Joe Weiss has posted over on his blog (https://www.controlglobal.com/blogs/unfettered/fertility-clinic-liquid-nitrogen-incidents-could-they-have-been-hacks/) some interesting questions about the failure of temperature controls on fertilized ovum storage at two widely separated (Cleveland and San Francisco) facilities at the same time on the same day.
I think those questions are both interesting and important. We need answers.
Here’s Joe’s post:
Electrical and mechanical failures occur. Moreover, they can occur in seemingly independent situations. However, when failures occur in similar systems at almost the same time in systems that are supposedly designed to be failure-proof, one has to ask: do you believe in coincidences? On the same day at essentially the same time, on almost opposite sides of the country, fertility clinics, one in San Francisco and one in Cleveland, suffered liquid nitrogen tank issues leading to egg loss. There are more than 500 centers across the country. All of the centers communicate with one another.
Liquid nitrogen electronic tank monitoring uses different sensors to ensure that tanks perform to specifications. Probes attached to the tank are supposed to detect a rise in temperature within the tank, or a drop in the level of liquid in the tank. Sensors are connected to a telephone alarm system that is designed to alert staff to a problem. “It is standard to have a monitoring system that alarms locally when level or temperature are out of acceptable range and that calls out to staff following a ‘call tree’ structure,” said Brent Hazelrigg, president and CEO of ReproTech Ltd., which has four major U.S. storage facilities with “state-of-the-art cloud-based monitoring systems.” As noted by previous blogs, cloud-based systems are based on the assumptions that process sensors are secure and authenticated – they are not.
There have been numerous catastrophic failures caused by erroneous level indication (or lack thereof). As noted, the liquid nitrogen supply is controlled by process sensors, controllers, and HMIs. Considering there is no cyber security or authentication in process sensors and HMIs have been hacked to indicate erroneous level indications, questions include:
- were the two systems from the same supplier,
- were the two facilities using factory default settings,
- were the process sensors and actuators “intelligent” with remote calibration capability,
- were the HMIs connected to the Internet or with some form of remote access,
- were there any cyber security protections or logging employed,
- was there any indication of cyber activity.
Additional questions are:
- How many other fertility clinics use these same systems with common factory default settings?
- Do other fertility clinics and embryo storage facilities employ appropriate cyber protections?
- As liquid nitrogen is used in many industrial applications including production of finely ground pharmaceuticals, plastics and pigments; food and beverage, metal manufacturing, etc., what other industries could be at risk?
It should be noted that ISA99 has an ongoing task group examining process sensor (Purdue Reference Model Level 0,1) cyber security issues.