Attack Impact: The healthcare service provider’s operations are imopacted, causing a loss of availability of healthcare databases, patient data and of healthcare services, namely those requiring IT-based systems. The attack affects the healthcare organisation (different hospitals,
clinics and laboratories) and its patients, as they no longer are able to receive specific healthcare services. The attack’s expected recovery time is estimated to be 1 or 2 months, depending on the extent of the infection and on the time spent to reinstall the backup files to reset the encrypted data and to adopt secure protocols for file sharing across the different hospitals, clinics and laboratories.

SPHINX Role and Added-value Benefits: The SPHINX System is relevant in the identification of vulnerable critical assets, including with respect to adopted network sharing protocols(SPHINX vulnerability assessment, real-time cyber risk assessment and security protocol analysis tools), in the early detection of attacks by identifying the compromised computers (SPHINX data traffic monitoring, anomaly detection and intrusion detection tools), isolating them and preventing the spreading of the cryptoworm throughout the network (SPHINX sandbox tool), in the prompt alerting of relevant IT staff as soon as the attack is detected (via the SPHINX interactive dashboard tool), in the presentation of a detailed report on the cyber attack (SPHINX security information and event management, forensic analysis and analytical engine tools) and in the delivery of decision support instructions to the IT department staff on how to proceed to trigger and implement the adequate recovery and mitigation procedures, including blocking the attack (SPHINX decision support tool).

More information about the SPHINX use cases can be found in Deliverable 2.4 that is publicly available here.