Smiths Medical Cybersecurity Bulletin
Thursday July 02 2020
Affected Device: CADD®-Solis Wireless Communication Module Model 2130
Type of Action: Cybersecurity Information
Date: 2 July 2020
Attention: Clinical Users and Distributors of CADD®-Solis Wireless Communication Models
Smiths Medical is aware of, and currently monitoring, the Cybersecurity and Infrastructure Security Agency (CISA) notification concerning the Cybersecurity Vulnerability, ICSA-20-168-011 (the “Advisory”). The recently published Advisory addresses multiple vulnerabilities affecting embedded TCP/IP software created by Treck Inc.2 This TCP/IP stack has been implemented in a wide range of industries and products, including the Digi Net+OS operating system used in the CADD®-Solis Wireless Communication Module Model 2130. The vulnerabilities have been classified in the Advisory as critical. For a more detailed description of these vulnerabilities, please view the information provided by Digi3
Smiths Medical has conducted an analysis and determined that the vulnerabilities identified in the Advisory represent controlled risks to the affected CADD®-Solis Wireless Communication devices as defined in FDA guidance document Postmarket Management of Cybersecurity in Medical Devices.4 Please note that vulnerabilities found in Digi Net+OS and Treck TCP/IP stack are not specific or limited to Smiths Medical devices.
The following Smiths Medical CADD®-Solis Pump Wireless Communication Modules are impacted by the Treck TCP/IP vulnerabilities in Digi Net+OS:
- 21-2130-51 – CADD®-Solis Wireless Communication Module
- 21-2130-0100-51 – CADD®-Solis Wireless Communication Module
To date, Smiths Medical has not received any reports of these vulnerabilities impacting clinical use of infusion therapies with the CADD®-Solis pump using a Wireless Communication Module. Smiths Medical has received a patch from Digi, the software vendor, and will release additional information on the issue and further actions as the same becomes available.
The following mitigations are examples of controls that may be applied to reduce the likelihood of these vulnerabilities being exploited:
- Segment networks to isolate CADD®-Solis pumps from other parts of the network.
- Ensure that medical device networks are not accessible from the internet.
- Use methods such as Virtual Private Networks (VPNs) when remote access is required. Make sure the VPN software is kept up to date.
- Use appropriate wireless security protocols (WPA2, EAP-TLS, etc.) to prevent unauthorized access to your wireless network.
- Reject malformed TCP packets.
- Block unused ICMP control messages such as MTU update.
- Normalize or block IP fragments if fragmentation is not used in your network.
- As a last resort, customers may disable wireless operation of the pump. The CADD®-Solis system was designed to operate without network access. This action would impact an organization’s ability to rapidly deploy drug libraries and firmware updates to its pumps.
Smiths Medical is committed to providing quality products that adhere to market cybersecurity standards throughout the lifecycle of its products. We have ongoing established processes to monitor the latest vulnerabilities, threats and risks and will proactively implement measures as required.
If you have any questions regarding this notification, please contact Smiths Medical via email at firstname.lastname@example.org.
- CISA Advisory: https://www.us-cert.gov/ics/advisories/icsa-20-168-01
- Treck Vulnerability Response Information: https://treck.com/vulnerability-response-information/
- Digi Security Notice: https://www.digi.com/support/knowledge-base/digi-international-security-notice-treck-tcp-ip-st
- FDA postmarket cybersecurity guidance: https://www.fda.gov/media/95862/download