FDA vulnerability grading system proves all risk not created equal

The Food and Drug Administration this week added a new vulnerability grading system designed specifically for medical devices to its list of medical device development tools (MDDTs) – essentially giving it a final vote of approval as a scientifically valid metric.  

It’s a long-expected move.  The new rubric, developed for the FDA by MITRE, was first released last year and emphasizes risk to patients rather than ease and scope of exploitation. The concept has been praised by vendors, regulators and researchers alike, as an approach that emphasizes the importance of a common language for risk in the disclosure process. And, they say, it is a model other sectors might want to invest in.  

If you were to break it into a mathematic equation, risk is impact multiplied by probability. If something is extremely likely to happen, it’s probably a high risk. The traditional measure of the threat of a vulnerability, the Common Vulnerability Scoring System, is largely based on the probability someone might exploit something.  

CVSS was not, however, designed to measure the depth of impact that a vulnerable medical device might have. Someone hacking a pacemaker can kill them. Even if it is low probability, the impact is unacceptable. But without a common metric, it’s almost impossible for researchers and vendors to discuss how much impact a vulnerability packs.  

“Often times, there’s a lot of back and forth about what a vulnerability means,” said Penny Chase, a senior principal scientist at MITRE who worked on the rubric.  

The new rubric, treated as an add on to CVSS, takes all risk into account. 

MITRE published its first version of the metric in January of 2019. But, without the FDA’s MDDT decision,  CyberMDX head of research Elad Luz submitted vulnerabilities to device manufacturers this year and had the new scoring system turned away.  

“Vendors rejected the rubric as a draft. But now on I expect they’ll accept it,” said Luz.  

The FDA, notes Chase, is loath to outright issue new requirements to tell companies how to do something. Announcing acceptance of a new tool or initiative, however, is generally interpreted as a more-than-gentle nudge to either use it, or do something very similar.  

The change in accounting can make a big difference in scores. 

Last year, Luz reported to GE CVE-2019-10966, a vulnerability in certain anesthesia machines that the company then mitigated. It scored as an almost perfectly medium risk – 5.3 on the traditional CVSS scale. But, despite the score, anyone exploiting the flaw could put a patient at serious risk tampering with the composition of gasses and pressures. By Luz’s math, the new rubric gives the vulnerability a 9.1. 

Changing the way companies evaluate the severity of risk changes how they prioritize which bugs to stomp out in which order.  

Chase said during the pilot program testing the rubric, vendors reported it also changed how they approached patching a problem. Rather than addressing a single issue, she said, they might address preventing a possible outcome from any issue.  

There are arguments against risk-based models. Thaddeus Bender, a security solutions architect at the bug bounty platform HackerOne, said that the concept of risk can seem fuzzy and hard to prove. But risk is by and large a well accepted concept, especially when backed by a regulatory agency like the FDA.  

Chase, Bender and several other experts believe that several other industries could benefit by similar sector-specific rubrics. Any industry where a cyberattack could risk safety, physical damage or even uptime might benefit from their own addition to the CVSS.  

“It would be particularly useful in small and medium-sized companies,” said Kurt John, chief cybersecurity officer at Siemens, noting that they often have less infrastructure to evaluate bugs. “But, even for Siemens.”  

Risk, he believes is an important concept to consider in vulnerability disclosure, but a tough one to generalize. You would need sector specific guidelines, he said, to avoid judging the risk to a food maker by power plant standards.  

“All industries need a Rosetta Stone – a way for researchers and industry to talk about risk in the same language,” said Casey Ellis, chief technology officer of the disclosure platform Bugcrowd.  

He added that standardize communication traditionally results in the identification of more vulnerabilities. 

For now, Ellis believes that just seeing the rubric pass the FDA is an accomplishment.

"2020 brought into focus how important medical devices are," he said.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.