
Data-Centric Threat Modeling: A Case Study with Surgical Robots


In the rapidly evolving landscape of medical technology, surgical robots are becoming increasingly sophisticated and interconnected. With this advancement comes a critical need for robust cybersecurity measures to protect patient safety and sensitive medical data. Today, we'll explore a novel approach to securing these systems: data-centric threat modeling. Our approach is aligned with the FDA premarket guidance, which recommends threat modeling at an early stage of system design to help manage and respond to cyber threats.

As we delve into the world of surgical robots, keep in mind that the challenges and solutions we'll examine are mirrored in many other domains. The need for robust cybersecurity measures is paramount whether you're dealing with a surgical robot, an autonomous vehicle, a smart grid system, or a military drone. The data-centric threat modeling approach we discuss in this blog is applicable to any industry dealing with mission-critical, data-intensive systems.

The Surgical Robot System

To illustrate the principles of data-centric threat modeling, we'll use a surgical robot system as our primary example. Our surgical robot system consists of several interconnected components that form a distributed system and communicate via the Data Distribution Service (DDS) standard:

  • Surgical Robot Arm
  • Arm Controller / iPad Controller
  • Surgical Orchestrator
  • Patient Monitor
  • Video Camera

Figure 1: Architecture Overview of the Surgical Robot Demonstration. Excerpt from RTI MedTech demo video.

DDS-Security takes a data-centric approach: it secures the data in motion rather than the communication channels. This approach is well aligned with the requirements of a zero-trust architecture, and it provides more granular control and flexibility in protecting specific data elements. Distributed systems running DDS can define what data should be protected and how it should be protected. More importantly, security decisions can be modeled at design time and applied to the system through configuration files. No application-specific code is needed.

All these system components work together in perfect harmony. But what happens if the system is under attack?

Attack Scenarios

Let's consider some potential attack scenarios that could threaten the security and safety of our surgical robot system:

1. The Malicious Device Attack

Scenario: An attacker manages to introduce a malicious device into the hospital network, mimicking a legitimate patient monitoring system component. This rogue device starts injecting false data into the system. 

Potential Impact: Surgeons and automated systems might make incorrect decisions based on the false data, potentially endangering the patient's life.

2. The Network Insider Threat

Scenario: An employee with access to the Video Camera system attempts to steal sensitive patient data by intercepting data published by the Patient Monitor.

Potential Impact: This could lead to a serious breach of patient privacy, potentially exposing confidential medical information.

3. The Compromised Reader Attack

Scenario: An exploit of a software vulnerability compromised the Surgical Orchestrator device. The application running on the device was originally a legitimate reader authorized to read Arm Control commands. Therefore, it holds the key used to sign the topic messages. Now, it attempts to disrupt surgeries by sending signed shutdown commands to the robot arm.

Potential Impact: Unexpected movements of the surgical robot could cause serious harm to the patient during an operation.

Modeling Attacks with Data-Centric STRIDE

Now that we've examined some potential attack scenarios, let's explore how we can model these threats using a data-centric adaptation of the STRIDE threat modeling framework.

STRIDE, which stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege, is a well-established threat modeling methodology. However, it was designed for host-centric systems where end-to-end data flows can be modeled using data flow diagrams (DFDs), and STRIDE threats can then be modeled for each data flow. 

Data-centric threat modeling is an innovative method that adapts the well-known STRIDE framework to systems built on data-centric communication architectures. The method defines two trust boundaries:

  1. Domain Trust Boundary: Protects against attacks initiated by applications outside of the data-centric robot network.
  2. Topic Trust Boundary: Protects against attacks initiated inside the robot data-centric network. This boundary enforces the principle of least privilege within the domain, and maintains integrity and authenticity among authorized, non-compromised applications. 

The figure below depicts the two trust boundaries with respect to our medical robot example. The figure also shows that the topic trust boundary consists of three protection layers: Domain Outsider, Topic Outsider, and Topic Insider. 

Figure 2: Illustration of two trust boundaries and three protection layers for the medical robotics example

Note that these boundaries protect the data itself, not specific data flows between components. By focusing on the data, we can apply consistent security policies regardless of how the data moves through the system or which components interact with it. This approach is particularly powerful in distributed systems where data flows can be complex and dynamic.
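As an added, constructed example (not the demo's own configuration), this is how the three protection layers map onto an OMG DDS-Security governance document; the domain id and the topic names PatientVitals and ArmControl are assumptions:

```xml
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:noNamespaceSchemaLocation="http://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
  <domain_access_rules>
    <domain_rule>
      <domains><id>0</id></domains>  <!-- assumed domain id -->
      <!-- Domain Outsider layer: only participants holding a valid identity
           certificate may join, and every RTPS message carries a MAC (SIGN). -->
      <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
      <enable_join_access_control>true</enable_join_access_control>
      <discovery_protection_kind>SIGN</discovery_protection_kind>
      <liveliness_protection_kind>SIGN</liveliness_protection_kind>
      <rtps_protection_kind>SIGN</rtps_protection_kind>
      <topic_access_rules>
        <!-- Topic Outsider layer: patient vitals are encrypted with a topic key,
             and reads/writes are checked against each participant's permissions. -->
        <topic_rule>
          <topic_expression>PatientVitals</topic_expression>
          <enable_discovery_protection>true</enable_discovery_protection>
          <enable_liveliness_protection>true</enable_liveliness_protection>
          <enable_read_access_control>true</enable_read_access_control>
          <enable_write_access_control>true</enable_write_access_control>
          <metadata_protection_kind>ENCRYPT</metadata_protection_kind>
          <data_protection_kind>ENCRYPT</data_protection_kind>
        </topic_rule>
        <!-- Topic Insider layer: arm commands also carry per-receiver origin
             authentication MACs, so a reader holding the shared topic key cannot
             produce a MAC the robot arm will accept. -->
        <topic_rule>
          <topic_expression>ArmControl</topic_expression>
          <enable_discovery_protection>true</enable_discovery_protection>
          <enable_liveliness_protection>true</enable_liveliness_protection>
          <enable_read_access_control>true</enable_read_access_control>
          <enable_write_access_control>true</enable_write_access_control>
          <metadata_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</metadata_protection_kind>
          <data_protection_kind>ENCRYPT</data_protection_kind>
        </topic_rule>
        <!-- Remaining topics (for example video frames): covered by the RTPS-level signature only. -->
        <topic_rule>
          <topic_expression>*</topic_expression>
          <enable_discovery_protection>false</enable_discovery_protection>
          <enable_liveliness_protection>false</enable_liveliness_protection>
          <enable_read_access_control>false</enable_read_access_control>
          <enable_write_access_control>false</enable_write_access_control>
          <metadata_protection_kind>NONE</metadata_protection_kind>
          <data_protection_kind>NONE</data_protection_kind>
        </topic_rule>
      </topic_access_rules>
    </domain_rule>
  </domain_access_rules>
</dds>
```

Topic rules are matched in order, so the specific rules must precede the wildcard rule. The governance document is signed by the permissions CA and must be identical on every participant, which is what makes the policy a design-time decision rather than application code.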

Solution: Data-Centric Mitigations

For each attack scenario, the STRIDE vulnerabilities it exercises and the data-centric mitigation strategy that addresses them are listed below.

The Malicious Device Attack

STRIDE Vulnerabilities:

  • Spoofing (S): The malicious device is impersonating a legitimate system component.
  • Tampering (T): False data is being injected into the system.

Data-Centric Mitigation Strategy: Domain Outsider Protection (Applied to All System Data):

  • Authenticate all applications authorized to participate in the communication using DDS Security's Identity Certificate feature.
  • Sign (using Message Authentication Codes (MACs)) all communications to prevent unauthorized applications from interpreting or injecting data.

The Network Insider Threat

STRIDE Vulnerabilities:

  • Elevation of Privilege (E): A device is attempting to perform actions beyond its authorized access.
  • Information Disclosure (I): The insider could potentially access sensitive patient data.

Data-Centric Mitigation Strategy: Topic Outsider Protection (Patient Vitals Data):

  • Configure DDS fine-grained access controls so the webcam won't be allowed to write robot arm commands.
  • Use topic-level encryption to prevent external and unauthorized inside devices from interpreting sensitive data.

The Compromised Reader Attack

STRIDE Vulnerabilities:

  • Tampering (T): The attacker is modifying legitimate commands.
  • Denial of Service (D): The attacker shuts down the system.
  • Elevation of Privilege (E): A device is attempting to perform actions beyond its authorized access.

Data-Centric Mitigation Strategy: Topic Insider Protection (Arm Control Data):

  • Sign Arm Control commands using topic-level origin keys to ensure readers can identify and verify the source of data.
  • Revoke the application certificate of the compromised device.

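The fine-grained access control entries above, as an added constructed permissions document (not the demo's own file); the subject names, validity dates, domain id and the VideoFrames topic are assumptions, and each subject_name must match the subject of that participant's identity certificate:

```xml
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:noNamespaceSchemaLocation="http://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
  <permissions>
    <!-- Video Camera: may publish frames only. No PatientVitals subscribe and no
         ArmControl publish, so the network insider scenario is denied at the
         Topic Outsider layer. Subject names and dates are constructed. -->
    <grant name="VideoCameraGrant">
      <subject_name>CN=VideoCamera,O=Example Hospital</subject_name>
      <validity>
        <not_before>2024-01-01T00:00:00</not_before>
        <not_after>2034-01-01T00:00:00</not_after>
      </validity>
      <allow_rule>
        <domains><id>0</id></domains>
        <publish><topics><topic>VideoFrames</topic></topics></publish>
      </allow_rule>
      <default>DENY</default>
    </grant>
    <!-- Arm Controller: the only participant allowed to write ArmControl. -->
    <grant name="ArmControllerGrant">
      <subject_name>CN=ArmController,O=Example Hospital</subject_name>
      <validity>
        <not_before>2024-01-01T00:00:00</not_before>
        <not_after>2034-01-01T00:00:00</not_after>
      </validity>
      <allow_rule>
        <domains><id>0</id></domains>
        <publish><topics><topic>ArmControl</topic></topics></publish>
      </allow_rule>
      <default>DENY</default>
    </grant>
    <!-- Surgical Orchestrator: reads ArmControl and PatientVitals but is never
         granted ArmControl publish; revoking its certificate removes it entirely. -->
    <grant name="OrchestratorGrant">
      <subject_name>CN=SurgicalOrchestrator,O=Example Hospital</subject_name>
      <validity>
        <not_before>2024-01-01T00:00:00</not_before>
        <not_after>2034-01-01T00:00:00</not_after>
      </validity>
      <allow_rule>
        <domains><id>0</id></domains>
        <subscribe><topics><topic>ArmControl</topic><topic>PatientVitals</topic></topics></subscribe>
      </allow_rule>
      <default>DENY</default>
    </grant>
  </permissions>
</dds>
```

Because the permissions document is signed by the permissions CA and exchanged during authentication, a compromised participant cannot simply edit its own grant; the remote side verifies the signature before honouring any publish or subscribe.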

Conclusion

Data-centric threat modeling represents a significant advancement in cybersecurity for complex, distributed systems like medical robots. By focusing on protecting the data itself and leveraging the powerful features of middleware such as DDS, we can create more secure, flexible, and scalable systems. As our simple example scenarios demonstrate, this approach allows us to systematically identify and mitigate a wide range of potential threats.

To assist with threat modeling, RTI offers a DDS-Security Plugin for Dassault Cameo System Modeler (previously NoMagic MagicDraw). This plugin enables Data-Centric STRIDE modeling, maps threats to DDS-Security Policies, and auto-generates security configuration files to help support the cybersecurity requirements for FDA submissions. 

Key features of the Cameo plugin include:

  • Data-Centric STRIDE modeling
  • Automatic threat-to-policy mapping
  • Enhanced security model visualization
  • Validated configuration file generation

To learn more about integrating RTI Connext systems with MBSE, visit:

About the author:


Hila Ben Abraham, Ph.D. is a Staff Research Scientist at RTI. Dr. Ben Abraham joined RTI in 2021, where she has since led multiple research efforts and served as the principal investigator of government-funded research, focusing on data-centric threat modeling, real-time anomaly detection, and model-based validation in complex distributed systems.

Before joining RTI, Dr. Ben Abraham was a teaching faculty member at Washington University in St. Louis, where she conducted research in distributed networks, focusing on data-centric networks and secure data synchronization for resilient tactical networks.