So, how does one improve the cybersecurity of products like pacemakers or neural stimulators? Each vendor develops its own wireless interface for communicating with its devices, and every one of those external interfaces needs cybersecurity support.
I recommend developing security modules with a consistent design across each version of a protocol such as TLS. TLS is used to encrypt communications between browsers and web servers. It would be beneficial to have reusable, TLS-like modules that work across multiple browsers, operating systems, web servers, and IoT devices.
I would also like to see the physical and data link communication methods (wireless, Ethernet, Bluetooth, …) encapsulated. Security protocols, algorithms, and communication methods all change over time, which obsoletes products that were built around older communication and security models. Some critical software has its communication and security protocols embedded deep within the code, and that lack of modularity makes upgrading those protocols very difficult.
In order to reduce product risk, I recommend isolating these components into development modules. If the product needs some upgrades in its security or communication methods, then only the relevant modules need to be changed. The core of the product remains unaffected. This also greatly reduces the amount of unit and systems testing that is needed for the product.
So, building software modules that focus on specific algorithms and communication methods reduces product risk for past, current, and future products. Only those modules need updating, and unit and systems testing can be limited to the security and communications modules and the interfaces they expose to the core product modules.
By core product modules, I mean those that provide the functionality the product is purchased for. They are not the modules that handle communications to and from the product, nor the cybersecurity functions that protect critical data within the product in transit or at rest. These network and security modules do not provide the product's main functionality, and this holds for every product that has networking and cybersecurity interfaces.
These communications and cybersecurity modules may need to be archived for potentially decades to support fielded products whose communication methods and security protocols are now dated. The systems architecture and the core modules that integrate with the communications and cybersecurity systems may also need to be archived so that systems issues in older products can still be addressed in the future.
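The following is an added example, not code from the original post or from any device vendor, showing the modular structure argued for above: the core product module depends only on two small interfaces (a security module and a link module), so a new protocol generation is a new module rather than a change to the core, and archived generations stay selectable through a version registry for older fielded devices. All names (`security_module`, `link_module`, `security_module_for`, the `link-sec v1`/`v2` modules) are hypothetical; the protect/unprotect transforms are stand-ins that only tag and checksum a frame, where a real module would apply authenticated encryption with device keys.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* ---- Interfaces the core depends on (hypothetical names) ---------------- */
typedef struct {
    const char *name;
    uint32_t    version;                 /* protocol generation this module speaks */
    int (*protect)(const uint8_t *in, size_t in_len, uint8_t *out, size_t cap);
    int (*unprotect)(const uint8_t *in, size_t in_len, uint8_t *out, size_t cap);
} security_module;

typedef struct {
    const char *name;                    /* e.g. BLE, Ethernet, inductive telemetry */
    int (*send)(const uint8_t *frame, size_t len);
    int (*recv)(uint8_t *buf, size_t cap);
} link_module;

/* ---- Core product module: knows nothing about radios or cipher versions -- */
typedef struct { uint16_t rate_bpm; uint16_t battery_mv; } telemetry;

int core_send_telemetry(const security_module *sec, const link_module *link, const telemetry *t)
{
    uint8_t plain[4] = { (uint8_t)(t->rate_bpm >> 8), (uint8_t)t->rate_bpm,
                         (uint8_t)(t->battery_mv >> 8), (uint8_t)t->battery_mv };
    uint8_t frame[64];
    int n = sec->protect(plain, sizeof plain, frame, sizeof frame);
    if (n < 0) return -1;
    return link->send(frame, (size_t)n);
}

int core_recv_telemetry(const security_module *sec, const link_module *link, telemetry *t)
{
    uint8_t frame[64], plain[4];
    int n = link->recv(frame, sizeof frame);
    if (n < 0) return -1;
    int m = sec->unprotect(frame, (size_t)n, plain, sizeof plain);
    if (m != (int)sizeof plain) return -1;   /* rejects wrong version or bad check */
    t->rate_bpm   = (uint16_t)((plain[0] << 8) | plain[1]);
    t->battery_mv = (uint16_t)((plain[2] << 8) | plain[3]);
    return 0;
}

/* ---- Two generations of security module (stand-in transforms) ----------- */
static uint8_t checksum(const uint8_t *p, size_t n)
{
    uint8_t c = 0;
    while (n--) c ^= *p++;
    return c;
}

/* v1 layout: [tag=1][payload][checksum] */
static int v1_protect(const uint8_t *in, size_t n, uint8_t *out, size_t cap)
{
    if (cap < n + 2) return -1;
    out[0] = 1;
    memcpy(out + 1, in, n);
    out[n + 1] = checksum(in, n);
    return (int)(n + 2);
}
static int v1_unprotect(const uint8_t *in, size_t n, uint8_t *out, size_t cap)
{
    if (n < 2 || in[0] != 1 || cap < n - 2) return -1;
    if (checksum(in + 1, n - 2) != in[n - 1]) return -1;
    memcpy(out, in + 1, n - 2);
    return (int)(n - 2);
}

/* v2 layout changes the framing: [tag=2][len][checksum][payload] */
static int v2_protect(const uint8_t *in, size_t n, uint8_t *out, size_t cap)
{
    if (n > 255 || cap < n + 3) return -1;
    out[0] = 2; out[1] = (uint8_t)n; out[2] = checksum(in, n);
    memcpy(out + 3, in, n);
    return (int)(n + 3);
}
static int v2_unprotect(const uint8_t *in, size_t n, uint8_t *out, size_t cap)
{
    if (n < 3 || in[0] != 2 || in[1] != n - 3 || cap < in[1]) return -1;
    if (checksum(in + 3, in[1]) != in[2]) return -1;
    memcpy(out, in + 3, in[1]);
    return in[1];
}

static const security_module SEC_V1 = { "link-sec v1", 1, v1_protect, v1_unprotect };
static const security_module SEC_V2 = { "link-sec v2", 2, v2_protect, v2_unprotect };

/* Registry of archived generations: an old implant keeps using v1 while new
 * builds default to v2; the core module above is untouched either way. */
static const security_module *const REGISTRY[] = { &SEC_V1, &SEC_V2 };

const security_module *security_module_for(uint32_t version)
{
    for (size_t i = 0; i < sizeof REGISTRY / sizeof REGISTRY[0]; i++)
        if (REGISTRY[i]->version == version) return REGISTRY[i];
    return NULL;                         /* unknown generation: nothing to load */
}

/* ---- Loopback link: constructed stand-in for a real physical link -------- */
static uint8_t loop_buf[64];
static size_t  loop_len;
static int loop_send(const uint8_t *f, size_t n)
{
    if (n > sizeof loop_buf) return -1;
    memcpy(loop_buf, f, n); loop_len = n; return (int)n;
}
static int loop_recv(uint8_t *b, size_t cap)
{
    if (loop_len > cap) return -1;
    memcpy(b, loop_buf, loop_len); return (int)loop_len;
}
const link_module LINK_LOOP = { "loopback", loop_send, loop_recv };

/* Round-trip one record through a chosen protocol generation; 0 on success. */
int roundtrip(uint32_t version, const telemetry *in, telemetry *out)
{
    const security_module *sec = security_module_for(version);
    if (!sec) return -1;
    if (core_send_telemetry(sec, &LINK_LOOP, in) < 0) return -1;
    return core_recv_telemetry(sec, &LINK_LOOP, out);
}
```

The seam is the two ops tables: the core serializes and deserializes its telemetry and never names a transport or a protocol version, so retiring v1 or adding a v3 touches only the module and the registry, and regression testing can concentrate on the module and on the `protect`/`unprotect` and `send`/`recv` contracts. A frame built by one generation is rejected by the other, which is the behaviour an archived module must preserve when it is rebuilt years later for an older device.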