Securing Pacemakers using Runtime Monitors over Physiological Signals

Impact Factor 2.8 | CAS Zone 3 (Computer Science) | JCR Q2, COMPUTER SCIENCE, HARDWARE & ARCHITECTURE
Abhinandan Panda, Srinivas Pinisetty, Partha Roop
DOI: 10.1145/3638286 (https://doi.org/10.1145/3638286)
Journal: ACM Transactions on Embedded Computing Systems, volume 44, no. 1
Published: 2024-01-06 (journal article)
Citations: 0

Abstract

Wearable and implantable medical devices (IMDs) are increasingly deployed to diagnose, monitor, and provide therapy for critical medical conditions. Such medical devices are safety-critical cyber-physical systems (CPSs). These systems support wireless features introducing potential security vulnerabilities. Although these devices undergo rigorous safety certification processes, runtime security attacks are inevitable. Based on published literature, IMDs such as pacemakers and insulin infusion systems can be remotely controlled to inject deadly electric shocks and excess insulin, posing a threat to a patient’s life. While prior works based on formal methods have been proposed to detect potential attack vectors using different forms of static analysis, these have limitations in preventing attacks at runtime.

This paper discusses a formal framework for detecting cyber-physical attacks on a pacemaker by monitoring its security policies at runtime. We propose a wearable device that senses the Electrocardiogram (ECG) and Photoplethysmogram (PPG) of the body to detect attacks in a pacemaker. To facilitate the design of this device, we map the security policies of a pacemaker with respect to ECG and PPG, paving the way for designing formal verification monitors for pacemakers for the first time using multiple physiological signals. The proposed monitoring framework allows the synthesis of parallel monitors from a given set of desired security policies, where all the monitors execute concurrently and generate an alarm to the user in the case of policy violation. Our implementation and the performance evaluation results demonstrate the technical feasibility of designing such a wearable device for attack detection in pacemakers. This device is separate from the pacemaker, ensuring no need for re-certification of pacemakers. Our approach is amenable to the application of security patches when new attack vectors are detected, making the approach ideal for runtime monitoring of medical CPSs.

Source journal

ACM Transactions on Embedded Computing Systems (Engineering and Technology: Computer Science, Software Engineering)

CiteScore: 3.70
Self-citation rate: 0.00%
Articles published: 138
Review time: 6 months

Journal description: The design of embedded computing systems, both the software and hardware, increasingly relies on sophisticated algorithms, analytical models, and methodologies. ACM Transactions on Embedded Computing Systems (TECS) aims to present the leading work relating to the analysis, design, behavior, and experience with embedded computing systems.