CADD®-Solis Wireless Communication - Cybersecurity Bulletin
Friday November 20 2020
Affected Device: CADD®-Solis Wireless Communication Module Model 2130
Type of Action: Cybersecurity Information
Original Posted Date: 2 July 2020
Update: 20 November 2020
Attention: Clinical Users and Distributors of CADD®-Solis Wireless Communication Models
Smiths Medical is aware of, and currently monitoring, the Cybersecurity and Infrastructure Security Agency (CISA) notification concerning the Cybersecurity Vulnerability, ICSA-20-168-011 (the “Advisory”). The recently published Advisory addresses multiple vulnerabilities affecting embedded TCP/IP software created by Treck Inc.2 This TCP/IP stack has been implemented in a wide range of industries and products, including the Digi Net+OS operating system used in the CADD®-Solis Wireless Communication Module Model 2130. The vulnerabilities have been classified in the Advisory as critical. For a more detailed description of these vulnerabilities, please view the information provided by Digi.3
Smiths Medical has conducted an analysis and determined that the vulnerabilities identified in the Advisory represent controlled risks to the affected CADD®-Solis Wireless Communication modules as defined in FDA guidance document Postmarket Management of Cybersecurity in Medical Devices.4 Please note that vulnerabilities found in Digi Net+OS and Treck TCP/IP stack are not specific nor limited to Smiths Medical devices.
The following Smiths Medical CADD®-Solis Wireless Communication Modules are impacted by the Treck TCP/IP vulnerabilities in Digi Net+OS:
- 21-2130-51 – CADD®-Solis Wireless Communication Module
- 21-2130-0100-51 – CADD®-Solis Wireless Communication Module
To date, Smiths Medical has not received any reports of these vulnerabilities impacting clinical use of infusion therapies with the CADD®-Solis pump using a Wireless Communication Module. Smiths Medical has released a software update v4.2.1 that resolves the cybersecurity vulnerabilities with updated code provided by Digi International. Contact Smiths Medical for information on how to receive and install this update.
The following mitigations are examples of controls that may be applied to reduce the likelihood of these vulnerabilities being exploited until the updated pump software can be installed:
- Segment networks to isolate CADD®-Solis pumps from other parts of the network.
- Ensure that medical device networks are not accessible from the internet.
- Use methods such as Virtual Private Networks (VPNs) when remote access is required. Make sure the VPN software is kept up to date.
- Use the newest appropriate protocols for wireless security and authentication to prevent unauthorized access to your wireless network.
- Configure network equipment to inspect TCP packets and reject those that are malformed.
- Block unused ICMP control messages such as MTU update.
- Normalize or block IP fragments if fragmentation is not used in your network.
- As a last resort, customers may disable wireless operation of the pump. The CADD®-Solis system was designed to operate without network access. This action would impact an organization’s ability to rapidly deploy drug libraries and firmware updates to its pumps.
Smiths Medical is committed to providing quality products that adhere to market cybersecurity standards throughout the lifecycle of its products. We have ongoing established processes to monitor the latest vulnerabilities, threats and risks and will proactively implement measures as required.
If you have any questions regarding this notification, please contact Smiths Medical via email at firstname.lastname@example.org or call to the application support +1 (800) 258 5361.