Cars, toasters, medical devices add to DHS’ cyber headaches

Listen to part 1 of Jason's interview with Doug Maughan.

Jason Miller | April 17, 2015 9:10 pm

Cars, medical devices and even toasters are among the facets of life that are quickly becoming Internet based. This is why the Homeland Security Department already is working on cybersecurity technologies for these and many other everyday devices.

Doug Maughan, the director of DHS’ Science and Technology Directorate’s Cybersecurity Division, said the largest number of white papers received from the June broad agency announcement to award $95 million in cyber research and development funding came under the cyber physical systems area..

“This is really an up-in-coming topic if you think about automotive. Your car is nothing more than a computer on wheels. If you think about medical devices, airlines and critical infrastructure,” Maughan said in a recent exclusive interview with Federal News Radio. “We are looking at it on two fronts. One is on the forensics front to analyze the data in the car if needed for forensics purposes. The other one is we are working with automotive manufacturers in developing standards that they can require of their third-party vendors so we can make cars more secure from the standpoint of remote access.”

He said there have been several demonstrations over the last few years where outside hackers showed how they could take over the car’s network to control the gas pedal or the brakes.

Advertisement

TrendMicro reported in August 2013, “Successfully executing a technically demanding car hack has become a badge of distinction for the few cybercriminals skilled enough to hijack a vehicle using only a laptop.”

The cybersecurity company said car hacking was first raised as an issue in 2010 when a group of university researchers published details about system exploits in cars.

In 2013, two researchers funded by the Defense Advanced Research Projects Agency (DARPA) showed how hackers could gain access to 2010 models of the Toyota Prius and Ford Escape by simply getting the driver or passenger to connect to a particular Bluetooth handset or play a specific optical disc.

Partnering with HHS to secure medical devices

Maughan said these demonstrations helped convince the car manufacturers to see the potential risks.

“They are now on board and working very closely with us and realize that they need to take the necessary steps to create more secure components with their automobiles,” he said.

In fact, in September GM created a new cybersecurity official to oversee product design and development.

Along with cyber physical critical systems, DHS asked for research and development ideas in the BAA around data privacy, mobile device security and distributed denial of service defense.

He said S&T received more than 300 white papers from industry, academia and international experts, and chose 70 to submit proposals. DHS will review those proposals and make 25-30 new research and development contract awards with a ceiling of $95 million by early 2015.

With the attention and excitement around physical cyber systems, DHS S&T also is partnering with the Health and Human Services Department and the Food and Drug Administration to fund research around protecting medical devices.

In fact, DHS worked with the FDA when it held a workshop Oct. 21-22, seeking input from industry and other experts on how to best promote medical device cybersecurity. The workshop was one of several ongoing efforts to lead the collaboration and coordination of cybersecurity standards for medical devices.

“They are not a big R&D organization as it applies to cybersecurity,” he said. “We anticipate funding research jointly in trying to address some of those problems. They do have serious concerns as well because a lot of vendors in that space haven’t really thought about this problem. The time to tackle it is now.”

Maughan said the HHS/FDA and DHS S&T partnership is fairly new and similar to others they have across the government.

“My anticipation is that we will develop a R&D agenda and this gives them an opportunity to bring the vendor community into the discussion,” he said. “Part of the workshop is the first step to educate the health care and medical sector, particularly the device manufacturers about the current vulnerabilities and the needs the sector has to build more secure systems.”

Cyber crime fighters

Maughan said while the BAA is just getting off the ground, there are several other promising efforts that have been ongoing for years.

“Our most growing program is in the area of cyber crime, and creating technologies to support the law enforcement community and their mission to defeat cyber crime,” he said. “The criminals often have the latest and greatest technologies, and we are trying to work with our law enforcement partners here at DHS as well as state and locals to create the technologies they can use in the fight against cyber crime.”

Maughan said law enforcement officers are looking for technologies to help them more quickly and more effectively pull data off of devices as well as networking technologies.

“The criminals are using things like Tor and other underground networks. Our law enforcement partners need to be able to get access into those networks and extract information and analyze that information as well,” he said. “It’s not as much ultra violet scanning as you see on CSI, but there’s still plenty of technologies needed to help them on their mission.”

DHS S&T also is seeing benefits from an earlier BAA for cyber technologies. S&T awarded 34 contracts to 29 organizations worth about $40 million in 2012. Now two years later, some of those technologies are coming to the market.

“A product that came out of the University of Illinois and it has spun out into a start-up company that looks at the ability to measure the compliance of controls systems as it applies to the NERC Critical Infrastructure Protection standards,” Maughan said. “It’s helping the electric sector and other sectors that are required to adhere to these standards. It’s a tool that can be used by both operations people at a company, but also by an auditor from the government who could go into this network and very quickly determine if the company is complying with these standards.”

A second technology that is coming to market is from Columbia University, which looks at the vulnerabilities in embedded devices like printers or phones. Maughan said the software can be embedded into these devices and protect them from hackers.

He said printers have enough processing power that it could be used in bad ways as a botnet or to get into the broader network.

“The goal of this technology is working with the manufacturers of these devices so they create essentially a way to make all the devices look different,” he said. “So if I’m a bad guy and I get into one printer, that method will not work in another printer because every printer is almost like a random difference from every other printer. It’s really interesting technology. It’s not just printers, but anything that can be connected to the Internet.”

Click here to listen to part 2 of Jason Miller’s interview with Doug Maughan and read the related article.

RELATED STORIES:

DHS S&T antes up $95M for cyber research, development

FDA checking high-risk medical apps for safety

DHS Science and Technology seeks help to find its North Star

DHS pitches cyber projects to Silicon Valley, eyes commercialization