Digital Bond

For Secure & Robust ICS

What Do You Want To Ask Justine Bone of MedSec?

by Leave a Comment

Submit and Vote on Questions for Justine Bone of MedSec

I am pleased to announce that Justine Bone of MedSec agreed to an interview on the Main Stage at S4x17. Vulnerability disclosure is and has been a contentious topic in ICS. I generally don’t write much about it because the person or organization that finds the vulnerability decides what is the responsible and appropriate disclosure. Full stop.

We have seen all sorts of disclosure approaches at S4, and even had a bit of a controversy ourselves around pointing out insecure by design issues in PLC’s and RTU’s as part of Project Basecamp at S4x12. However this or any other type of disclosure has not been as aggressive and controversial as the MedSec/Muddy Waters disclosures of vulnerabilities in St. Jude Medical’s devices.

MedSec had performed assessments on a variety of medical devices over 18 months and felt that St. Jude “stood out as lagging far behind” in security. You can see some demonstrations of the security issues at the profitsoverpatients.com site. Now the question was what to do with this information. Justine wrote:

In order to help address patient safety, we have chosen to depart from standard cyber security operating procedures in order to bring this to the public’s attention and to ensure that St Jude Medical responds appropriately and with urgency. We have shared our research with an investment firm, Muddy Waters Capital, that is helping us deliver this message.

The time has come for us to re-think the way cyber security is managed. We acknowledge that our departure from traditional cyber security practices will draw criticism, but we believe this is the only way to spur St Jude Medical into action. Most importantly, we believe that both potential and existing patients have a right to know about their risks. Consumers need to start demanding transparency from these device manufacturers, especially as it applies to the quality and functionality of their products.

Muddy Waters publicly shorted the stock and issued analysis saying they expected revenue to decrease up to 50% over the next two years due to recalls and remediation costs, and “MedSec is receiving compensation related to investment profits from the funds Muddy Waters manages”.

There are a lot of questions around this approach in terms of legality, ethics, disclosing vulnerabilities without detail, effectiveness in getting the issues fixed, impact on the security research community and much more. I will have no difficulty coming up with questions to fill the 30 minute interview, but we decided to open this up to the ICS security community. What would you like to see Justine Bone asked in the onstage interview?

You can submit your question as well as view and vote on other submitted questions at this link.

See the S4x17 Agenda At A Glance and Register for S4x17 … Jan 10-12 in Miami South Beach

Image: Blausen.com staff. “Blausen gallery 2014“. Wikiversity Journal of Medicine. DOI:10.15347/wjm/2014.010. ISSN 20018762

About Us

Digital Bond was founded in 1998 and performed our first control system security assessment in the year 2000. Over the last sixteen years we have helped many asset owners and vendors improve the security and reliability of their ICS, and our S4 events are an opportunity for technical experts and thought leaders to connect and move the ICS community forward.

Recent Comments