FIRE: A Finely Integrated Risk Evaluation Methodology for Life-Critical Embedded Systems

Aakarsh Rao, Nadir A. Carreón, Roman L Lysecky, Jerzy Rozenblit

Research output: Contribution to journal › Article › peer-review

Abstract

Life-critical embedded systems, including medical devices, are becoming increasingly interconnected and interoperable, providing great efficiency to the healthcare ecosystem. These systems incorporate complex software that plays a significantly integrative and critical role. However, this complexity substantially increases the potential for cybersecurity threats, which directly impact patients’ safety and privacy. With software continuing to play a fundamental role in life-critical embedded systems, maintaining its trustworthiness by incorporating fail-safe modes via a multimodal design is essential. Comprehensive and proactive evaluation and management of cybersecurity risks are essential from the very design to deployment and long-term management. In this paper, we present FIRE, a finely integrated risk evaluation methodology for life-critical embedded systems. Security risks are carefully evaluated in a bottom-up approach from operations-to-system modes by adopting and expanding well-established vulnerability scoring schemes for life-critical systems, considering the impact to patient health and data sensitivity. FIRE combines a static risk evaluation with runtime dynamic risk evaluation to establish comprehensive risk management throughout the lifecycle of the life-critical embedded system. We demonstrate the details and effectiveness of our methodology in systematically evaluating risks and conditions for risk mitigation with a smart connected insulin pump case study. Under normal conditions and eight different malware threats, the experimental results demonstrate effective threat mitigation by mode switching with a 0% false-positive mode switching rate.

Original language: English (US)
Article number: 487
Journal: Information (Switzerland)
Volume: 13
Issue number: 10
State: Published - Oct 2022

Keywords

  • life-critical embedded systems
  • medical device security
  • modeling and simulation
  • security risk assessment
  • security risk management
  • threat mitigation

ASJC Scopus subject areas

  • Information Systems
