With recent cyberattacks hitting critical industries across the United States, workforce training and cybersecurity research have become even more critical. A timely joint effort by the FDA and the Center of Excellence in Regulatory Science Innovation (CERSI) at UCSF-Stanford to educate the biomedical engineering and manufacturing communities about cybersecurity has resulted in a series of seminars on cybersecurity. One of the recent “Cybersecurity for Biomedical Engineering” webinars discusses what the biomedical engineering field can learn from research and academic programs in embedded cybersecurity.
The speaker, Kevin T. Kornegay, PhD, is Professor of IoT Security and Director of the Center of Academic Excellence in Cybersecurity Assurance and Policy (CAP) in the Department of Electrical and Computer Engineering at Morgan State University in Baltimore , MD. Kornegay explained the CAP Center’s role in the medical field, which is to “provide the defense and intelligence community with the knowledge, methodology, solutions and highly trained cybersecurity professionals to mitigate penetration and manipulation. our country’s cyber-physical infrastructure,” according to Kornegay.
Students in the program learn how to ensure the safety and effectiveness of medical devices, pharmaceuticals, and more, in part through the CAP Center’s dual focus with research. Integrated cybersecurity is currently in the spotlight as cyberattacks on medical product technology become increasingly important.
Embedded systems operate inside physical objects connected to the Internet of Things (IoT) to perform dedicated functions within larger mechanical or electrical systems for industries such as medical and pharmaceuticals. Critical infrastructure then becomes dependent on its embedded systems for distributed control, monitoring, data collection, and other uses, making these systems targets for hacking, intrusion, and physical tampering.
The times when embedded systems become vulnerable listed in the webinar include:
- Hardware implementations
- Software and firmware bugs
- Protocol and standard implementation
- Integration system
- User errors (due to use of default passwords, phishing attacks, etc.)
Kornegay further explained that hackers are adept at understanding weaknesses and vulnerabilities in systems. In a medical environment involving applications on patients’ smart devices, collecting data to be sent to the cloud where medical providers can access, hackers who intrude to control IoT devices in such an environment may prevent communications, by holding patient information hostage, among other things. .
There are a myriad of ways hackers can attack a system, using intended channels, such as keyboards, displays, Bluetooth, and WiFi, and unintended channels, such as power consumption, electromagnetic radiation, sound and temperature. And their attacks can be passive (analyzing device behavior) or active (modifying device behavior). Many attacks can be prevented with employee training, although taking other cybersecurity measures reduces the chances of attackers finding a way in. However, security is an additional cost layer and it lengthens the product-to-market cycle, which deters some companies from investing in such security. measures.
Kornegay asserted that the current solutions the industry relies on to protect itself are not sustainable in the long term and should be replaced with transformative ones.
“You’ve seen in the media many instances of various types of cyberattacks on our supply chain and various infrastructure,” Kornegay said. “But our tactic to solve the problem is to use reverse engineering techniques to assess the assurance of these embedded systems, because embedded systems are at the heart of many systems.”
At Morgan University’s CAP Center, students research and test security methods from the edge, where devices reside, to the cloud. The center’s facilities range from labs to a zero-trust data center to their own IT department separate from that of the university.
Morgan University’s Workforce Development Plan helps them recruit talented students, starting with middle school summer courses and high school programs. The university has achieved a 30% female ratio in the program and plans to increase and maintain an even higher ratio through the workforce development plan.
The program and Center receive funding from and partner with organizations such as:
- National Science Foundation (SaTC Frontier, CyberCorps, NRT, EIR)
- National Security Agency (research and cybersecurity departments)
- NIST Prep Program
- NASA Jet Propulsion Laboratory
- JHU Applied Physics Laboratories – Smart Campus
- Northrop Grumman—IoT Security and RF Footprint
Kornegay said the program is looking to involve more medical companies in its capstone projects. “The way to get access to our students is to partner with us,” he said. “Our five doctorates. students graduating in May go to the NSA, JHUAPL, NIST, and MITER. So become a partner and get in line.
For seasoned engineers already working in the field who wish to undergo training to enhance their knowledge and capabilities with the latest research findings, Kornegay has listed opportunities including workshops, training segments, lectures offered at other universities such as OSU and certifications. Helping professionals transition into this space is as essential as training the future workforce. He further suggested opening a dialogue with your cybersecurity colleagues to increase knowledge and understanding of cyberattacks and to diversify research teams, as data shows that diverse teams lead to better solutions.
Watch the webinar on YouTube here: “Cybersecurity for Biomedical Engineering”.