Digital Bond

For Secure & Robust ICS


What Do You Want To Ask Justine Bone of MedSec?

November 28, 2016 by Dale Peterson

Submit and Vote on Questions for Justine Bone of MedSec

I am pleased to announce that Justine Bone of MedSec agreed to an interview on the Main Stage at S4x17. Vulnerability disclosure is and has been a contentious topic in ICS. I generally don’t write much about it because the person or organization that finds the vulnerability decides what responsible and appropriate disclosure is. Full stop.

We have seen all sorts of disclosure approaches at S4, and even had a bit of a controversy ourselves around pointing out insecure-by-design issues in PLCs and RTUs as part of Project Basecamp at S4x12. However, neither this nor any other type of disclosure has been as aggressive and controversial as the MedSec/Muddy Waters disclosures of vulnerabilities in St. Jude Medical’s devices.

MedSec had performed assessments on a variety of medical devices over 18 months and felt that St. Jude “stood out as lagging far behind” in security. You can see some demonstrations of the security issues at the profitsoverpatients.com site. Now the question was what to do with this information. Justine wrote:

In order to help address patient safety, we have chosen to depart from standard cyber security operating procedures in order to bring this to the public’s attention and to ensure that St Jude Medical responds appropriately and with urgency. We have shared our research with an investment firm, Muddy Waters Capital, that is helping us deliver this message.

The time has come for us to re-think the way cyber security is managed. We acknowledge that our departure from traditional cyber security practices will draw criticism, but we believe this is the only way to spur St Jude Medical into action. Most importantly, we believe that both potential and existing patients have a right to know about their risks. Consumers need to start demanding transparency from these device manufacturers, especially as it applies to the quality and functionality of their products.

Muddy Waters publicly shorted the stock and issued analysis saying they expected revenue to decrease up to 50% over the next two years due to recalls and remediation costs, and “MedSec is receiving compensation related to investment profits from the funds Muddy Waters manages”.

There are a lot of questions around this approach in terms of legality, ethics, disclosing vulnerabilities without detail, effectiveness in getting the issues fixed, impact on the security research community and much more. I will have no difficulty coming up with questions to fill the 30-minute interview, but we decided to open this up to the ICS security community. What would you like to see Justine Bone asked in the onstage interview?

You can submit your question as well as view and vote on other submitted questions at this link.

See the S4x17 Agenda At A Glance and Register for S4x17 … Jan 10-12 in Miami South Beach

Image: Blausen.com staff. “Blausen gallery 2014“. Wikiversity Journal of Medicine. DOI:10.15347/wjm/2014.010. ISSN 20018762
