An ICS-CERT advisory has alerted the public to vulnerabilities found in CareFusion's Pyxis SupplyStation system (a drug dispensing system). The flaws could allow remote exploitation, and because the affected versions of the system are end-of-life it appears unlikely that they will be patched.
Fraser Kyne, Regional Systems Engineering Director at Bromium, says: "This vulnerability announcement provides further proof of the dangers of continuing to use unprotected, out-of-support Operating Systems and tools. However, all businesses (and particularly hospitals) are faced with the need to avoid costs by sweating their computing tools and assets for as long as possible.
The report states clearly that “These vulnerabilities could be exploited remotely”, and provides sane advice such as “Isolate affected products from the Internet and untrusted systems”. The problem is that we want to use our systems to run critical secure processes, and at the same time we want to run completely unsafe processes such as web browsing and email on the same devices. Isolation is a solid security principle, but we shouldn’t have to compromise between security and functionality.
There are ways to achieve this isolation with today’s technology, hardware and Operating Systems – so that we can really get the best of both worlds. However, to achieve this we have to take a step forward from the past, and realise that it’s not possible to simply place a band-aid over the truly legacy systems on our networks.
So, isolation is the best approach. Either isolate the as-is affected systems as advised, or move to a hardware-isolation model on current OS and hardware that will allow you to blend security and functionality, and to avoid such threats in the future."
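The advisory's advice to "isolate affected products from the Internet and untrusted systems" is only useful if someone verifies that the isolation actually holds. The following is an added example, not code from the advisory, from CareFusion or from Bromium: it evaluates flow records from a network monitor against a segmentation policy for a segment that holds end-of-life dispensing stations, and reports every flow that reaches the Internet or a peer outside a small allowlist. The segment address (10.50.0.0/24), the allowed peers (an application server on 443 and a support jump host on 3389), the flow-log format and the sample flows are all constructed for the example.

```python
"""Segmentation check for a legacy device segment (added example).

Reads simple flow records ("src dst dport proto") and flags any flow in
which an end-of-life device talks to the Internet or to a peer that is
not on the allowlist. All addresses and ports below are hypothetical.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Hypothetical segment holding the end-of-life dispensing stations.
LEGACY_SEGMENT = ipaddress.ip_network("10.50.0.0/24")

# Hypothetical allowlist of (peer network, destination port). A flow between
# the legacy segment and any other peer/port is a policy violation.
ALLOWED_PEERS = (
    (ipaddress.ip_network("10.10.5.10/32"), 443),   # pharmacy application server
    (ipaddress.ip_network("10.10.5.20/32"), 3389),  # vendor-support jump host
)

# Constructed flow records, one per line: source, destination, dport, protocol.
SAMPLE_FLOWS = """\
10.50.0.15 10.10.5.10 443 tcp
10.10.5.20 10.50.0.15 3389 tcp
10.50.0.15 93.184.216.34 443 tcp
10.50.0.15 10.20.7.33 445 tcp
10.50.0.15 10.50.0.16 445 tcp
10.20.7.33 10.10.5.10 443 tcp
""".splitlines()


@dataclass(frozen=True)
class Flow:
    src: IPAddr
    dst: IPAddr
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record of the form 'src dst dport proto'."""
    src, dst, dport, proto = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto)


def violation_reason(flow: Flow) -> Optional[str]:
    """Return None if the flow complies with the isolation policy, otherwise
    a short reason. Flows that never touch the legacy segment are out of
    scope for this policy; traffic between two legacy stations is tolerated
    here (it still cannot leave the segment)."""
    src_legacy = flow.src in LEGACY_SEGMENT
    dst_legacy = flow.dst in LEGACY_SEGMENT
    if not (src_legacy or dst_legacy):
        return None
    if src_legacy and dst_legacy:
        return None
    peer = flow.dst if src_legacy else flow.src
    # A globally routable peer means the station reached (or was reached from)
    # the Internet, which the advisory says must not happen at all.
    if peer.is_global:
        return "internet"
    # Otherwise the peer and port must both match an allowlist entry;
    # the port is checked regardless of direction.
    if any(peer in net and flow.dport == port for net, port in ALLOWED_PEERS):
        return None
    return "untrusted-peer"


def check_flows(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (record, reason) for every record that violates the policy."""
    violations = []
    for line in lines:
        if not line.strip():
            continue
        reason = violation_reason(parse_flow(line))
        if reason is not None:
            violations.append((line, reason))
    return violations


if __name__ == "__main__":
    for record, reason in check_flows(SAMPLE_FLOWS):
        print(f"{reason:15} {record}")
```

Run against the constructed records, the check reports two violations: a station contacting a public address over 443 (a browsing-style flow that should never leave the segment) and a station reached over SMB from a workstation that is not on the allowlist. Replace the sample lines with an export from the monitor that actually sees the segment, and the same function becomes a periodic check that the isolation the advisory recommends has not quietly eroded.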