Saturday, April 23, 2016

Comments on Postmarket Cybersecurity Guidance: The FDA Awakens

FDA's draft postmarket guidance on cybersecurity greatly improves beyond past approaches, but the devil is in the details
The deadline to submit comments on FDA's draft postmarket cybersecurity guidance came and went last week. Below is a copy of my comments to FDA.

My major recommendation pertains to language choice when describing postmarket risks so as to monitor for postmarket problems without falling victim to the streetlight effect. While network-based threats are a significant part of the problem, it's just one of many postmarket problems. There's a reason we don't write guidance on how to avoid flu by sneeze, then write a different guidance document on how to avoid flu by cough. By focusing instead on exposure to cybersecurity risk, the industry can better prepare for shifting threats whether it be by network, USB drive, telephone social engineering, or whatever fancy technology next comes out of Silicon Valley. To ensure that the postmarket guidance can remain relevant as technology and threats change, focus on overarching exposure rather than streetlight modalities.

I also advise manufacturers and HDOs to follow the NIST cybersecurity guidance for critical infrastructure. For example, (1) enumerate cybersecurity risks because deploying technology without understanding risk is counterproductive; (2) deploy cybersecurity controls that match the specific risks; and (3) continuously measure the effectiveness of the security controls because threats, vulnerabilities, and misconfigurations can bypass a previously effective control within seconds. For instance, if you just look for threats against your core reactor, you might forget about your thermal oscillator.

My letter is downloadable here.